Your message dated Sun, 01 Mar 2026 09:04:56 +0000
with message-id <[email protected]>
and subject line Bug#1129310: fixed in vips 8.18.0-3
has caused the Debian Bug report #1129310,
regarding vips: CVE-2026-3283 CVE-2026-3284
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1129310: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129310
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: vips
Version: 8.18.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/libvips/libvips/pull/4887
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for vips.
CVE-2026-3283[0]:
| A vulnerability has been found in libvips 8.19.0. This issue affects
| the function vips_extract_band_build of the file
| libvips/conversion/extract.c. The manipulation of the argument
| extract_band leads to out-of-bounds read. The attack needs to be
| performed locally. The exploit has been disclosed to the public and
| may be used. The identifier of the patch is
| 24795bb3d19d84f7b6f5ed86451ad556c8f2fe70. To fix this issue, it is
| recommended to deploy a patch.
CVE-2026-3284[1]:
| A vulnerability was found in libvips 8.19.0. Impacted is the
| function vips_extract_area_build of the file
| libvips/conversion/extract.c. The manipulation of the argument
| extract_area results in integer overflow. The attack requires a
| local approach. The exploit has been made public and could be used.
| The patch is identified as 24795bb3d19d84f7b6f5ed86451ad556c8f2fe70.
| It is advisable to implement a patch to correct this issue.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-3283
https://www.cve.org/CVERecord?id=CVE-2026-3283
[1] https://security-tracker.debian.org/tracker/CVE-2026-3284
https://www.cve.org/CVERecord?id=CVE-2026-3284
[2] https://github.com/libvips/libvips/pull/4887
[3] https://github.com/libvips/libvips/commit/24795bb3d19d84f7b6f5ed86451ad556c8f2fe70
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
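Both extract.c issues quoted in the report reduce to argument validation on the band and area parameters. The following is an added illustration written for this page, not libvips code and not taken from the advisory or the upstream patch: a hypothetical image header type (ImageHdr) and two hypothetical check functions (check_extract_band, check_extract_area) that reject an out-of-range band window and an area whose left + width would overflow, using subtraction-form comparisons instead of sums.

```c
#include <limits.h>

/* Hypothetical stand-in for an image header (not libvips's VipsImage):
 * pixel width, pixel height and number of bands per pixel. */
typedef struct {
    int Xsize;
    int Ysize;
    int Bands;
} ImageHdr;

/* Validate an extract_band request: the band window [band, band + n) must
 * lie inside [0, Bands). Reading at band Bands or beyond walks past the end
 * of each pixel (the out-of-bounds read class quoted above). 0 = ok, -1 = bad. */
int check_extract_band(const ImageHdr *in, int band, int n)
{
    if (band < 0 || n < 1 || n > in->Bands)
        return -1;
    /* band > Bands - n rather than band + n > Bands: the difference cannot
     * overflow, the sum can. */
    return band > in->Bands - n ? -1 : 0;
}

/* Validate an extract_area request. A naive check such as
 *     if (left + width > in->Xsize) fail;
 * wraps for width near INT_MAX, yields a negative sum and accepts the request
 * (the integer-overflow class quoted above). These checks never form the sum. */
int check_extract_area(const ImageHdr *in, int left, int top,
                       int width, int height)
{
    if (left < 0 || top < 0 || width < 1 || height < 1)
        return -1;
    if (width > in->Xsize || left > in->Xsize - width)
        return -1;
    if (height > in->Ysize || top > in->Ysize - height)
        return -1;
    return 0;
}

/* Worked run on a constructed 640x480, 3-band header; returns the number of
 * checks that behaved as expected (3). */
int demo(void)
{
    ImageHdr im = { 640, 480, 3 };
    int ok = 0;
    ok += check_extract_band(&im, 2, 1) == 0;              /* last band */
    ok += check_extract_band(&im, 3, 1) == -1;             /* one past end */
    ok += check_extract_area(&im, 1, 0, INT_MAX, 1) == -1; /* would wrap */
    return ok;
}
```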
--- Begin Message ---
Source: vips
Source-Version: 8.18.0-3
Done: Laszlo Boszormenyi (GCS) <[email protected]>
We believe that the bug you reported is fixed in the latest version of
vips, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated vips package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 01 Mar 2026 07:46:08 +0100
Source: vips
Architecture: source
Version: 8.18.0-3
Distribution: unstable
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Closes: 1129310 1129311 1129312 1129314 1129315
Changes:
vips (8.18.0-3) unstable; urgency=medium
.
* Backport upstream security fix for CVE-2026-3283 and CVE-2026-3284:
manipulation of the argument in vips_extract_band_build() leads to
out-of-bounds read (closes: #1129310).
* Backport upstream security fix for CVE-2026-3145 and CVE-2026-3146:
vips_foreign_load_matrix_header() memory corruption (closes: #1129315).
* Backport upstream security fix for CVE-2026-3282: manipulation of the
argument in vips_unpremultiply_build() can lead to out-of-bounds read
(closes: #1129311).
* Backport upstream security fix for CVE-2026-3147: heap-based buffer
overflow in vips_foreign_load_csv_build() (closes: #1129314).
* Backport upstream security fix for CVE-2026-3281: manipulation of the
argument in vips_bandrank_build() results in heap-based buffer overflow
(closes: #1129312).
* Mark gir1.2-vips-8.0 Multi-Arch: same.
--- End Message ---