Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: [email protected], [email protected] Control: affects -1 + src:vips User: [email protected] Usertags: pu
Hi RMs, [ Reason ] There are eight security fixes in VIPS that don't warrant a DSA. As it is an image processing library and set of tools, it may process untrusted images from some sources, so I would like to update it via the PU procedure. [ Impact ] Users will be protected from malicious images crafted to exploit these issues. At least one of the issues has a public exploit available. [ Tests ] Build and some basic testing. This update was prepared by Moritz Mühlenhoff from the Security Team and I have double-checked it. He also ran it successfully through Debusine. [ Risks ] Very small: all changes are additional validity checks and the use of correct variable types in a few places. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in stable [x] the issues are verified as fixed in unstable Thanks, Laszlo/GCS
diff -Nru vips-8.16.1/debian/changelog vips-8.16.1/debian/changelog
--- vips-8.16.1/debian/changelog 2025-03-15 16:12:33.000000000 +0100
+++ vips-8.16.1/debian/changelog 2026-04-06 14:18:12.000000000 +0200
@@ -1,3 +1,15 @@
+vips (8.16.1-1+deb13u1) trixie; urgency=medium
+
+ [ Moritz Mühlenhoff <[email protected]> ]
+ * CVE-2026-3283 CVE-2026-3284 (Closes: #1129310)
+ * CVE-2026-3282 (Closes: #1129311)
+ * CVE-2026-3281 (Closes: #1129312)
+ * CVE-2026-3147 (Closes: #1129314)
+ * CVE-2026-3145 CVE-2026-3146 (Closes: #1129315)
+ * CVE-2026-2913 (Closes: #1128785)
+
+ -- Laszlo Boszormenyi (GCS) <[email protected]> Mon, 06 Apr 2026 14:18:12 +0200
+
 vips (8.16.1-1) unstable; urgency=medium
 * New upstream release.
diff -Nru vips-8.16.1/debian/patches/CVE-2026-2913.patch vips-8.16.1/debian/patches/CVE-2026-2913.patch
--- vips-8.16.1/debian/patches/CVE-2026-2913.patch 1970-01-01 01:00:00.000000000 +0100
+++ vips-8.16.1/debian/patches/CVE-2026-2913.patch 2026-04-06 00:24:53.000000000 +0200
@@ -0,0 +1,50 @@
+From a56feecbe9ed66521d9647ec9fbcd2546eccd7ee Mon Sep 17 00:00:00 2001
+From: Kleis Auke Wolthuizen <[email protected]>
+Date: Thu, 12 Feb 2026 10:38:55 +0100
+Subject: [PATCH] source: guard against length truncation (#4858)
+
+--- vips-8.16.1.orig/libvips/iofuncs/source.c
++++ vips-8.16.1/libvips/iofuncs/source.c
+@@ -912,6 +912,12 @@ vips_source_read_to_memory(VipsSource *s
+ g_assert(!source->header_bytes);
+ g_assert(source->length >= 0);
+
++ if (G_UNLIKELY(source->length > UINT_MAX)) {
++ vips_error(vips_connection_nick(VIPS_CONNECTION(source)),
++ "%s", _("length overflow"));
++ return -1;
++ }
++
+ if (vips_source_rewind(source))
+ return -1;
+
+@@ -919,7 +925,7 @@ vips_source_read_to_memory(VipsSource *s
+ * directly to it.
+ */
+ byte_array = g_byte_array_new();
+- g_byte_array_set_size(byte_array, source->length);
++ g_byte_array_set_size(byte_array, (guint) source->length);
+
+ read_position = 0;
+ q = byte_array->data;
+@@ -1302,13 +1308,19 @@ vips_source_sniff_at_most(VipsSource *so
+
+ VIPS_DEBUG_MSG("vips_source_sniff_at_most: %zd bytes\n", length);
+
++ if (G_UNLIKELY(length > UINT_MAX)) {
++ vips_error(vips_connection_nick(VIPS_CONNECTION(source)),
++ "%s", _("length overflow"));
++ return -1;
++ }
++
+ SANITY(source);
+
+ if (vips_source_test_features(source) ||
+ vips_source_rewind(source))
+ return -1;
+
+- g_byte_array_set_size(source->sniff, length);
++ g_byte_array_set_size(source->sniff, (guint) length);
+
+ read_position = 0;
+ q = source->sniff->data;
diff -Nru vips-8.16.1/debian/patches/CVE-2026-3145_CVE-2026-3146.patch vips-8.16.1/debian/patches/CVE-2026-3145_CVE-2026-3146.patch
--- vips-8.16.1/debian/patches/CVE-2026-3145_CVE-2026-3146.patch 1970-01-01 01:00:00.000000000 +0100
+++ vips-8.16.1/debian/patches/CVE-2026-3145_CVE-2026-3146.patch 2026-04-06 08:21:58.000000000 +0200
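Review bot: The new guard in vips_source_sniff_at_most rejects `length` only from above; the debug message prints it with `%zd`, which suggests a signed size, and a negative value would pass `length > UINT_MAX` on both LP64 and 32-bit and then wrap to a huge count in the `(guint) length` cast on the set_size line. If the type is indeed signed, `if (G_UNLIKELY(length < 0 || length > UINT_MAX)) {` closes that gap; vips_source_read_to_memory is already covered by the `g_assert(source->length >= 0)` above its guard, though note g_assert compiles out under G_DISABLE_ASSERT. Neither guard bounds memory: a length just below UINT_MAX still asks g_byte_array_set_size for close to 4 GiB, and GLib aborts rather than returning on allocation failure, so callers feeding untrusted lengths may want a tighter cap. Both functions continue outside the hunk.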
@@ -0,0 +1,28 @@
+From d4ce337c76bff1b278d7085c3c4f4725e3aa6ece Mon Sep 17 00:00:00 2001
+From: Lovell Fuller <[email protected]>
+Date: Thu, 19 Feb 2026 12:31:43 +0000
+Subject: [PATCH] matrixload: guard against empty and very large inputs (#4888)
+
+--- vips-8.16.1.orig/libvips/foreign/matrixload.c
++++ vips-8.16.1/libvips/foreign/matrixload.c
+@@ -186,7 +186,10 @@ vips_foreign_load_matrix_header(VipsFore
+ if (vips_source_rewind(matrix->source))
+ return -1;
+
+- line = vips_sbuf_get_line_copy(matrix->sbuf);
++ if (!(line = vips_sbuf_get_line_copy(matrix->sbuf))) {
++ vips_error("mask2vips", "%s", _("invalid header"));
++ return -1;
++ }
+ result = parse_matrix_header(line, &width, &height, &scale, &offset);
+ g_free(line);
+ if (result)
+@@ -331,7 +334,7 @@ static gboolean
+ vips_foreign_load_matrix_file_is_a(const char *filename)
+ {
+ unsigned char line[80];
+- guint64 bytes;
++ gint64 bytes;
+ int width;
+ int height;
+ double scale;
diff -Nru vips-8.16.1/debian/patches/CVE-2026-3147.patch vips-8.16.1/debian/patches/CVE-2026-3147.patch
--- vips-8.16.1/debian/patches/CVE-2026-3147.patch 1970-01-01 01:00:00.000000000 +0100
+++ vips-8.16.1/debian/patches/CVE-2026-3147.patch 2026-04-06 00:24:53.000000000 +0200
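Review bot: The `guint64 bytes` to `gint64 bytes` change in vips_foreign_load_matrix_file_is_a is only a fix if the code that fills and tests `bytes` — which lies outside this hunk — treats a negative result as failure; presumably a -1 from the reader used to become a huge unsigned count, and with the signed type a check of the form `if (bytes <= 0) return FALSE;` is needed before `line` is parsed, so that part of the function should be confirmed before accepting the backport. The NULL guard in the header hunk is correct; a short why-comment above it, such as `/* an empty source yields no line; fail here rather than hand NULL to parse_matrix_header() */`, would tell the next reader what CVE-2026-3145 was about. Both enclosing functions start before and end after their hunks.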
@@ -0,0 +1,21 @@
+From b3ab458a25e0e261cbd1788474bbc763f7435780 Mon Sep 17 00:00:00 2001
+From: Lovell Fuller <[email protected]>
+Date: Sat, 21 Feb 2026 19:00:31 +0000
+Subject: [PATCH] csvload: check whitespace and separator are ASCII (#4894)
+
+--- vips-8.16.1.orig/libvips/foreign/csvload.c
++++ vips-8.16.1/libvips/foreign/csvload.c
+@@ -121,6 +121,13 @@ vips_foreign_load_csv_build(VipsObject *
+ int i;
+ const char *p;
+
++ if (!g_str_is_ascii(csv->whitespace) ||
++ !g_str_is_ascii(csv->separator)) {
++ vips_error("csvload", "%s",
++ _("whitespace and separator must be ASCII"));
++ return -1;
++ }
++
+ if (!(csv->sbuf = vips_sbuf_new_from_source(csv->source)))
+ return -1;
+
diff -Nru vips-8.16.1/debian/patches/CVE-2026-3281.patch vips-8.16.1/debian/patches/CVE-2026-3281.patch
--- vips-8.16.1/debian/patches/CVE-2026-3281.patch 1970-01-01 01:00:00.000000000 +0100
+++ vips-8.16.1/debian/patches/CVE-2026-3281.patch 2026-04-06 00:24:53.000000000 +0200
@@ -0,0 +1,18 @@
+From fd28c5463697712cb0ab116a2c55e4f4d92c4088 Mon Sep 17 00:00:00 2001
+From: Lovell Fuller <[email protected]>
+Date: Sun, 22 Feb 2026 09:39:05 +0000
+Subject: [PATCH] bandrank: check index is in range #4878 (#4895)
+
+--- vips-8.16.1.orig/libvips/conversion/bandrank.c
++++ vips-8.16.1/libvips/conversion/bandrank.c
+@@ -224,6 +224,10 @@ vips_bandrank_build(VipsObject *object)
+
+ if (bandrank->index == -1)
+ bandrank->index = bandary->n / 2;
++ else if (bandrank->index >= bandary->n) {
++ vips_error(class->nickname, _("index out of range"));
++ return -1;
++ }
+ }
+
+ if (VIPS_OBJECT_CLASS(vips_bandrank_parent_class)->build(object))
diff -Nru vips-8.16.1/debian/patches/CVE-2026-3282.patch vips-8.16.1/debian/patches/CVE-2026-3282.patch
--- vips-8.16.1/debian/patches/CVE-2026-3282.patch 1970-01-01 01:00:00.000000000 +0100
+++ vips-8.16.1/debian/patches/CVE-2026-3282.patch 2026-04-06 00:24:53.000000000 +0200
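Review bot: The new check hands `csv->whitespace` and `csv->separator` straight to g_str_is_ascii() with no NULL test; if either argument can be left unset without a default, _build now crashes instead of erroring, so confirm both carry defaults in class_init or prepend `!csv->whitespace || !csv->separator ||` to the condition. The hunk also does not say why ASCII is required; a one-line comment above the check, e.g. `/* the scanner matches delimiters byte by byte, so multibyte UTF-8 delimiters are not safe here */`, would record the reasoning if that is indeed the cause of CVE-2026-3147. vips_foreign_load_csv_build continues on both sides of the hunk.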
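Review bot: The new `vips_error(class->nickname, _("index out of range"))` passes the translated string as the format argument, unlike every other hunk in this update (including the unpremultiply patch in the same series), which uses `"%s", _(...)`; a translation containing `%` would be parsed as format directives. It should read `vips_error(class->nickname, "%s", _("index out of range"));`. Separately, only `-1` is treated as the sentinel and only the upper bound is tested, so an index such as `-2` still passes unless the argument's declared minimum excludes it (not visible here); `else if (bandrank->index < 0 || bandrank->index >= bandary->n) {` makes the function self-contained. vips_bandrank_build starts before and ends after the hunk.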
@@ -0,0 +1,18 @@
+From 7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91 Mon Sep 17 00:00:00 2001
+From: Lovell Fuller <[email protected]>
+Date: Thu, 19 Feb 2026 13:50:37 +0000
+Subject: [PATCH] unpremultiply: check alpha_band is in range #4881 (#4886)
+
+--- vips-8.16.1.orig/libvips/conversion/unpremultiply.c
++++ vips-8.16.1/libvips/conversion/unpremultiply.c
+@@ -287,6 +287,10 @@ vips_unpremultiply_build(VipsObject *obj
+ */
+ if (!vips_object_argument_isset(object, "alpha_band"))
+ unpremultiply->alpha_band = in->Bands - 1;
++ else if (unpremultiply->alpha_band >= in->Bands) {
++ vips_error(class->nickname, "%s", _("alpha_band out of range"));
++ return -1;
++ }
+
+ if (in->BandFmt == VIPS_FORMAT_DOUBLE)
+ conversion->out->BandFmt = VIPS_FORMAT_DOUBLE;
diff -Nru vips-8.16.1/debian/patches/CVE-2026-3283_CVE-2026-3284.patch vips-8.16.1/debian/patches/CVE-2026-3283_CVE-2026-3284.patch
--- vips-8.16.1/debian/patches/CVE-2026-3283_CVE-2026-3284.patch 1970-01-01 01:00:00.000000000 +0100
+++ vips-8.16.1/debian/patches/CVE-2026-3283_CVE-2026-3284.patch 2026-04-06 00:24:53.000000000 +0200
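Review bot: Only the upper bound of `alpha_band` is checked in the new else-branch; an explicitly set negative value passes `>= in->Bands` unless the argument's declared minimum already rules it out, which this hunk does not show. `else if (unpremultiply->alpha_band < 0 || unpremultiply->alpha_band >= in->Bands) {` states the function's own contract rather than leaning on the argument spec, and costs nothing. It would also help to note in a comment that the default branch (`in->Bands - 1`) is trusted precisely because it is derived from the image, while the explicit value comes from the caller. vips_unpremultiply_build starts before and ends after the hunk.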
@@ -0,0 +1,28 @@
+From 24795bb3d19d84f7b6f5ed86451ad556c8f2fe70 Mon Sep 17 00:00:00 2001
+From: Lovell Fuller <[email protected]>
+Date: Thu, 19 Feb 2026 08:39:31 +0000
+Subject: [PATCH] extract: check bounds using unsigned arith #4879 #4880
+ (#4887)
+
+--- vips-8.16.1.orig/libvips/conversion/extract.c
++++ vips-8.16.1/libvips/conversion/extract.c
+@@ -143,8 +143,8 @@ vips_extract_area_build(VipsObject *obje
+ if (VIPS_OBJECT_CLASS(vips_extract_area_parent_class)->build(object))
+ return -1;
+
+- if (extract->left + extract->width > extract->in->Xsize ||
+- extract->top + extract->height > extract->in->Ysize ||
++ if ((guint64) extract->left + extract->width > extract->in->Xsize ||
++ (guint64) extract->top + extract->height > extract->in->Ysize ||
+ extract->left < 0 || extract->top < 0 ||
+ extract->width <= 0 || extract->height <= 0) {
+ vips_error(class->nickname, "%s", _("bad extract area"));
+@@ -393,7 +393,7 @@ vips_extract_band_build(VipsObject *obje
+ bandary->in = &extract->in;
+ bandary->out_bands = extract->n;
+
+- if (extract->band + extract->n > bands) {
++ if ((guint64) extract->band + extract->n > bands) {
+ vips_error(class->nickname,
+ "%s", _("bad extract band"));
+ return -1;
diff -Nru vips-8.16.1/debian/patches/series vips-8.16.1/debian/patches/series
--- vips-8.16.1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ vips-8.16.1/debian/patches/series 2026-04-06 08:22:03.000000000 +0200
@@ -0,0 +1,6 @@
+CVE-2026-3283_CVE-2026-3284.patch
+CVE-2026-3282.patch
+CVE-2026-3281.patch
+CVE-2026-3147.patch
+CVE-2026-3145_CVE-2026-3146.patch
+CVE-2026-2913.patch
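Review bot: In vips_extract_band_build the new test relies on unsigned wraparound to reject a negative `band`, but that fails whenever `n` outweighs it: `band = -1, n = 3` gives `(guint64) -1 + 3 == 2`, which is not `> bands`, and a non-positive `n` (e.g. `band = 2, n = -1`) also passes even though `bandary->out_bands` was already set to it two lines earlier. The extract_area hunk in the same patch spells out `left < 0 ... width <= 0` explicitly, so the band check should match unless the argument spec is known to enforce `band >= 0` and `n >= 1`: `if (extract->band < 0 || extract->n <= 0 || (guint64) extract->band + extract->n > bands) {`. The area check itself is sound, since the explicit sign tests catch every case the cast lets through. Both build functions continue outside their hunks.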

