Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 64ee1d04 by Carlos Henrique Lima Melara at 2026-02-24T00:27:12-03:00 CVE-2026-2913/vips: add NOTE with commit introducing the vulnerability Accordingly to the reporter [1] "vips_source_read_to_memory() allocates a GByteArray using source->length (gint64), but g_byte_array_set_size() takes a 32-bit guint. When source->length > G_MAXUINT, the allocation truncates while the subsequent read loop still writes up to the full 64-bit length bound, causing a heap-buffer-overflow.". The functionallity to read a custom source to memory was introduced in 8030d7b9260 [2] which added the vips_source_read_to_memory() function (then called vips_streami_read_to_memory) that read streami->length (gint64) to g_byte_array_set_size() which truncates to guint64 hence the overflow could still happen. [1] https://github.com/libvips/libvips/issues/4857#issue-3920154326 [2] https://github.com/libvips/libvips/commit/8030d7b926077f578640bacb202febcd5d2ba29e - - - - - 12a1e303 by Salvatore Bonaccorso at 2026-02-24T20:24:19+01:00 Merge branch 'detail-vips-cve' into 'master' CVE-2026-2913/vips: add NOTE with commit introducing the vulnerability See merge request security-tracker-team/security-tracker!270 - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -807,6 +807,7 @@ CVE-2026-2913 (A vulnerability was determined in libvips up to 8.19.0. The affec [bookworm] - vips <no-dsa> (Minor issue) [bullseye] - vips <postponed> (Minor issue, local access required, hard to trigger) NOTE: https://github.com/libvips/libvips/issues/4857 + NOTE: Introduced by: https://github.com/libvips/libvips/commit/8030d7b926077f578640bacb202febcd5d2ba29e (v8.9.0-beta2) NOTE: Fixed by: https://github.com/libvips/libvips/commit/a56feecbe9ed66521d9647ec9fbcd2546eccd7ee CVE-2026-2912 (A vulnerability was found in code-projects Online Reviewer System 1.0. ...) NOT-FOR-US: code-projects View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a3ddd3cfccef137a779cae040cb637c4d6b52196...12a1e3039339fedb5d5faa2db8959d6531a1ff18 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a3ddd3cfccef137a779cae040cb637c4d6b52196...12a1e3039339fedb5d5faa2db8959d6531a1ff18 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
