Bug#1133010: prepare trixie pu for CVE-2026-35444 and related parser fixes
Simon McVittie
smcv at debian.org
Tue Apr 21 10:57:51 BST 2026
On Tue, 21 Apr 2026 at 00:33:48 -0300, Aquila Macedo wrote:
>@@ -0,0 +1,4 @@
>+CVE-2026-35444.patch
>+lbm-fix-heap-buffer-overflow-write-in-LBM-palette.patch
>+xcf-fix-heap-buffer-overflow-read-in-XCF-RLE-decoder.patch
https://github.com/libsdl-org/SDL_image/commit/bc17bc7c6a2767e342ebb6d3fd37c8e323c8dd70
"xpm: Remove QUICK_COLORHASH, replace it with inline code that checks
for NULL." is fixing a null pointer dereference, is that one not
applicable in trixie?
>+xcf-fix-heap-buffer-overflow-read-in-do_layer_surface.patch
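Review bot: the three patches named only by symptom (lbm-fix-heap-buffer-overflow-write-in-LBM-palette.patch, xcf-fix-heap-buffer-overflow-read-in-XCF-RLE-decoder.patch, xcf-fix-heap-buffer-overflow-read-in-do_layer_surface.patch) give no indication in this series file of which upstream commits they are backports of, so a reader of the hunk cannot tell whether each one is complete on its own or depends on a follow-up; each patch should carry DEP-3 Origin and Bug headers pointing at the upstream commit (and CVE where one exists) so that completeness against upstream can be checked from the patch itself.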
This one had a follow-up commit,
https://github.com/libsdl-org/SDL_image/commit/1aedddcbd205c4e1ea0f99fdb2c785acc8e2489b
"xcf: Added an SDL_SetError when rejecting out-of-bounds tile data.", to
make sure that SDL's error/exception mechanism is used correctly. I
think we should not apply "Fix heap-buffer-overflow READ in XCF
do_layer_surface (CWE-122)" without also applying "xcf: Added an
SDL_SetError when rejecting out-of-bounds tile data.".
There are also some other robustness fixes pending review in
https://github.com/libsdl-org/SDL_image/pulls which seem likely to be
included in a future upstream release if they're correct (I haven't
reviewed them). We might be better off waiting for 2.8.12 to be released
upstream, and then basing a trixie update on that.
Thanks,
smcv