Control: tags -1 + moreinfo

On Sun, 03 May 2026 at 12:09:56 +0100, Adam D. Barratt wrote:
> On Tue, 2026-04-21 at 00:40 -0300, Aquila Macedo wrote:
> > This upload updates libsdl2-image in trixie with upstream fixes for
> > CVE-2026-35444 and closely related parser hardening fixes in the same
> > area of code.

Please note that this trixie-pu was not coordinated with the package's maintainer(s), and I haven't had a response after querying the contents of this proposed update in the CVE tracking bug <https://bugs.debian.org/1134510>. I think it should include at least the follow-up commit https://github.com/libsdl-org/SDL_image/commit/1aedddcbd205c4e1ea0f99fdb2c785acc8e2489b, which arranges for SDL's error/exception mechanism to be used correctly when parsing an invalid XCF file.

In the CVE tracking bug, I also mentioned that there were other robustness fixes pending review at the time. Those have now been released (in 2.8.12 and 3.4.4 upstream) so now would be a good time for anyone interested in backporting invalid-image parsing fixes to take another look at libsdl2-image (and libsdl3-image). I'm not sure why CVE-2026-35444, specifically, got a CVE ID but out-of-bounds accesses in the LBM and XPM parsers didn't.

Aquila, if you have some time available and an interest in this package (or this CVE), please could you reassess the various fixes in 2.8.10/2.8.12 and 3.4.2/3.4.4 and propose a new update? Or if you no longer have time available for this package, I'll try to get to it at some point, but probably not in time for Debian 13.5.

Thanks,
    smcv
