Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: openslide@packages.debian.org
Control: affects -1 + src:openslide
User: release.debian.org@packages.debian.org
Usertags: pu
Hi Stable Release Managers,
This is the bookworm-pu equivalent of the trixie-pu upload of
openslide discussed in #1140493.
[ Reason ]
openslide in bookworm is currently affected by CVE-2026-48977.
See also #1140003. Following discussion with the Security Team,
it seemed fair to include the change for the upcoming point
release.
[ Impact ]
openslide will remain affected by CVE-2026-48977 if the update
is not granted.
[ Tests ]
The test suite of openslide currently does not trigger while
building the package. I had to trust that the reverse dependencies'
autopkgtests had sufficient coverage, but even then, the initial
revision of the patch had a problem that I didn't catch (change
from return NULL to goto FAIL needed when backporting the patch
from openslide 4.0.0 to openslide 3.4.1). It was promptly
flagged by the upstream openslide developer and corrected,
thankfully.
[ Risks ]
The change is relatively short, but the context around the
function evolved between openslide 3.4.1 and openslide 4.0.0.
Therefore the patch does look different from upstream's commit.
As the test suite doesn't trigger, and the quilt patch chokes on
the binary artifact update for the test item, I screwed up the
initial revision of the patch. The present revision of the patch
has benefited from upstream's correction and comments.
[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[*] the issue is verified as fixed in unstable
[ Changes ]
This change introduces CVE-2026-48977.patch, an import of upstream
commit 2be88bd782d9fff46de8e56a99baca523e7917b3. The code
triggers an error condition when one of the area tiles has an
incoherent value (less than one integer, IIUC). Differences
from the upstream commit are the lack of test artifacts and the
goto FAIL instead of the return NULL, in order to properly branch
to the failure handling segment present up to openslide 3.4.1.
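As an added illustration (not openslide's code and not the upstream commit above), the following shows the shape of the backport point: a tile-geometry check that rejects any value below one, with every failure path branching to a single FAIL label so a partially built object is released, where a bare `return NULL` would leak it. All names, the four-int32 header layout, the MAX_TILES cap and the allocation counter are constructed for the example.

```c
/*
 * Hypothetical tile-grid reader (not openslide's code). Demonstrates the
 * "reject incoherent geometry, then goto FAIL" pattern and proves, via an
 * allocation counter, that the error path releases everything it acquired.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sanity cap on the per-tile table for this example. */
#define MAX_TILES (1u << 20)

/* Live-allocation counter so a test can show the error path leaks nothing. */
static int live_allocs = 0;

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p) live_allocs++;
    return p;
}

static void tracked_free(void *p) {
    if (p) { live_allocs--; free(p); }
}

int tile_grid_live_allocs(void) { return live_allocs; }

struct tile_grid {
    int32_t tiles_across, tiles_down;   /* grid size in tiles */
    int32_t tile_w, tile_h;             /* pixel size of one tile */
    uint8_t *tile_present;              /* one flag per tile */
};

void tile_grid_free(struct tile_grid *g) {
    if (!g) return;
    tracked_free(g->tile_present);
    tracked_free(g);
}

/*
 * Parse a constructed 4-int32 header {tiles_across, tiles_down, tile_w, tile_h}.
 * Any field below 1 is rejected. Every failure uses goto FAIL so the single
 * cleanup block frees whatever was allocated before the failure was detected.
 */
struct tile_grid *tile_grid_read(const int32_t *hdr, size_t hdr_len,
                                 const char **err) {
    struct tile_grid *g = NULL;
    *err = NULL;

    if (hdr_len < 4) { *err = "short header"; goto FAIL; }

    g = tracked_malloc(sizeof *g);
    if (!g) { *err = "out of memory"; goto FAIL; }
    memset(g, 0, sizeof *g);

    g->tiles_across = hdr[0];
    g->tiles_down   = hdr[1];
    g->tile_w       = hdr[2];
    g->tile_h       = hdr[3];

    /* The validation at the heart of the pattern: no dimension may be < 1. */
    if (g->tiles_across < 1 || g->tiles_down < 1 ||
        g->tile_w < 1 || g->tile_h < 1) {
        *err = "tile geometry must be >= 1 in every dimension";
        goto FAIL;   /* a bare `return NULL` here would leak g */
    }

    /* Multiply in 64 bits so the cap check cannot itself overflow. */
    uint64_t count = (uint64_t)g->tiles_across * (uint64_t)g->tiles_down;
    if (count > MAX_TILES) { *err = "too many tiles"; goto FAIL; }

    g->tile_present = tracked_malloc((size_t)count);
    if (!g->tile_present) { *err = "out of memory"; goto FAIL; }
    memset(g->tile_present, 1, (size_t)count);
    return g;

FAIL:
    tile_grid_free(g);   /* safe for g == NULL and for a NULL tile_present */
    return NULL;
}

/* Total tile count for a header, or -1 if the header is rejected. */
long long tile_grid_count(const int32_t *hdr, size_t hdr_len) {
    const char *err;
    struct tile_grid *g = tile_grid_read(hdr, hdr_len, &err);
    if (!g) return -1;
    long long n = (long long)g->tiles_across * g->tiles_down;
    tile_grid_free(g);
    return n;
}

/* Constructed sample headers. */
const int32_t SAMPLE_GOOD[4]     = {8, 4, 256, 256};
const int32_t SAMPLE_BAD_ZERO[4] = {8, 0, 256, 256};   /* tiles_down == 0 */
const int32_t SAMPLE_BAD_NEG[4]  = {8, 4, -1, 256};    /* tile_w < 1 */

int main(void) {
    printf("good: %lld tiles, zero: %lld, negative: %lld, live allocs: %d\n",
           tile_grid_count(SAMPLE_GOOD, 4), tile_grid_count(SAMPLE_BAD_ZERO, 4),
           tile_grid_count(SAMPLE_BAD_NEG, 4), tile_grid_live_allocs());
    return 0;
}
```

The allocation counter is what makes the difference between `goto FAIL` and `return NULL` observable: with the early return, the rejected headers would leave `live_allocs` at a non-zero value.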
[ Other info ]
When looking up the security tracker for openslide, you may also
notice CVE-2026-54604. It appears not to trigger in trixie and
older as long as libtiff remains no greater than version
4.7.0. The fix is not part of the present patch.
Have a nice day, :)