Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:graphite2
User: [email protected]
Usertags: pu

[ Reason ]
CVE. See https://cvefeed.io/vuln/detail/CVE-2026-50593
the Security Team suggests to fix this via point release, so here it is :)

[ Impact ]
CVE unfixed

[ Tests ]
None. Operated that out since a .ttf is bad for a diff. But the test with 1.3.15-2 works in sid

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Apply upstream's https://github.com/silnrsi/graphite/commit/ad78c6b7319909e1540c1b134e115ced03417866

Debdiff attached.

diff -Nru graphite2-1.3.14/debian/changelog graphite2-1.3.14/debian/changelog --- graphite2-1.3.14/debian/changelog 2020-04-01 11:11:00.000000000 +0200 +++ graphite2-1.3.14/debian/changelog 2026-06-06 19:58:37.000000000 +0200 @@ -1,3 +1,10 @@ +graphite2 (1.3.14-1+deb12u1) bookworm; urgency=medium + + * debian/patches/ad78c6b7319909e1540c1b134e115ced03417866.patch: + fix CVE-2026-50593 + + -- Rene Engelhard <[email protected]> Sat, 06 Jun 2026 19:58:37 +0200 + graphite2 (1.3.14-1) unstable; urgency=medium * New upstream version 1.3.14 diff -Nru graphite2-1.3.14/debian/patches/ad78c6b7319909e1540c1b134e115ced03417866.patch graphite2-1.3.14/debian/patches/ad78c6b7319909e1540c1b134e115ced03417866.patch --- graphite2-1.3.14/debian/patches/ad78c6b7319909e1540c1b134e115ced03417866.patch 1970-01-01 01:00:00.000000000 +0100 +++ graphite2-1.3.14/debian/patches/ad78c6b7319909e1540c1b134e115ced03417866.patch 2026-06-06 19:58:37.000000000 +0200 
@@ -0,0 +1,34 @@ +From ad78c6b7319909e1540c1b134e115ced03417866 Mon Sep 17 00:00:00 2001 +From: Tim Eves <[email protected]> +Date: Mon, 1 Jun 2026 03:21:42 +0700 +Subject: [PATCH] Fix an underflow case that can be induced by crafted graphite + actions. + +This can be used to induce an out-of-bounds write prior to the slotmap. + +Add tests that will crash the engine if the underflow can be caused. +--- + src/inc/opcodes.h | 3 +- + tests/CMakeLists.txt | 1 + + tests/fonts/underflow.ttf | Bin 0 -> 58340 bytes + tests/standards/underflow.json | 473 +++++++++++++++++++++++++++++++++ + tests/standards/underflow.log | 2 + + 5 files changed, 478 insertions(+), 1 deletion(-) + create mode 100644 tests/fonts/underflow.ttf + create mode 100644 tests/standards/underflow.json + create mode 100644 tests/standards/underflow.log + +diff --git a/src/inc/opcodes.h b/src/inc/opcodes.h +index 10ba1772..f6166693 100644 +--- a/src/inc/opcodes.h ++++ b/src/inc/opcodes.h +@@ -53,7 +53,8 @@ + + #define push(n) { *++sp = n; } + #define pop() (*sp--) +-#define slotat(x) (map[(x)]) ++#define slotat(x) ((map + (x) >= &smap[-1] && map + (x) < smap.end()) ? \ ++ map[(x)] : (status = Machine::slot_offset_out_bounds, nullptr)) + #define DIE { is=seg.last(); status = Machine::died_early; EXIT(1); } + #define POSITIONED 1 + diff -Nru graphite2-1.3.14/debian/patches/series graphite2-1.3.14/debian/patches/series --- graphite2-1.3.14/debian/patches/series 2020-04-01 11:11:00.000000000 +0200 +++ graphite2-1.3.14/debian/patches/series 2026-06-06 19:58:37.000000000 +0200 @@ -5,3 +5,4 @@ test-timeout.diff reproducible-build.diff python-libgraphite-SONAME.diff +ad78c6b7319909e1540c1b134e115ced03417866.patch
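
Review bot: In the debian/changelog hunk, the new entry records only the patch file name and the CVE id, and does not say that the upstream tests were left out, while the header of the added patch file still carries upstream's diffstat listing five files (tests/CMakeLists.txt, tests/fonts/underflow.ttf, tests/standards/underflow.json, tests/standards/underflow.log alongside src/inc/opcodes.h). Suggest adding a line to the changelog entry, or a short note in the patch header, stating that only the src/inc/opcodes.h change is applied and the binary test font is omitted, so the documented change matches what the series actually applies.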
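
Review bot: In the src/inc/opcodes.h hunk, the rewritten slotat(x) now evaluates its argument up to three times and returns nullptr on the out-of-range path, so any use site that dereferences the result without checking it, or passes an expression with side effects, changes behaviour. Please confirm against the 1.3.14 sources that every user of slotat handles a null slot (or tests status first) and that Machine::slot_offset_out_bounds is defined in this older tree, since the hunk was written for a later upstream. The lower bound &smap[-1] admits the position one before index 0; a one-line comment explaining why that position is valid would help, given that the commit message describes the bug as a write prior to the slotmap.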

