Your message dated Tue, 02 Jun 2026 19:17:07 +0000
with message-id <[email protected]>
and subject line Bug#1136952: fixed in libcaca 0.99.beta20-5+deb13u1
has caused the Debian Bug report #1136952,
regarding libcaca: CVE-2026-42046
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1136952: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136952
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libcaca
Version: 0.99.beta20-5
Severity: important
Tags: security upstream
Forwarded: https://github.com/cacalabs/libcaca/issues/86
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libcaca.

CVE-2026-42046[0]:
| libcaca is a colour ASCII art library. In 0.99.beta20 and earlier,
| an integer overflow vulnerability in libcaca's canvas import
| functionality allows an attacker to cause a controlled heap out-of-
| bounds write (heap overflow) by supplying a crafted file in the
| "caca" format. Depending on the build configuration and memory
| allocator, this may lead to memory corruption or remote code
| execution. This is the same vulnerability as CVE-2021-3410 but the
| fix at that time was not fully correct. Commit
| fb77acff9ba6bb01d53940da34fb10f20b156a23 fixes this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-42046
    https://www.cve.org/CVERecord?id=CVE-2026-42046
[1] https://github.com/cacalabs/libcaca/issues/86
[2] https://github.com/cacalabs/libcaca/security/advisories/GHSA-4vvg-vrqv-m56w
[3] https://github.com/cacalabs/libcaca/commit/fb77acff9ba6bb01d53940da34fb10f20b156a23

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libcaca
Source-Version: 0.99.beta20-5+deb13u1
Done: Salvatore Bonaccorso <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libcaca, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libcaca package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 31 May 2026 15:40:07 +0200
Source: libcaca
Architecture: source
Version: 0.99.beta20-5+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Multimedia Maintainers <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1136952
Changes:
 libcaca (0.99.beta20-5+deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload.
   * Prevent undefined behaviour in overflow check (CVE-2026-42046)
     (Closes: #1136952)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
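
Added example, not part of the messages above and not libcaca's code: the changelog entry "Prevent undefined behaviour in overflow check" concerns a general C pitfall, where a test that multiplies two signed dimensions first and inspects the product afterwards is itself undefined behaviour on overflow, so the compiler may remove it. The sketch below validates before multiplying; the function names and the 32-bit cell type are assumptions made for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (assumed name, not a libcaca function).
 * Computes width * height without ever evaluating an overflowing signed
 * multiplication. Returns 0 and stores the count in *out on success,
 * -1 if a dimension is negative or the product does not fit in an int.
 *
 * Pattern to avoid: "n = w * h; if (n / w != h) fail;". The overflow has
 * already happened when the check runs, which is undefined for signed int. */
int checked_cell_count(int width, int height, int *out)
{
    if (width < 0 || height < 0)
        return -1;
    /* Divide first: INT_MAX / width is well defined for width > 0. */
    if (width != 0 && height > INT_MAX / width)
        return -1;
    *out = width * height;          /* cannot overflow past this point */
    return 0;
}

/* Hypothetical allocation wrapper: rejects bad dimensions, then checks
 * that the byte size also fits in size_t before allocating. */
uint32_t *alloc_cells(int width, int height)
{
    int n;
    if (checked_cell_count(width, height, &n) != 0)
        return NULL;
    if ((size_t)n > SIZE_MAX / sizeof(uint32_t))
        return NULL;
    /* Allocate at least one cell so an empty canvas still gets a buffer. */
    return calloc(n ? (size_t)n : 1, sizeof(uint32_t));
}

int main(void)
{
    /* Constructed sample dimensions, as a file header might supply them. */
    int dims[][2] = { {80, 25}, {46340, 46340}, {46341, 46341}, {65536, 65536}, {-1, 10} };
    for (size_t i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        int n = 0;
        int rc = checked_cell_count(dims[i][0], dims[i][1], &n);
        printf("%d x %d -> %s (%d)\n", dims[i][0], dims[i][1],
               rc == 0 ? "ok" : "rejected", n);
    }
    return 0;
}
```

Building test binaries with `-fsanitize=signed-integer-overflow` is a complementary way to catch a multiply-then-check pattern that remains elsewhere in a code base.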
