Your message dated Sat, 11 Jul 2026 10:42:30 +0000
with message-id <[email protected]>
and subject line Released in 12.15
has caused the Debian Bug report #1140777,
regarding bookworm-pu: package giflib/5.2.1-2.5+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1140777: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140777
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:giflib
User: [email protected]
Usertags: pu


As part of the LTS team I've updated giflib for LTS and ELTS.

This fixes two CVEs which are marked no-DSA.

Related update for trixie-proposed-update, #1140102, was prepared by
jmm. The difference for CVE-2026-26740 is that upstream has now a
dedicated commit to fix this issue [1] and I am choosing this version
over the maintainer fix.

[1] 
https://sourceforge.net/p/giflib/code/ci/061605081115bbfd7019bafc119a13b6f17fcf25

Build and tests are fine in debusine. [2]
[2] https://debusine.debian.net/debian/developers/work-request/893443/

I'm going to upload the changes after sending this mail.

-- 
tobi

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

diff -Nru giflib-5.2.1/debian/changelog giflib-5.2.1/debian/changelog
--- giflib-5.2.1/debian/changelog       2022-06-12 18:32:15.000000000 +0200
+++ giflib-5.2.1/debian/changelog       2026-06-26 09:19:21.000000000 +0200
@@ -1,3 +1,13 @@
+giflib (5.2.1-2.5+deb12u1) bookworm; urgency=high
+
+  * Non-maintainer upload by the LTS Team
+  * Enable CI for bookworm, adapt gbp.conf for bookworm.
+  * Backport fixes for:
+    - CVE-2026-23868 - double-free vulnerability (Closes: #1130495)
+    - CVE-2026-26740 - heap OOB write (Closes: #1131368)
+
+ -- Tobias Frost <[email protected]>  Fri, 26 Jun 2026 09:19:21 +0200
+
 giflib (5.2.1-2.5) unstable; urgency=medium
 
