Your message dated Tue, 02 Jun 2026 19:32:19 +0000
with message-id <[email protected]>
and subject line Bug#1136952: fixed in libcaca 0.99.beta20-3+deb12u1
has caused the Debian Bug report #1136952,
regarding libcaca: CVE-2026-42046
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1136952: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136952
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libcaca
Version: 0.99.beta20-5
Severity: important
Tags: security upstream
Forwarded: https://github.com/cacalabs/libcaca/issues/86
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libcaca.

CVE-2026-42046[0]:
| libcaca is a colour ASCII art library. In 0.99.beta20 and earlier,
| an integer overflow vulnerability in libcaca's canvas import
| functionality allows an attacker to cause a controlled heap out-of-
| bounds write (heap overflow) by supplying a crafted file in the
| "caca" format. Depending on the build configuration and memory
| allocator, this may lead to memory corruption or remote code
| execution. This is the same vulnerability as CVE-2021-3410 but the
| fix at that time was not fully correct. Commit
| fb77acff9ba6bb01d53940da34fb10f20b156a23 fixes this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-42046
    https://www.cve.org/CVERecord?id=CVE-2026-42046
[1] https://github.com/cacalabs/libcaca/issues/86
[2] https://github.com/cacalabs/libcaca/security/advisories/GHSA-4vvg-vrqv-m56w
[3] https://github.com/cacalabs/libcaca/commit/fb77acff9ba6bb01d53940da34fb10f20b156a23

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libcaca
Source-Version: 0.99.beta20-3+deb12u1
Done: Salvatore Bonaccorso <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libcaca, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libcaca package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 31 May 2026 15:42:49 +0200
Source: libcaca
Architecture: source
Version: 0.99.beta20-3+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Multimedia Maintainers <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1136952
Changes:
 libcaca (0.99.beta20-3+deb12u1) bookworm; urgency=medium
 .
   * Non-maintainer upload.
   * Prevent undefined behaviour in overflow check (CVE-2026-42046)
     (Closes: #1136952)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--- End Message ---
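
The changelog above describes the fix as preventing undefined behaviour in an overflow check. As an added illustration of that bug class (not libcaca's code and not part of the original messages; the function names and the 8-byte cell size are assumptions), this C sketch contrasts a check made after a signed multiplication with one made before it.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed cell size for the illustration: two 32-bit values per cell. */
#define CELL_BYTES (2 * sizeof(uint32_t))

/* Flawed pattern: the product is computed in signed int first. If it
 * overflows, behaviour is already undefined, so the compiler may assume
 * the test below can never be true and remove it. */
int cells_flawed(int width, int height, int *out)
{
    int n = width * height;                 /* UB on overflow */
    if (width != 0 && n / width != height)
        return -1;
    *out = n;
    return 0;
}

/* Hardened pattern: check with division before multiplying, so no
 * overflowing operation is ever evaluated; the byte count is bounded too. */
int cells_checked(int width, int height, size_t *out_bytes)
{
    if (width < 0 || height < 0)
        return -1;
    if (width == 0 || height == 0) { *out_bytes = 0; return 0; }
    if (width > INT_MAX / height)
        return -1;                          /* product would not fit in int */
    size_t cells = (size_t)width * (size_t)height;
    if (cells > SIZE_MAX / CELL_BYTES)
        return -1;                          /* allocation size would wrap */
    *out_bytes = cells * CELL_BYTES;
    return 0;
}

int main(void)
{
    size_t bytes = 0;
    printf("80x25       -> %d\n", cells_checked(80, 25, &bytes));
    printf("65536x65536 -> %d\n", cells_checked(65536, 65536, &bytes));
    return 0;
}
```

Building the flawed variant with `-fsanitize=signed-integer-overflow` (GCC or Clang) makes the overflowing multiplication visible at run time instead of leaving it to the optimiser.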
