- Package:
- src:openslide
- Source:
- src:openslide
- Submitter:
- Salvatore Bonaccorso
- Date:
- 2026-06-21 14:05:01 UTC
- Severity:
- normal
- Tags:
Hi,

The following vulnerability was published for openslide.

CVE-2026-48977[0]:
| Arbitrary memory write with crafted Ventana BIF file

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-48977
    https://www.cve.org/CVERecord?id=CVE-2026-48977
[1] https://github.com/openslide/openslide/security/advisories/GHSA-mxg2-48g7-fmwc

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
Hello,

Bug #1140003 in openslide reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/med-team/openslide/-/commit/8a5f43bf436e26fb8fe85552965e8faa52ccdf6a

The change lacks an attempt to apply the test case, because the binary representation of a newly introduced test file is not possible in the patch.

Closes: #1140003

------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1140003
On 3.4.1 if you return NULL you'll leak all kinds of stuff. You should goto FAIL instead, matching the other error paths in that function.
Hi Benjamin,

Benjamin Gilbert, on 2026-06-14:

Acknowledged and fixing that immediately.

Thank you, :)
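The review point above (an early `return NULL` after resources are already held leaks them; every error path should jump to the function's single cleanup label) is a general C error-handling idiom. The following is an added example, not openslide code and not the Debian patch: `parse_record`, `parse_record_leaky`, the `struct record` layout and the byte format are hypothetical, and the allocation counter stands in for a leak checker. The inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocation bookkeeping so a leak is visible without an external tool. */
static int live_allocs = 0;

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p) live_allocs++;
    return p;
}

static void tracked_free(void *p) {
    if (p) { live_allocs--; free(p); }
}

/* Hypothetical record: [name_len:1][name][payload_len:1][payload] */
struct record {
    char *name;
    uint8_t *payload;
    size_t payload_len;
};

static void record_free(struct record *r) {
    if (!r) return;
    tracked_free(r->name);
    tracked_free(r->payload);
    tracked_free(r);
}

typedef struct record *(*parser_fn)(const uint8_t *buf, size_t len);

/* Buggy version: bails out with "return NULL" after resources are held. */
static struct record *parse_record_leaky(const uint8_t *buf, size_t len) {
    if (len < 1) return NULL;                 /* fine: nothing allocated yet */
    struct record *r = tracked_malloc(sizeof *r);
    if (!r) return NULL;                      /* fine: nothing allocated yet */
    memset(r, 0, sizeof *r);

    size_t name_len = buf[0];
    if (len < 2 + name_len) return NULL;      /* BUG: leaks r */
    r->name = tracked_malloc(name_len + 1);
    if (!r->name) return NULL;                /* BUG: leaks r */
    memcpy(r->name, buf + 1, name_len);
    r->name[name_len] = '\0';

    size_t payload_len = buf[1 + name_len];
    if (len < 2 + name_len + payload_len) return NULL; /* BUG: leaks r, r->name */
    r->payload = tracked_malloc(payload_len ? payload_len : 1);
    if (!r->payload) return NULL;             /* BUG: leaks r, r->name */
    memcpy(r->payload, buf + 2 + name_len, payload_len);
    r->payload_len = payload_len;
    return r;
}

/* Fixed version: one cleanup label, the idiom asked for in the review. */
static struct record *parse_record(const uint8_t *buf, size_t len) {
    if (len < 1) return NULL;
    struct record *r = tracked_malloc(sizeof *r);
    if (!r) return NULL;
    /* Zero every member first so record_free() is safe on a partial record. */
    memset(r, 0, sizeof *r);

    size_t name_len = buf[0];
    if (len < 2 + name_len) goto FAIL;
    r->name = tracked_malloc(name_len + 1);
    if (!r->name) goto FAIL;
    memcpy(r->name, buf + 1, name_len);
    r->name[name_len] = '\0';

    size_t payload_len = buf[1 + name_len];
    if (len < 2 + name_len + payload_len) goto FAIL;
    r->payload = tracked_malloc(payload_len ? payload_len : 1);
    if (!r->payload) goto FAIL;
    memcpy(r->payload, buf + 2 + name_len, payload_len);
    r->payload_len = payload_len;
    return r;

FAIL:
    record_free(r);
    return NULL;
}

/* Constructed inputs: a well-formed record and one truncated in the payload. */
static const uint8_t GOOD_INPUT[] = {3, 'a', 'b', 'c', 2, 0xDE, 0xAD};
static const uint8_t TRUNCATED_INPUT[] = {3, 'a', 'b', 'c', 10, 0xDE, 0xAD};

/* Runs a parser on the truncated input; returns how many blocks stay live. */
static int leaked_allocs(parser_fn parse) {
    live_allocs = 0;
    struct record *r = parse(TRUNCATED_INPUT, sizeof TRUNCATED_INPUT);
    record_free(r);  /* NULL for this input; harmless either way */
    return live_allocs;
}

/* Parses the good input with the fixed parser; returns payload_len or -1. */
static int fixed_parser_payload_len(void) {
    live_allocs = 0;
    struct record *r = parse_record(GOOD_INPUT, sizeof GOOD_INPUT);
    if (!r || strcmp(r->name, "abc") != 0) { record_free(r); return -1; }
    int n = (int)r->payload_len;
    record_free(r);
    return live_allocs == 0 ? n : -1;
}

int main(void) {
    printf("leaky parser: %d live allocations after truncated input\n",
           leaked_allocs(parse_record_leaky));
    printf("fixed parser: %d live allocations after truncated input\n",
           leaked_allocs(parse_record));
    printf("fixed parser payload_len on good input: %d\n",
           fixed_parser_payload_len());
    return 0;
}
```

The two details that make the `goto FAIL` form safe are the `memset` right after the first allocation, so the cleanup routine never frees an uninitialised pointer, and the rule that a bare `return NULL` is only acceptable before the first resource is acquired. A leak in a file parser is a denial-of-service vector on its own when untrusted files are processed in a long-lived service, which is why reviewers insist on the uniform error path.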
We believe that the bug you reported is fixed in the latest version of
openslide, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1140003@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Étienne Mollier <emollier@debian.org> (supplier of updated openslide package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 14 Jun 2026 18:20:29 +0200
Source: openslide
Architecture: source
Version: 3.4.1+dfsg-8
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>
Changed-By: Étienne Mollier <emollier@debian.org>
Closes: 1140003
Changes:
openslide (3.4.1+dfsg-8) unstable; urgency=medium
.
* Team upload.
* CVE-2026-48977.patch: new: fix CVE-2026-48977.
The change lacks an attempt to apply the test case, because the binary
representation of a newly introduced test file is not possible in the
patch. (Closes: #1140003)
* d/control: drop redundant Rules-Requires-Root: no.
* d/control: drop redundant Priority: optional.
* d/control: declare compliance to standards version 4.7.4.
* d/watch: convert to watch file version 5.
* d/copyright: drop the old FSF mail address.
Checksums-Sha1:
9ec2e3810e282cb5ca9ab740cf5b323501b2c458 2714 openslide_3.4.1+dfsg-8.dsc
965948055c4f8399ed4870ecd427ed3db4cfeb53 20440 openslide_3.4.1+dfsg-8.debian.tar.xz
Checksums-Sha256:
2f1dda6b53c7673848498c32ca3e72d1f8206dfbbec728e8824409e161c7a157 2714 openslide_3.4.1+dfsg-8.dsc
6c374bde4bd7c8d3b9650de8522959c87ea2b85246df1e8042818447518a9fd9 20440 openslide_3.4.1+dfsg-8.debian.tar.xz
Files:
a156533cbefd7c69622c394c67c108ea 2714 libs optional openslide_3.4.1+dfsg-8.dsc
7686bb2ea621bb291a807aaf41cc27c1 20440 libs optional openslide_3.4.1+dfsg-8.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQJIBAEBCgAyFiEEj5GyJ8fW8rGUjII2eTz2fo8NEdoFAmou1nEUHGVtb2xsaWVy
QGRlYmlhbi5vcmcACgkQeTz2fo8NEdqPXA/9GmA5Glcp3U+D0DeE4CHk8YJ0QnE+
Z83Am0I7wYqHtxlOpDFHZs7I3tdO45Aq1quC0XwAIuwfiB8kV69QW73BO9AyWyW3
qn0mTaMB3/J4/g+CeZyaqsYrvjeFTMXJlhruy6iMNhsvcyiEmfdsj/XiysY6L8io
RX4bo6QPEKQyg5pPruEhup3RI1RgYAgfsQxE10mqmen7EEFVDUVSbLYKIEbb7KBD
Vhq2H7/egLkUDuGGFp/aZGhBYpo/9Mtzln+42XxgqgCNjqjyu3izLVRtSToNwgtR
cD/fku94LCSKQ9/1FcqzPE7Eb4f8y5tGH6KqZkvZw+vJIU9fglw0FfTkovjY6JNF
z/MvHcC6FU969YNt8ELevdeeZ3wLDF84V6zCbJ2gY/7TSsaW0X+1MRNwGr102Uex
e0eJ+ORT8kXv7+7nm5MUWxf/0A308eXKXbAKFgkcKc+4U0eBn7eCUFtbRdsMrj2q
5VQ4gBVgKQSrX2XTQp8TQ805ol4o8dvpX9QDsoDkmfLLkkLgw1Ah7rr1AOzCn89n
6J4dj9Cs5f1aOqpYVhmGhb+ONo95k1zcOXQOSVoM+FiRWJTEhgRDw1eoxcPi2Ikd
bc3huTnVoC7mdiEpnVXa64ZStaqr7sSv+GbHyJGoL1MH2u9Of0SznzCB40huvoaW
agOFay94Qh7lh+E=
=exLs
-----END PGP SIGNATURE-----
Control: found -1 3.4.1+dfsg-6
Control: fixed -1 3.4.1+dfsg-9

Hi Salvatore and the Security Team,

Thank you for the notification, the fix (hopefully correct this time) should make it to Debian unstable soon, and then forky in a couple of days. I have proceeded to an urgency=high upload of openslide 3.4.1+dfsg-9 this time. I saw preparatory work for a version 4.0.0 in Salsa, but that was unfinished work and I was unsure of the blockers, so I favored a targeted fix for now.

trixie and bookworm are running the same 3.4.1 upstream version (3.4.1+dfsg-7 and 3.4.1+dfsg-6 packaging iterations respectively), so I have begun wrapping up an eventual security upload for stable and oldstable. You will find the debdiffs in attachment.

I have problems testing the fix for myself. The test suite in the package currently does not trigger, in addition to issues with inlining binaries in quilt patches. This is how I tripped on the carpet with the return NULL vs goto FAIL in the patch. Otherwise, I assume this would have been caught by the test case added along upstream commit 2be88bd. :( Thankfully, as you might have witnessed, upstream has been very reactive to pinpoint issues and provide proper corrections. :)

I have reviewed the way the function parse_level0_xml evolved between 3.4.1 and 4.0.0 and I agree that the correction was needed.

With these elements, should I go ahead with upload to trixie-security and to bookworm-security?

Have a nice day, :)
Hello,

Bug #1140003 in openslide reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/med-team/openslide/-/commit/ec729c578536ebb3fb165b21c40a1ae3f36fe21a

The change lacks an attempt to apply the test case, because the binary representation of a newly introduced test file is not possible in the patch.

Closes: #1140003

------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1140003
Hello,

Bug #1140003 in openslide reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/med-team/openslide/-/commit/63446b77227e74be9f9f53a7dfdbc685014e4f9b

The change lacks an attempt to apply the test case, because the binary representation of a newly introduced test file is not possible in the patch.

Closes: #1140003

------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1140003
Hi Étienne,

Sorry for the late followup, there was/is some backlog and openslide was not topmost on the radar. I still think openslide would be a good candidate for the point releases (which are approaching), rather than a dedicated security update.

Regards,
Salvatore
Hi Salvatore,

Salvatore Bonaccorso, on 2026-06-20:

No worries, when I saw the multiple security announcements, I suspected you might be a bit drowned, so I probably should not have insisted to double check the situation. I'm still intending to coordinate with stable release managers and will likely proceed later today. No hard feelings. ;)

In the meantime, I've focused on integrating openslide 4.0.1, currently in experimental as it is going to require a transition. Up to version 4.0.0, openslide is affected by CVE-2026-54604 [1]; see also #1099727. Thankfully, if I trust the advisory on Github [2], Debian stable releases are not affected, because they ship with libtiff 4.7.0 or earlier, which do not trigger the vulnerability in openslide.

[1]: https://security-tracker.debian.org/tracker/CVE-2026-54604
[2]: https://github.com/openslide/openslide/security/advisories/GHSA-f734-jv98-5677

Have a nice day, :)
Hi Étienne,

No worries at all, it is manageable, I just still think openslide is a better candidate to be batched with other updates in the upcoming point release. It is good if you ask to double check if there are uncertainties (better safe!).

Ack, we will look at how to update the tracker.

Thanks for all your work!

Regards,
Salvatore
Hi there,

Salvatore Bonaccorso, on 2026-06-21:

Sounds good! I started the coordination work for upload to proposed-upgrades. It is tracked in #1140493 and #1140494.

Thanks for the update! You're welcome, I return the compliment for tracking the security of the system!

Have a nice day, :)