Your message dated Sun, 10 May 2026 18:02:35 +0000
with message-id <[email protected]>
and subject line Bug#1134335: fixed in lcms2 2.16-2+deb13u1
has caused the Debian Bug report #1134335,
regarding lcms2: CVE-2026-41254
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1134335: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134335
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: lcms2
Version: 2.17-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for lcms2.
CVE-2026-41254[0]:
| Little CMS (lcms2) through 2.18 has an integer overflow in CubeSize
| in cmslut.c because the overflow check is performed after the
| multiplication.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-41254
    https://www.cve.org/CVERecord?id=CVE-2026-41254
[1] https://www.openwall.com/lists/oss-security/2026/04/17/16
[2] https://abhinavagarwal07.github.io/posts/lcms2-cubesize-overflow/
[3] https://github.com/mm2/Little-CMS/commit/da6110b1d14abc394633a388209abd5ebedd7ab0
[4] https://github.com/mm2/Little-CMS/commit/e0641b1828d0a1af5ecb1b11fe22f24fceefd4bc
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
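The root cause named in the CVE description above (an overflow check performed after the multiplication), shown as an added C example that is not lcms2 source and not part of the original messages. The function names, the 0-means-error convention and the sample dimensions are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers, not lcms2 source; both return 0 to signal an error. */
/* Flawed pattern: multiply first, then test the already-wrapped result. */
static uint32_t cube_size_check_after(const uint32_t *dims, size_t n)
{
    uint32_t rv = 1;
    for (size_t i = 0; i < n; i++) {
        uint32_t dim = dims[i];
        if (dim <= 1) return 0;
        rv *= dim;                            /* may wrap modulo 2^32 */
        if (rv > UINT32_MAX / dim) return 0;  /* too late: rv is the wrapped value */
    }
    return rv;
}

/* Corrected pattern: prove the product fits before multiplying. */
static uint32_t cube_size_check_before(const uint32_t *dims, size_t n)
{
    uint32_t rv = 1;
    for (size_t i = 0; i < n; i++) {
        uint32_t dim = dims[i];
        if (dim <= 1) return 0;
        if (rv > UINT32_MAX / dim) return 0;  /* rv * dim would exceed 32 bits */
        rv *= dim;
    }
    return rv;
}

/* Reference product in 64 bits: what the 32-bit result should have been. */
static uint64_t true_product(const uint32_t *dims, size_t n)
{
    uint64_t p = 1;
    for (size_t i = 0; i < n; i++) p *= dims[i];
    return p;
}

/* Constructed sample input: the product is 9 * 2^29, too large for 32 bits. */
static const uint32_t sample_dims[] = {128, 128, 128, 32, 4, 3, 2, 3};

int main(void)
{
    size_t n = sizeof sample_dims / sizeof sample_dims[0];
    printf("true=%llu after=%u before=%u\n",
           (unsigned long long)true_product(sample_dims, n),
           (unsigned)cube_size_check_after(sample_dims, n),
           (unsigned)cube_size_check_before(sample_dims, n));
    return 0;
}
```

On the constructed input the check-after variant accepts a wrapped size of 536870912 although the real product is 4831838208; the check-before variant rejects the input.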
--- Begin Message ---
Source: lcms2
Source-Version: 2.16-2+deb13u1
Done: Moritz Mühlenhoff <[email protected]>
We believe that the bug you reported is fixed in the latest version of
lcms2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Mühlenhoff <[email protected]> (supplier of updated lcms2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Thu, 30 Apr 2026 20:12:43 +0200
Source: lcms2
Architecture: source
Version: 2.16-2+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Thomas Weber <[email protected]>
Changed-By: Moritz Mühlenhoff <[email protected]>
Closes: 1134335
Changes:
lcms2 (2.16-2+deb13u1) trixie-security; urgency=medium
.
* CVE-2026-41254 (Closes: #1134335)
--- End Message ---