[Debian-med-packaging] Bug#1140003: openslide: CVE-2026-48977
Salvatore Bonaccorso
carnil at debian.org
Sat Jun 20 20:58:26 BST 2026
Hi Étienne,
On Sun, Jun 14, 2026 at 08:05:50PM +0200, Étienne Mollier wrote:
> Control: found -1 3.4.1+dfsg-6
> Control: fixed -1 3.4.1+dfsg-9
>
> Hi Salvatore and the Security Team,
>
> Thank you for the notification, the fix (hopefully correct this
> time) should make it to Debian unstable soon, and then forky in
> a couple of days. I have proceeded to an urgency=high upload of
> openslide 3.4.1+dfsg-9 this time. I saw preparatory work for a
> version 4.0.0 in Salsa, but that was unfinished work and I was
> unsure of the blockers, so I favored a targeted fix for now.
>
> trixie and bookworm are running the same 3.4.1 upstream version
> (3.4.1+dfsg-7 and 3.4.1+dfsg-6 packaging iterations
> respectively), so I have begun wrapping up an eventual security
> upload for stable and oldstable. You will find the debdiffs in
> attachment.
>
> I have problems testing the fix for myself. The test suite in
> the package currently does not trigger, in addition to issues
> with inlining binaries in quilt patches. This is how I tripped
> on the carpet with the return NULL vs goto FAIL in the patch.
> Otherwise, I assume this would have been caught by the test case
> added along upstream commit 2be88bd. :( Thankfully, as you
> might have witnessed, upstream has been very reactive to
> pinpoint issues and provide proper corrections. :) I have
> reviewed the way the function parse_level0_xml evolved between
> 3.4.1 and 4.0.0 and I agree that the correction was needed.
>
> With these elements, should I go ahead with upload to
> trixie-security and to bookworm-security?
Sorry for the late followup, there was/is some backlog and openslide
was not on topmost on the radar. I still think openslide would be good
candidate for the point releases (which are approaching, rather than a
dedicated security update).
Regards,
Salvatore
More information about the Debian-med-packaging
mailing list