[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2026-2913/vips: add NOTE with commit introducing the vulnerability

Salvatore Bonaccorso (@carnil) carnil at debian.org
Tue Feb 24 19:24:28 GMT 2026 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
64ee1d04 by Carlos Henrique Lima Melara at 2026-02-24T00:27:12-03:00
CVE-2026-2913/vips: add NOTE with commit introducing the vulnerability

Accordingly to the reporter [1] "vips_source_read_to_memory() allocates
a GByteArray using source->length (gint64), but g_byte_array_set_size()
takes a 32-bit guint. When source->length > G_MAXUINT, the allocation
truncates while the subsequent read loop still writes up to the full
64-bit length bound, causing a heap-buffer-overflow.". The
functionallity to read a custom source to memory was introduced in
8030d7b9260 [2] which added the vips_source_read_to_memory() function
(then called vips_streami_read_to_memory) that read streami->length
(gint64) to g_byte_array_set_size() which truncates to guint64 hence the
overflow could still happen.

[1] https://github.com/libvips/libvips/issues/4857#issue-3920154326
[2] https://github.com/libvips/libvips/commit/8030d7b926077f578640bacb202febcd5d2ba29e

- - - - -
12a1e303 by Salvatore Bonaccorso at 2026-02-24T20:24:19+01:00
Merge branch 'detail-vips-cve' into 'master'

CVE-2026-2913/vips: add NOTE with commit introducing the vulnerability

See merge request security-tracker-team/security-tracker!270
- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -807,6 +807,7 @@ CVE-2026-2913 (A vulnerability was determined in libvips up to 8.19.0. The affec
 	[bookworm] - vips <no-dsa> (Minor issue)
 	[bullseye] - vips <postponed> (Minor issue, local access required, hard to trigger)
 	NOTE: https://github.com/libvips/libvips/issues/4857
+	NOTE: Introduced by: https://github.com/libvips/libvips/commit/8030d7b926077f578640bacb202febcd5d2ba29e (v8.9.0-beta2)
 	NOTE: Fixed by: https://github.com/libvips/libvips/commit/a56feecbe9ed66521d9647ec9fbcd2546eccd7ee
 CVE-2026-2912 (A vulnerability was found in code-projects Online Reviewer System 1.0. ...)
 	NOT-FOR-US: code-projects



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a3ddd3cfccef137a779cae040cb637c4d6b52196...12a1e3039339fedb5d5faa2db8959d6531a1ff18

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a3ddd3cfccef137a779cae040cb637c4d6b52196...12a1e3039339fedb5d5faa2db8959d6531a1ff18
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260224/3db5bae1/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list