[Debian-med-packaging] Bug#1140003: openslide: CVE-2026-48977

Étienne Mollier emollier at debian.org
Sun Jun 14 19:05:50 BST 2026


Control: found -1 3.4.1+dfsg-6
Control: fixed -1 3.4.1+dfsg-9

Hi Salvatore and the Security Team,

Thank you for the notification, the fix (hopefully correct this
time) should make it to Debian unstable soon, and then forky in
a couple of days.  I have proceeded with an urgency=high upload of
openslide 3.4.1+dfsg-9 this time.  I saw preparatory work for a
version 4.0.0 in Salsa, but that was unfinished work and I was
unsure of the blockers, so I favored a targeted fix for now.

trixie and bookworm are running the same 3.4.1 upstream version
(3.4.1+dfsg-7 and 3.4.1+dfsg-6 packaging iterations
respectively), so I have begun wrapping up an eventual security
upload for stable and oldstable.  You will find the debdiffs
attached.

I have problems testing the fix for myself.  The test suite in
the package currently does not trigger, in addition to issues
with inlining binaries in quilt patches.  This is how I tripped
on the carpet with the return NULL vs goto FAIL in the patch.
Otherwise, I assume this would have been caught by the test case
added along upstream commit 2be88bd.  :(  Thankfully, as you
might have witnessed, upstream has been very reactive to
pinpoint issues and provide proper corrections.  :)  I have
reviewed the way the function parse_level0_xml evolved between
3.4.1 and 4.0.0 and I agree that the correction was needed.

With these elements, should I go ahead with the upload to
trixie-security and to bookworm-security?

Have a nice day,  :)
-- 
  .''`.  Étienne Mollier <emollier at debian.org>
 : :' :  pgp: 8f91 b227 c7d6 f2b1 948c  8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/2, please excuse my verbosity
   `-
-------------- next part --------------
diff -Nru openslide-3.4.1+dfsg/debian/changelog openslide-3.4.1+dfsg/debian/changelog
--- openslide-3.4.1+dfsg/debian/changelog	2023-08-25 01:17:26.000000000 +0200
+++ openslide-3.4.1+dfsg/debian/changelog	2026-06-14 19:17:44.000000000 +0200
@@ -1,3 +1,12 @@
+openslide (3.4.1+dfsg-7+deb13u1) trixie-security; urgency=medium
+
+  * CVE-2026-48977.patch: new: fix CVE-2026-48977.
+    The change lacks attempt to apply the test case, because the binary
+    representation of a newly introduced test file is not possible in the
+    patch. (Closes: #1140003)
+
+ -- Étienne Mollier <emollier at debian.org>  Sun, 14 Jun 2026 19:17:44 +0200
+
 openslide (3.4.1+dfsg-7) unstable; urgency=medium
 
   * Non-maintainer upload.
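Review bot: The new 3.4.1+dfsg-7+deb13u1 entry at the top of this hunk carries no upload-type line, while the matching bookworm entry in the second debdiff opens with `* Team upload.`; if the same uploader status applies to both, add that line here too so the two entries are consistent. The first bullet also identifies the fix only by its CVE number; quoting the patch's own description (`ventana: fail if area has invalid tile count`) would tell changelog readers what behaviour changed.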
diff -Nru openslide-3.4.1+dfsg/debian/patches/CVE-2026-48977.patch openslide-3.4.1+dfsg/debian/patches/CVE-2026-48977.patch
--- openslide-3.4.1+dfsg/debian/patches/CVE-2026-48977.patch	1970-01-01 01:00:00.000000000 +0100
+++ openslide-3.4.1+dfsg/debian/patches/CVE-2026-48977.patch	2026-06-14 19:15:49.000000000 +0200
@@ -0,0 +1,28 @@
+Applied-Upstream: 2be88bd782d9fff46de8e56a99baca523e7917b3
+Author: Benjamin Gilbert <bgilbert at cs.cmu.edu>
+Last-Update: 2026-06-14
+Description: ventana: fail if area has invalid tile count
+ Reported-by: Erik Lening <lening.erik at proton.me>
+ Signed-off-by: Benjamin Gilbert <bgilbert at cs.cmu.edu>
+ .
+ This Debian-specific patch lacks implementation of the test case due to
+ technical unability to represent the OS-2.bif.xdelta within a quilt
+ patch.
+Reviewed-By: Étienne Mollier <emollier at debian.org>
+Bug-Debian: https://bugs.debian.org/1140003
+
+--- openslide.orig/src/openslide-vendor-ventana.c
++++ openslide/src/openslide-vendor-ventana.c
+@@ -524,6 +524,12 @@
+     // get tile counts
+     PARSE_INT_ATTRIBUTE_OR_FAIL(info, ATTR_NUM_COLS, area->tiles_across);
+     PARSE_INT_ATTRIBUTE_OR_FAIL(info, ATTR_NUM_ROWS, area->tiles_down);
++    if (area->tiles_across < 1 || area->tiles_down < 1) {
++      g_set_error(err, OPENSLIDE_ERROR, OPENSLIDE_ERROR_FAILED,
++                  "Area has invalid tile count %"PRId64"x%"PRId64,
++                  area->tiles_across, area->tiles_down);
++      goto FAIL;
++    }
+ 
+     // get position
+     // it seems these are always whole numbers, but they are sometimes
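Review bot: The added check in the embedded `@@ -524,6 +524,12 @@` hunk exits through `goto FAIL`, but neither the `FAIL` label nor its cleanup is visible in this context, and the covering mail says an earlier attempt confused `return NULL` with `goto FAIL` at this spot. Since the mail also notes that parse_level0_xml changed between 3.4.1 and 4.0.0, please confirm against the 3.4.1 source that `FAIL` exists in this function and releases whatever was allocated before this point (the hunk already dereferences `area`). The check enforces only a lower bound (`< 1`); whether an upper bound is also needed cannot be judged from these lines.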
diff -Nru openslide-3.4.1+dfsg/debian/patches/series openslide-3.4.1+dfsg/debian/patches/series
--- openslide-3.4.1+dfsg/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ openslide-3.4.1+dfsg/debian/patches/series	2026-06-14 19:15:49.000000000 +0200
@@ -0,0 +1 @@
+CVE-2026-48977.patch
-------------- next part --------------
diff -Nru openslide-3.4.1+dfsg/debian/changelog openslide-3.4.1+dfsg/debian/changelog
--- openslide-3.4.1+dfsg/debian/changelog	2022-05-23 23:13:35.000000000 +0200
+++ openslide-3.4.1+dfsg/debian/changelog	2026-06-14 19:52:57.000000000 +0200
@@ -1,3 +1,13 @@
+openslide (3.4.1+dfsg-6+deb12u1) bookworm-security; urgency=medium
+
+  * Team upload.
+  * CVE-2026-48977.patch: new: fix CVE-2026-48977.
+    The change lacks attempt to apply the test case, because the binary
+    representation of a newly introduced test file is not possible in the
+    patch. (Closes: #1140003)
+
+ -- Étienne Mollier <emollier at debian.org>  Sun, 14 Jun 2026 19:52:57 +0200
+
 openslide (3.4.1+dfsg-6) unstable; urgency=medium
 
   * Team upload.
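Review bot: The sentence "The change lacks attempt to apply the test case" in the new 3.4.1+dfsg-6+deb12u1 entry is hard to parse; something like "The upstream test case is not included, because its binary test file cannot be represented in a quilt patch" says the same thing directly. The entry also sets urgency=medium, while the covering mail describes the unstable upload as urgency=high; worth confirming that the lower value is intended for the security uploads.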
diff -Nru openslide-3.4.1+dfsg/debian/patches/CVE-2026-48977.patch openslide-3.4.1+dfsg/debian/patches/CVE-2026-48977.patch
--- openslide-3.4.1+dfsg/debian/patches/CVE-2026-48977.patch	1970-01-01 01:00:00.000000000 +0100
+++ openslide-3.4.1+dfsg/debian/patches/CVE-2026-48977.patch	2026-06-14 19:52:39.000000000 +0200
@@ -0,0 +1,28 @@
+Applied-Upstream: 2be88bd782d9fff46de8e56a99baca523e7917b3
+Author: Benjamin Gilbert <bgilbert at cs.cmu.edu>
+Last-Update: 2026-06-14
+Description: ventana: fail if area has invalid tile count
+ Reported-by: Erik Lening <lening.erik at proton.me>
+ Signed-off-by: Benjamin Gilbert <bgilbert at cs.cmu.edu>
+ .
+ This Debian-specific patch lacks implementation of the test case due to
+ technical unability to represent the OS-2.bif.xdelta within a quilt
+ patch.
+Reviewed-By: Étienne Mollier <emollier at debian.org>
+Bug-Debian: https://bugs.debian.org/1140003
+
+--- openslide.orig/src/openslide-vendor-ventana.c
++++ openslide/src/openslide-vendor-ventana.c
+@@ -524,6 +524,12 @@
+     // get tile counts
+     PARSE_INT_ATTRIBUTE_OR_FAIL(info, ATTR_NUM_COLS, area->tiles_across);
+     PARSE_INT_ATTRIBUTE_OR_FAIL(info, ATTR_NUM_ROWS, area->tiles_down);
++    if (area->tiles_across < 1 || area->tiles_down < 1) {
++      g_set_error(err, OPENSLIDE_ERROR, OPENSLIDE_ERROR_FAILED,
++                  "Area has invalid tile count %"PRId64"x%"PRId64,
++                  area->tiles_across, area->tiles_down);
++      goto FAIL;
++    }
+ 
+     // get position
+     // it seems these are always whole numbers, but they are sometimes
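Review bot: The patch header states that the upstream test case is dropped because OS-2.bif.xdelta cannot be carried in a quilt patch, which leaves the new `tiles_across < 1 || tiles_down < 1` branch unexercised by the package's test suite. If the package uses source format 3.0 (quilt), the binary can be shipped under debian/ and listed in debian/source/include-binaries, then copied into the test tree at build time, so the regression test runs for both the trixie and bookworm uploads. Minor: "unability" in the header should read "inability".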
diff -Nru openslide-3.4.1+dfsg/debian/patches/series openslide-3.4.1+dfsg/debian/patches/series
--- openslide-3.4.1+dfsg/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ openslide-3.4.1+dfsg/debian/patches/series	2026-06-14 19:52:39.000000000 +0200
@@ -0,0 +1 @@
+CVE-2026-48977.patch