   * Non-maintainer upload
diff -Nru giflib-5.2.1/debian/gbp.conf giflib-5.2.1/debian/gbp.conf
--- giflib-5.2.1/debian/gbp.conf        1970-01-01 01:00:00.000000000 +0100
+++ giflib-5.2.1/debian/gbp.conf        2026-06-26 09:07:42.000000000 +0200
@@ -0,0 +1,7 @@
+[DEFAULT]
+upstream-tag = upstream/%(version)s
+debian-branch = debian/bookworm
+pristine-tar=True
+
+[import-orig]
+filter=[ '.gitignore', '.travis.yml', '.git*' ]
diff -Nru giflib-5.2.1/debian/giflib-dbg.docs 
giflib-5.2.1/debian/giflib-dbg.docs
--- giflib-5.2.1/debian/giflib-dbg.docs 1970-01-01 01:00:00.000000000 +0100
+++ giflib-5.2.1/debian/giflib-dbg.docs 2026-06-26 09:07:42.000000000 +0200
@@ -0,0 +1,2 @@
+NEWS
+TODO
diff -Nru giflib-5.2.1/debian/patches/CVE-2026-23868.patch 
giflib-5.2.1/debian/patches/CVE-2026-23868.patch
--- giflib-5.2.1/debian/patches/CVE-2026-23868.patch    1970-01-01 
01:00:00.000000000 +0100
+++ giflib-5.2.1/debian/patches/CVE-2026-23868.patch    2026-06-26 
09:07:42.000000000 +0200
@@ -0,0 +1,25 @@
+Description: CVE-2026-23868 - double-free vulnerability
+Origin: 
https://sourceforge.net/p/giflib/code/ci/f5b7267aed3665ef025c13823e454170d031c106
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130495
+
+commit f5b7267aed3665ef025c13823e454170d031c106
+Author: Eric S. Raymond <[email protected]>
+Date:   Wed Mar 4 18:49:49 2026 -0500
+
+--- a/gifalloc.c
++++ b/gifalloc.c
+@@ -346,6 +346,14 @@
+              * problems.
+              */
+ 
++                      /* Null out aliased pointers before any allocations
++                       * so that FreeLastSavedImage won't free CopyFrom's
++                       * data if an allocation fails partway through. */
++                      sp->ImageDesc.ColorMap = NULL;
++                      sp->RasterBits = NULL;
++                      sp->ExtensionBlocks = NULL;
++                      sp->ExtensionBlockCount = 0;
++
+             /* first, the local color map */
+             if (CopyFrom->ImageDesc.ColorMap != NULL) {
+                 sp->ImageDesc.ColorMap = GifMakeMapObject(
diff -Nru giflib-5.2.1/debian/patches/CVE-2026-26740.patch 
giflib-5.2.1/debian/patches/CVE-2026-26740.patch
--- giflib-5.2.1/debian/patches/CVE-2026-26740.patch    1970-01-01 
01:00:00.000000000 +0100
+++ giflib-5.2.1/debian/patches/CVE-2026-26740.patch    2026-06-26 
09:07:42.000000000 +0200
@@ -0,0 +1,34 @@
+Description: CVE-2026-26740 -- heap OOB write in EGifGCBToSavedExtension
+Origin: 
https://sourceforge.net/p/giflib/code/ci/061605081115bbfd7019bafc119a13b6f17fcf25
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131368
+Bug: https://sourceforge.net/p/giflib/bugs/199/
+Bug: https://sourceforge.net/p/giflib/bugs/201/
+commit 061605081115bbfd7019bafc119a13b6f17fcf25
+Author: Anthony Hurtado <[email protected]>
+Date:   Mon Jun 1 15:40:48 2026 -0500
+
+    Fix CVE-2026-26740: heap OOB write in EGifGCBToSavedExtension
+    
+    EGifGCBToSavedExtension calls EGifGCBToExtension which unconditionally
+    writes 4 bytes into ep->Bytes without checking ep->ByteCount.  If the
+    extension block was allocated with fewer than 4 bytes, this results in
+    a heap buffer overflow.
+    
+    The read-side counterpart DGifExtensionToGCB already validates that
+    GifExtensionLength == 4 before reading.  Add the symmetric check on
+    the write side: return GIF_ERROR when ep->ByteCount < 4.
+    
+    Signed-off-by: Anthony Hurtado <[email protected]>
+
+--- a/egif_lib.c
++++ b/egif_lib.c
+@@ -687,6 +687,9 @@
+     for (i = 0; i < GifFile->SavedImages[ImageIndex].ExtensionBlockCount; 
i++) {
+       ExtensionBlock *ep = 
&GifFile->SavedImages[ImageIndex].ExtensionBlocks[i];
+       if (ep->Function == GRAPHICS_EXT_FUNC_CODE) {
++              if (ep->ByteCount < 4) {
++                      return GIF_ERROR;
++              }
+           EGifGCBToExtension(GCB, ep->Bytes);
+           return GIF_OK;
+       }
diff -Nru giflib-5.2.1/debian/patches/series giflib-5.2.1/debian/patches/series
--- giflib-5.2.1/debian/patches/series  2022-06-12 18:30:10.000000000 +0200
+++ giflib-5.2.1/debian/patches/series  2026-06-26 09:07:42.000000000 +0200
@@ -7,3 +7,5 @@
 giflib_quantize.patch
 dont-spoil-tests-with-stderr.patch
 giflib_quantize-header.patch
+CVE-2026-23868.patch
+CVE-2026-26740.patch
diff -Nru giflib-5.2.1/debian/salsa-ci.yml giflib-5.2.1/debian/salsa-ci.yml
--- giflib-5.2.1/debian/salsa-ci.yml    1970-01-01 01:00:00.000000000 +0100
+++ giflib-5.2.1/debian/salsa-ci.yml    2026-06-26 09:07:42.000000000 +0200
@@ -0,0 +1,6 @@
+---
+include:
+  - 
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+    RELEASE: 'bookworm'

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
Version: 12.15

This update was released as part of 12.15.

--- End Message ---

Reply via email to