[Debian-med-packaging] Bug#1140493: trixie-pu: package openslide/3.4.1+dfsg-7+deb13u1

Étienne Mollier emollier at debian.org
Sun Jun 21 14:50:25 BST 2026


Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: openslide at packages.debian.org
Control: affects -1 + src:openslide
User: release.debian.org at packages.debian.org
Usertags: pu

Hi Stable Release Managers,

[ Reason ]
openslide in trixie is currently affected by CVE-2026-48977.
See also #1140003.  Following discussion with the Security Team,
it seemed fair to include the change for the upcoming point
release.

[ Impact ]
openslide will remain affected by CVE-2026-48977 if the update
is not granted.

[ Tests ]
The test suite of openslide currently does not trigger while
building the package.  I had to trust reverse dependencies
autopkgtest had sufficient coverage, but even then, the initial
revision of the patch had a problem that I didn't catch (change
from return NULL to goto FAIL needed when backporting the patch
from openslide 4.0.0 to openslide 3.4.1).  It was promptly
flagged by the upstream openslide developper and corrected
thankfully.

[ Risks ]
The change is relatively short, but the context around the
function evolved between openslide 3.4.1 and openslide 4.0.0.
Therefore the patch does look different from upstream's commit.
As the test suite doesn't trigger, and the quilt patch choke on
the binary artifact update for test item, I screwup the initial
revision of the patch.  The present revision of the patch has
beneftitted from upstream correction and comment.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
This change introduces CVE-2026-48977.patch, import of upstream
commit 2be88bd782d9fff46de8e56a99baca523e7917b3.  The code
triggers an error condition when one of the area tiles has an
incoherent value (lesser than one integer IIUC).  Differences
with upstream commit are the lack of test artifacts and the goto
FAIL instead of the return NULL, in order to properly branch to
the failure handling segment present up to openslide 3.4.1.

[ Other info ]
When looking up the security tracker for openslide, you may also
notice CVE-2026-54604.  It appears to not trigger in trixie and
older as long as the libtiff remains no greater than version
4.7.0.  The fix is not part of the present patch.

Have a nice day,  :)
-- 
  .''`.  Étienne Mollier <emollier at debian.org>
 : :' :  pgp: 8f91 b227 c7d6 f2b1 948c  8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/2, please excuse my verbosity
   `-
-------------- next part --------------
diff -Nru openslide-3.4.1+dfsg/debian/changelog openslide-3.4.1+dfsg/debian/changelog
--- openslide-3.4.1+dfsg/debian/changelog	2023-08-25 01:17:26.000000000 +0200
+++ openslide-3.4.1+dfsg/debian/changelog	2026-06-14 19:17:44.000000000 +0200
@@ -1,3 +1,12 @@
+openslide (3.4.1+dfsg-7+deb13u1) trixie-security; urgency=medium
+
+  * CVE-2026-48977.patch: new: fix CVE-2026-48977.
+    The change lacks attempt to apply the test case, because the binary
+    representation of a newly introduced test file is not possible in the
+    patch. (Closes: #1140003)
+
+ -- Étienne Mollier <emollier at debian.org>  Sun, 14 Jun 2026 19:17:44 +0200
+
 openslide (3.4.1+dfsg-7) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru openslide-3.4.1+dfsg/debian/patches/CVE-2026-48977.patch openslide-3.4.1+dfsg/debian/patches/CVE-2026-48977.patch
--- openslide-3.4.1+dfsg/debian/patches/CVE-2026-48977.patch	1970-01-01 01:00:00.000000000 +0100
+++ openslide-3.4.1+dfsg/debian/patches/CVE-2026-48977.patch	2026-06-14 19:15:49.000000000 +0200
@@ -0,0 +1,28 @@
+Applied-Upstream: 2be88bd782d9fff46de8e56a99baca523e7917b3
+Author: Benjamin Gilbert <bgilbert at cs.cmu.edu>
+Last-Update: 2026-06-14
+Description: ventana: fail if area has invalid tile count
+ Reported-by: Erik Lening <lening.erik at proton.me>
+ Signed-off-by: Benjamin Gilbert <bgilbert at cs.cmu.edu>
+ .
+ This Debian-specific patch lacks implementation of the test case due to
+ technical unability to represent the OS-2.bif.xdelta within a quilt
+ patch.
+Reviewed-By: Étienne Mollier <emollier at debian.org>
+Bug-Debian: https://bugs.debian.org/1140003
+
+--- openslide.orig/src/openslide-vendor-ventana.c
++++ openslide/src/openslide-vendor-ventana.c
+@@ -524,6 +524,12 @@
+     // get tile counts
+     PARSE_INT_ATTRIBUTE_OR_FAIL(info, ATTR_NUM_COLS, area->tiles_across);
+     PARSE_INT_ATTRIBUTE_OR_FAIL(info, ATTR_NUM_ROWS, area->tiles_down);
++    if (area->tiles_across < 1 || area->tiles_down < 1) {
++      g_set_error(err, OPENSLIDE_ERROR, OPENSLIDE_ERROR_FAILED,
++                  "Area has invalid tile count %"PRId64"x%"PRId64,
++                  area->tiles_across, area->tiles_down);
++      goto FAIL;
++    }
+ 
+     // get position
+     // it seems these are always whole numbers, but they are sometimes
diff -Nru openslide-3.4.1+dfsg/debian/patches/series openslide-3.4.1+dfsg/debian/patches/series
--- openslide-3.4.1+dfsg/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ openslide-3.4.1+dfsg/debian/patches/series	2026-06-14 19:15:49.000000000 +0200
@@ -0,0 +1 @@
+CVE-2026-48977.patch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/debian-med-packaging/attachments/20260621/2a9a1eea/attachment.sig>


More information about the Debian-med-packaging mailing list