#1140494 bookworm-pu: package openslide/3.4.1+dfsg-6+deb12u1

#1140494#5
Date:
2026-06-21 13:54:33 UTC
From:
To:
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: openslide@packages.debian.org
Control: affects -1 + src:openslide
User: release.debian.org@packages.debian.org
Usertags: pu

Hi Stable Release Managers,

This is the bookworm-pu equivalent of the trixie-pu upload of
openslide discussed in #1140493.

[ Reason ]
openslide in bookworm is currently affected by CVE-2026-48977.
See also #1140003.  Following discussion with the Security Team,
it seemed fair to include the change for the upcoming point
release.

[ Impact ]
openslide will remain affected by CVE-2026-48977 if the update
is not granted.

[ Tests ]
The test suite of openslide currently does not trigger while
building the package.  I had to trust that the reverse
dependencies' autopkgtests had sufficient coverage, but even then,
the initial revision of the patch had a problem that I didn't catch
(change from return NULL to goto FAIL needed when backporting the
patch from openslide 4.0.0 to openslide 3.4.1).  It was promptly
flagged by the upstream openslide developer and, thankfully,
corrected.

[ Risks ]
The change is relatively short, but the context around the
function evolved between openslide 3.4.1 and openslide 4.0.0.
Therefore the patch looks different from upstream's commit.
As the test suite doesn't trigger, and the quilt patch choked on
the binary artifact update for the test item, I screwed up the
initial revision of the patch.  The present revision of the patch
has benefitted from upstream's correction and comments.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
This change introduces CVE-2026-48977.patch, an import of upstream
commit 2be88bd782d9fff46de8e56a99baca523e7917b3.  The code
triggers an error condition when one of the area tiles has an
incoherent value (an integer less than one, IIUC).  Differences
from the upstream commit are the lack of test artifacts and the
goto FAIL instead of the return NULL, in order to properly branch
to the failure handling segment present up to openslide 3.4.1.

[ Other info ]
When looking up the security tracker for openslide, you may also
notice CVE-2026-54604.  It appears not to trigger in trixie and
older as long as libtiff remains at version 4.7.0 or older.  The
fix is not part of the present patch.

Have a nice day,  :)
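The backport pitfall described in the [Tests] and [Changes] sections above (a "return NULL" from upstream pasted into an older function whose cleanup lives behind a FAIL label) is worth seeing in code. The following is an added illustration, not openslide's code and not the patch under discussion: the struct names, fields and the "every dimension is at least 1" bound are hypothetical stand-ins for the real tile layout. It puts the flawed early-return shape beside the corrected goto-FAIL shape and counts live heap blocks so the difference is observable.

```c
/*
 * Added illustration, NOT openslide code: a sanity check on tile
 * dimensions that must leave through the function's existing FAIL
 * label rather than a bare "return NULL".  Names, fields and the
 * ">= 1" bound are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed tile-layout record; not a real slide format. */
struct tile_area {
    int64_t tile_w, tile_h;           /* pixel size of one tile */
    int64_t tiles_across, tiles_down; /* tile grid for this area */
};

struct level {
    struct tile_area *areas;  /* owned copy of the layout */
    size_t n_areas;
    int64_t total_tiles;      /* derived from the layout after validation */
};

/* Live-heap counter so a caller can tell whether cleanup ran. */
static int live_allocs = 0;
static void *track_malloc(size_t n) {
    void *p = malloc(n);
    if (p) live_allocs++;
    return p;
}
static void track_free(void *p) {
    if (p) { live_allocs--; free(p); }
}

/* Assumed invariant: every dimension is at least 1; otherwise the
 * size arithmetic below is meaningless (zero or negative extents). */
static int tile_area_is_sane(const struct tile_area *a) {
    return a->tile_w >= 1 && a->tile_h >= 1 &&
           a->tiles_across >= 1 && a->tiles_down >= 1;
}

static struct level *level_alloc(const struct tile_area *areas, size_t n) {
    struct level *lvl = track_malloc(sizeof(*lvl));
    if (!lvl) return NULL;
    lvl->n_areas = n;
    lvl->total_tiles = 0;
    lvl->areas = track_malloc(n * sizeof(*areas));
    if (!lvl->areas) { track_free(lvl); return NULL; }
    memcpy(lvl->areas, areas, n * sizeof(*areas));
    return lvl;
}

void level_free(struct level *lvl) {
    if (!lvl) return;
    track_free(lvl->areas);
    track_free(lvl);
}

/* Shape of the flawed first revision: upstream's "return NULL" pasted
 * into a function whose cleanup lives behind FAIL, so the partially
 * built level is leaked on bad input. */
struct level *open_level_early_return(const struct tile_area *areas, size_t n) {
    struct level *lvl = level_alloc(areas, n);
    if (!lvl) goto FAIL;
    for (size_t i = 0; i < n; i++) {
        if (!tile_area_is_sane(&lvl->areas[i]))
            return NULL;                 /* BUG: skips the FAIL cleanup */
        lvl->total_tiles += lvl->areas[i].tiles_across * lvl->areas[i].tiles_down;
    }
    return lvl;
FAIL:
    level_free(lvl);
    return NULL;
}

/* Corrected backport: the same check, but it branches to FAIL so the
 * existing failure-handling segment releases everything. */
struct level *open_level_goto_fail(const struct tile_area *areas, size_t n) {
    struct level *lvl = level_alloc(areas, n);
    if (!lvl) goto FAIL;
    for (size_t i = 0; i < n; i++) {
        if (!tile_area_is_sane(&lvl->areas[i]))
            goto FAIL;                   /* cleanup runs, then NULL */
        lvl->total_tiles += lvl->areas[i].tiles_across * lvl->areas[i].tiles_down;
    }
    return lvl;
FAIL:
    level_free(lvl);
    return NULL;
}

int main(void) {
    /* Constructed input: second area has a zero tile height. */
    struct tile_area bad[2] = {{256, 256, 4, 4}, {256, 0, 4, 4}};
    level_free(open_level_early_return(bad, 2));
    printf("early return: %d heap block(s) leaked\n", live_allocs);
    live_allocs = 0;
    level_free(open_level_goto_fail(bad, 2));
    printf("goto FAIL:    %d heap block(s) leaked\n", live_allocs);
    return 0;
}
```

The leak is the visible symptom here; in a real reader the skipped failure segment may also leave file handles or half-initialised parser state behind, which is why a backported check must use whatever exit path the target version's function already relies on.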

#1140494#12
Date:
2026-06-30 05:49:29 UTC
From:
To:
Control: tags -1 + confirmed

Please go ahead.

Regards,

Adam

#1140494#19
Date:
2026-06-30 06:27:56 UTC
From:
To:
Hi Adam,

I went ahead, thank you!

Have a nice day,  :)

#1140494#24
Date:
2026-06-30 17:54:01 UTC
From:
To:
package release.debian.org
tags 1140494 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: openslide
Version: 3.4.1+dfsg-6+deb12u1

Explanation: fix possible code execution issue [CVE-2026-48977]