Version in base suite: 0.4.42-2+deb12u1
Base version: gegl_0.4.42-2+deb12u1
Target version: gegl_0.4.42-2+deb12u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/gegl/gegl_0.4.42-2+deb12u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/g/gegl/gegl_0.4.42-2+deb12u2.dsc
changelog | 7 ++
patches/ZDI-CAN-28266-guard-against-buffer-overflow.patch | 38 ++++++++++++++
patches/series | 1
3 files changed, 46 insertions(+)
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpb4tlnzbs/gegl_0.4.42-2+deb12u1.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpb4tlnzbs/gegl_0.4.42-2+deb12u2.dsc: no acceptable signature found
diff -Nru gegl-0.4.42/debian/changelog gegl-0.4.42/debian/changelog
--- gegl-0.4.42/debian/changelog 2025-09-28 14:50:01.000000000 +0000
+++ gegl-0.4.42/debian/changelog 2026-02-18 14:08:05.000000000 +0000
@@ -1,3 +1,10 @@
+gegl (1:0.4.42-2+deb12u2) bookworm-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * ZDI-CAN-28266: guard against buffer overflow (CVE-2026-2049, CVE-2026-2050)
+
+ -- Salvatore Bonaccorso Wed, 18 Feb 2026 15:08:05 +0100
+
 gegl (1:0.4.42-2+deb12u1) bookworm-security; urgency=medium
 
 * CVE-2025-10921 (Closes: #1116470)
diff -Nru gegl-0.4.42/debian/patches/ZDI-CAN-28266-guard-against-buffer-overflow.patch gegl-0.4.42/debian/patches/ZDI-CAN-28266-guard-against-buffer-overflow.patch
--- gegl-0.4.42/debian/patches/ZDI-CAN-28266-guard-against-buffer-overflow.patch 1970-01-01 00:00:00.000000000 +0000
+++ gegl-0.4.42/debian/patches/ZDI-CAN-28266-guard-against-buffer-overflow.patch 2026-02-18 14:07:51.000000000 +0000
@@ -0,0 +1,38 @@
+From: Gabriele Barbero
+Date: Fri, 5 Dec 2025 00:20:22 +0100
+Subject: ZDI-CAN-28266: guard against buffer overflow
+Origin: https://gitlab.gnome.org/GNOME/gegl/-/commit/d32f1badb4bde1d6e8137f687d9ee1195768d4ed
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-2049
+Bug: https://gitlab.gnome.org/GNOME/gegl/-/issues/446
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-2050
+Bug: https://gitlab.gnome.org/GNOME/gegl/-/issues/450
+
+In rgbe_read_new_rle we check whether there is still space in the buffer,
+but we do not verify that the run length fits within the remaining capacity.
+This can lead to a buffer overflow. This patch adds a check to ensure that
+the run length does not exceed the available space.
+---
+ libs/rgbe/rgbe.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/libs/rgbe/rgbe.c b/libs/rgbe/rgbe.c
+index 228e96f1f519..be44afeab2d3 100644
+--- a/libs/rgbe/rgbe.c
++++ b/libs/rgbe/rgbe.c
+@@ -684,6 +684,13 @@ rgbe_read_new_rle (const rgbe_file *file,
+
+ data++;
+
++ /* Check if there's enought space in the buffer to avoid OOB */
++ if (length > (pixels + RGBE_NUM_RGBE * linesize - pixoffset[component]) / RGBE_NUM_RGBE)
++ {
++ g_warning ("Buffer overflow detected.");
++ return FALSE;
++ }
++
+ /* A compressed run */
+ if (rle)
+ {
+--
+2.51.0
+
diff -Nru gegl-0.4.42/debian/patches/series gegl-0.4.42/debian/patches/series
--- gegl-0.4.42/debian/patches/series 2025-09-28 14:50:01.000000000 +0000
+++ gegl-0.4.42/debian/patches/series 2026-02-18 14:07:51.000000000 +0000
@@ -1 +1,2 @@
 CVE-2025-10921.patch
+ZDI-CAN-28266-guard-against-buffer-overflow.patch
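Review bot: The capacity bound in the added check truncates: `(pixels + RGBE_NUM_RGBE * linesize - pixoffset[component]) / RGBE_NUM_RGBE` rounds down, so it under-counts the free slots by one whenever pixoffset[component] is not a whole number of pixels away from the end of the line. The declaration of pixoffset and the rest of rgbe_read_new_rle lie outside this hunk, but if each component pointer starts at pixels plus its channel index, as the per-component indexing suggests, a well-formed run that exactly completes a scanline would be rejected for every channel except the first. Rounding the quotient up keeps the write bound exact without false rejects: `if (length > (pixels + RGBE_NUM_RGBE * linesize - pixoffset[component] + RGBE_NUM_RGBE - 1) / RGBE_NUM_RGBE)`; decoding a known-good RLE .hdr file with the patched build would confirm which form is right. The guard covers writes into pixels only, so whether the reads through `data`, which the hunk advances with `data++`, are bounded by the file size should be checked in the part of the function not shown.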