Your message dated Sun, 17 May 2026 19:34:31 +0000
with message-id <[email protected]>
and subject line Bug#1134336: fixed in sail 0.9.10-2
has caused the Debian Bug report #1134336,
regarding sail: CVE-2026-40492 CVE-2026-40493 CVE-2026-40494
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1134336: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134336
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: sail
Version: 0.9.10-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for sail.

CVE-2026-40492[0]:
| SAIL is a cross-platform library for loading and saving images with
| support for animation, metadata, and ICC profiles. Prior to commit
| 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02, the XWD codec resolves
| pixel format based on `pixmap_depth` but the byte-swap code uses
| `bits_per_pixel` independently. When `pixmap_depth=8` (BPP8_INDEXED,
| 1 byte/pixel buffer) but `bits_per_pixel=32`, the byte-swap loop
| accesses memory as `uint32_t*`, reading/writing 4x the allocated
| buffer size. This is a different vulnerability from the previously
| reported GHSA-3g38-x2pj-mv55 (CVE-2026-27168), which addressed
| `bytes_per_line` validation. Commit
| 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 contains a patch.


CVE-2026-40493[1]:
| SAIL is a cross-platform library for loading and saving images with
| support for animation, metadata, and ICC profiles. Prior to commit
| c930284445ea3ff94451ccd7a57c999eca3bc979, the PSD codec computes
| bytes-per-pixel (`bpp`) from raw header fields `channels * depth`,
| but the pixel buffer is allocated based on the resolved pixel
| format. For LAB mode with `channels=3, depth=16`, `bpp = (3*16+7)/8
| = 6`, but the format `BPP40_CIE_LAB` allocates only 5 bytes per
| pixel. Every pixel write overshoots, causing a deterministic heap
| buffer overflow on every row. Commit
| c930284445ea3ff94451ccd7a57c999eca3bc979 contains a patch.


CVE-2026-40494[2]:
| SAIL is a cross-platform library for loading and saving images with
| support for animation, metadata, and ICC profiles. Prior to commit
| 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, the TGA codec's RLE
| decoder in `tga.c` has an asymmetric bounds check vulnerability. The
| run-packet path (line 297) correctly clamps the repeat count to the
| remaining buffer space, but the raw-packet path (lines 305-311) has
| no equivalent bounds check. This allows writing up to 496 bytes of
| attacker-controlled data past the end of a heap buffer. Commit
| 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302 patches the issue.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-40492
    https://www.cve.org/CVERecord?id=CVE-2026-40492
[1] https://security-tracker.debian.org/tracker/CVE-2026-40493
    https://www.cve.org/CVERecord?id=CVE-2026-40493
[2] https://security-tracker.debian.org/tracker/CVE-2026-40494
    https://www.cve.org/CVERecord?id=CVE-2026-40494

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
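The third advisory describes a bounds check present on one RLE packet path and missing on the other. The following is an added illustration, not code from SAIL or from the Debian package: a TGA-style RLE unpacker in which the run-packet and raw-packet paths go through a single shared size check, failing closed instead of clamping. It assumes the standard TGA packet convention (header byte, high bit set for a run packet, low seven bits plus one for the pixel count); the function and type names (`tga_rle_unpack`, `rle_status`) and the sample packet streams are constructed for this example.

```c
/*
 * Added example, not code from the SAIL project: a TGA-style RLE unpacker
 * in which the run-packet and raw-packet paths share one bounds check.
 * TGA RLE packets: header byte, high bit set = run packet (one pixel
 * repeated), clear = raw packet (literal pixels); low 7 bits + 1 = count.
 * All names here (tga_rle_unpack, rle_status, ...) are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    RLE_OK = 0,
    RLE_BAD_PARAM,        /* bpp out of range or dst_len not whole pixels */
    RLE_TRUNCATED_INPUT,  /* packet promises more bytes than src holds */
    RLE_OUTPUT_OVERRUN    /* packet would write past the end of dst */
} rle_status;

/* Decode src into dst. Succeeds only if exactly dst_len bytes are produced
 * without reading past src_len or writing past dst_len. */
rle_status tga_rle_unpack(const uint8_t *src, size_t src_len,
                          uint8_t *dst, size_t dst_len, size_t bpp)
{
    size_t in = 0, out = 0;

    if (bpp == 0 || bpp > 4 || dst_len % bpp != 0)
        return RLE_BAD_PARAM;

    while (out < dst_len) {
        if (in >= src_len)
            return RLE_TRUNCATED_INPUT;

        uint8_t hdr = src[in++];
        size_t count = (size_t)(hdr & 0x7F) + 1;   /* 1..128 pixels */
        size_t bytes = count * bpp;                /* at most 512 bytes */

        /* The one check both paths depend on: the packet must fit in the
         * space that remains, whether it is a run or a raw packet. */
        if (bytes > dst_len - out)
            return RLE_OUTPUT_OVERRUN;

        if (hdr & 0x80) {
            /* Run packet: one source pixel, repeated count times. */
            if (src_len - in < bpp)
                return RLE_TRUNCATED_INPUT;
            for (size_t i = 0; i < count; i++) {
                memcpy(dst + out, src + in, bpp);
                out += bpp;
            }
            in += bpp;
        } else {
            /* Raw packet: count literal pixels copied straight through. */
            if (src_len - in < bytes)
                return RLE_TRUNCATED_INPUT;
            memcpy(dst + out, src + in, bytes);
            in += bytes;
            out += bytes;
        }
    }
    return RLE_OK;
}

/* Constructed sample streams (not taken from any real TGA file). */
const uint8_t good_stream[] = {
    0x82, 0xAA,            /* run: 3 pixels of 0xAA (bpp = 1) */
    0x01, 0x11, 0x22       /* raw: 2 literal pixels */
};
const uint8_t oversized_raw[] = {
    0x07, 1, 2, 3, 4, 5, 6, 7, 8   /* raw: 8 pixels, but only 5 fit */
};
const uint8_t oversized_run[] = {
    0x83, 1, 2, 3          /* run: 4 pixels x 3 bytes = 12, only 6 fit */
};
const uint8_t truncated_raw[] = {
    0x01, 0x11             /* raw: claims 2 pixels, input holds 1 */
};

/* Shared output buffer so the sample runs below can be inspected. */
uint8_t scratch[8];

int main(void)
{
    printf("good:          %d\n", tga_rle_unpack(good_stream, sizeof good_stream, scratch, 5, 1));
    printf("oversized raw: %d\n", tga_rle_unpack(oversized_raw, sizeof oversized_raw, scratch, 5, 1));
    printf("oversized run: %d\n", tga_rle_unpack(oversized_run, sizeof oversized_run, scratch, 6, 3));
    printf("truncated raw: %d\n", tga_rle_unpack(truncated_raw, sizeof truncated_raw, scratch, 2, 1));
    return 0;
}
```

The point of the single check before the branch is that a later edit to one packet path cannot leave the other unguarded; the same idea applies to the other two advisories, where the buffer size and the access stride were derived from different header fields. Rejecting the packet rather than clamping it also gives a caller a distinct error to log when a file declares more pixels than its image can hold.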
--- Begin Message ---
Source: sail
Source-Version: 0.9.10-2
Done: Sudip Mukherjee <[email protected]>

We believe that the bug you reported is fixed in the latest version of
sail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sudip Mukherjee <[email protected]> (supplier of updated sail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 17 May 2026 19:50:30 +0100
Source: sail
Architecture: source
Version: 0.9.10-2
Distribution: unstable
Urgency: medium
Maintainer: Sudip Mukherjee <[email protected]>
Changed-By: Sudip Mukherjee <[email protected]>
Closes: 1133734 1134336
Changes:
 sail (0.9.10-2) unstable; urgency=medium
 .
   * Move cmake files to arch dependent path. (Closes: #1133734)
   * Add patch for security fixes. (Closes: #1134336)
     - CVE-2026-40493
     - CVE-2026-40492
     - CVE-2026-40494
   * Update Standards-Version to 4.7.4
Checksums-Sha1:
 83dfb9f689f9b38baa0eb6ec4f0fb1934d5c288e 2436 sail_0.9.10-2.dsc
 a2e88a7c65ef46037a1258ccc51f236d7981e214 8916 sail_0.9.10-2.debian.tar.xz
 c2023c5a3fb3372be801333ed4f3599da0049060 11639 sail_0.9.10-2_amd64.buildinfo
Checksums-Sha256:
 ed800595ba8df8640fb1c661cab4a8cead4851cea54245259e146406cdabcc40 2436 sail_0.9.10-2.dsc
 df726c5f124e2bac670d77ffbc1fcbda1cc8ce0eceb7e37d5ae9ad427bbc5c86 8916 sail_0.9.10-2.debian.tar.xz
 1f0e2a412a0d1eda3f2789adac9690afeb62c6523c4bafb16c04fa42f8a14555 11639 sail_0.9.10-2_amd64.buildinfo
Files:
 036be632cf046f865297e4e4c3c8ca50 2436 libs optional sail_0.9.10-2.dsc
 0fb9d9b0e674ca77890d9dc13ea51005 8916 libs optional sail_0.9.10-2.debian.tar.xz
 a11a5b2245b870787e4878e603c30360 11639 libs optional sail_0.9.10-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEuDQJkCg9jZvBlJrHR5mjUUbRKzUFAmoKDmsACgkQR5mjUUbR
KzV/MA/+OkiexkXpLo8ZJvsbjyg9Oinx3sSYoP+K1azzNmVYs0PjrPoPtOJRoUZP
5q+o/FGfslAy8nrGy/0wNCMxaY6XvZ4NvO39km/g6lnuj9Ej7HoGOJSQ5x8ldS0w
7s4wSNEFrjxgbvwuZ5MR2PTJrYEo8Jw5m0cz+PCcIsXtKjucKQ+n9ZJS8m/VWjxF
smCyK0DK4AiOunv4OCXGK66A3r7jgShjIXPmBVF6k8bz06ragwM1QR6Uxio7gI9g
VSqbcW+9ItUdZzuHHfJKN2LboBIKTVoizIXOubDiSalxBqbVcSmaCeXN8bIolNoB
ACum9KkDINaKPDwR4K/1M7Gy2EMHsBfPsdIWykYHfqPKMlXzBAaVhYbkmWAtDctO
IYqKmYfH7CGXnvPaJP8tE5mm8yNABBvPOLI2FyDB60KDTEusxBY+phXQue+a5+Iy
rlN59Vih2P0c621OVVPaO9welG9UNTtMOXwahhvrssKfvexjVIILmO+ar26w5IrC
ZhRsO3xN9lE/R9cIqS/TjY1QYWyoV7XtXnCdkPg8UNjlR8zY8JTeiscXh4JU5yWm
e3IbpzQA0Q6qVKqjhyydNBMDBt0g1e4FeJ9Q2flNN5sFQ0PKo3aM4B4xJ2lLRib/
E63ZAqI2z2RDikEVnirvGiBQGJx3M6JRsdTFHzJ+Ooi5EQe8wy0=
=ytag
-----END PGP SIGNATURE-----

Attachment: pgpqktlSNjyP9.pgp
Description: PGP signature


--- End Message ---