Version in base suite: 5.2.1-2.5

Base version: giflib_5.2.1-2.5
Target version: giflib_5.2.1-2.5+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/giflib/giflib_5.2.1-2.5.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/g/giflib/giflib_5.2.1-2.5+deb12u1.dsc

 changelog                    |   10 ++++++++++
 gbp.conf                     |    7 +++++++
 giflib-dbg.docs              |    2 ++
 patches/CVE-2026-23868.patch |   25 +++++++++++++++++++++++++
 patches/CVE-2026-26740.patch |   34 ++++++++++++++++++++++++++++++++++
 patches/series               |    2 ++
 salsa-ci.yml                 |    6 ++++++
 7 files changed, 86 insertions(+)

dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp4rv52z65/giflib_5.2.1-2.5.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp4rv52z65/giflib_5.2.1-2.5+deb12u1.dsc: no acceptable signature found
diff -Nru giflib-5.2.1/debian/changelog giflib-5.2.1/debian/changelog
--- giflib-5.2.1/debian/changelog	2022-06-12 16:32:15.000000000 +0000
+++ giflib-5.2.1/debian/changelog	2026-06-26 07:19:21.000000000 +0000
@@ -1,3 +1,13 @@
+giflib (5.2.1-2.5+deb12u1) bookworm; urgency=high
+
+  * Non-maintainer upload by the LTS Team
+  * Enable CI for bookworm, adapt gbp.conf for bookworm.
+  * Backport fixes for:
+    - CVE-2026-23868 - double-free vulnerability (Closes: #1130495)
+    - CVE-2026-26740 - heap OOB write (Closes: #1131368)
+
+ -- Tobias Frost <tobi@debian.org>  Fri, 26 Jun 2026 09:19:21 +0200
+
 giflib (5.2.1-2.5) unstable; urgency=medium
 
   * Non-maintainer upload
diff -Nru giflib-5.2.1/debian/gbp.conf giflib-5.2.1/debian/gbp.conf
--- giflib-5.2.1/debian/gbp.conf	1970-01-01 00:00:00.000000000 +0000
+++ giflib-5.2.1/debian/gbp.conf	2026-06-26 07:07:42.000000000 +0000
@@ -0,0 +1,7 @@
+[DEFAULT]
+upstream-tag = upstream/%(version)s
+debian-branch = debian/bookworm
+pristine-tar=True
+
+[import-orig]
+filter=[ '.gitignore', '.travis.yml', '.git*' ]
diff -Nru giflib-5.2.1/debian/giflib-dbg.docs giflib-5.2.1/debian/giflib-dbg.docs
--- giflib-5.2.1/debian/giflib-dbg.docs	1970-01-01 00:00:00.000000000 +0000
+++ giflib-5.2.1/debian/giflib-dbg.docs	2026-06-26 07:07:42.000000000 +0000
@@ -0,0 +1,2 @@
+NEWS
+TODO
diff -Nru giflib-5.2.1/debian/patches/CVE-2026-23868.patch giflib-5.2.1/debian/patches/CVE-2026-23868.patch
--- giflib-5.2.1/debian/patches/CVE-2026-23868.patch	1970-01-01 00:00:00.000000000 +0000
+++ giflib-5.2.1/debian/patches/CVE-2026-23868.patch	2026-06-26 07:07:42.000000000 +0000
@@ -0,0 +1,25 @@
+Description: CVE-2026-23868 - double-free vulnerability
+Origin: https://sourceforge.net/p/giflib/code/ci/f5b7267aed3665ef025c13823e454170d031c106
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130495
+
+commit f5b7267aed3665ef025c13823e454170d031c106
+Author: Eric S. Raymond <esr@thyrsus.com>
+Date:   Wed Mar 4 18:49:49 2026 -0500
+
+--- a/gifalloc.c
++++ b/gifalloc.c
+@@ -346,6 +346,14 @@
+              * problems.
+              */
+ 
++			/* Null out aliased pointers before any allocations
++			 * so that FreeLastSavedImage won't free CopyFrom's
++			 * data if an allocation fails partway through. */
++			sp->ImageDesc.ColorMap = NULL;
++			sp->RasterBits = NULL;
++			sp->ExtensionBlocks = NULL;
++			sp->ExtensionBlockCount = 0;
++
+             /* first, the local color map */
+             if (CopyFrom->ImageDesc.ColorMap != NULL) {
+                 sp->ImageDesc.ColorMap = GifMakeMapObject(
diff -Nru giflib-5.2.1/debian/patches/CVE-2026-26740.patch giflib-5.2.1/debian/patches/CVE-2026-26740.patch
--- giflib-5.2.1/debian/patches/CVE-2026-26740.patch	1970-01-01 00:00:00.000000000 +0000
+++ giflib-5.2.1/debian/patches/CVE-2026-26740.patch	2026-06-26 07:07:42.000000000 +0000
@@ -0,0 +1,34 @@
+Description: CVE-2026-26740 -- heap OOB write in EGifGCBToSavedExtension
+Origin: https://sourceforge.net/p/giflib/code/ci/061605081115bbfd7019bafc119a13b6f17fcf25
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131368
+Bug: https://sourceforge.net/p/giflib/bugs/199/
+Bug: https://sourceforge.net/p/giflib/bugs/201/
+commit 061605081115bbfd7019bafc119a13b6f17fcf25
+Author: Anthony Hurtado <amhurtado@protonmail.com>
+Date:   Mon Jun 1 15:40:48 2026 -0500
+
+    Fix CVE-2026-26740: heap OOB write in EGifGCBToSavedExtension
+    
+    EGifGCBToSavedExtension calls EGifGCBToExtension which unconditionally
+    writes 4 bytes into ep->Bytes without checking ep->ByteCount.  If the
+    extension block was allocated with fewer than 4 bytes, this results in
+    a heap buffer overflow.
+    
+    The read-side counterpart DGifExtensionToGCB already validates that
+    GifExtensionLength == 4 before reading.  Add the symmetric check on
+    the write side: return GIF_ERROR when ep->ByteCount < 4.
+    
+    Signed-off-by: Anthony Hurtado <amhurtado@pm.me>
+
+--- a/egif_lib.c
++++ b/egif_lib.c
+@@ -687,6 +687,9 @@
+     for (i = 0; i < GifFile->SavedImages[ImageIndex].ExtensionBlockCount; i++) {
+ 	ExtensionBlock *ep = &GifFile->SavedImages[ImageIndex].ExtensionBlocks[i];
+ 	if (ep->Function == GRAPHICS_EXT_FUNC_CODE) {
++		if (ep->ByteCount < 4) {
++			return GIF_ERROR;
++		}
+ 	    EGifGCBToExtension(GCB, ep->Bytes);
+ 	    return GIF_OK;
+ 	}
diff -Nru giflib-5.2.1/debian/patches/series giflib-5.2.1/debian/patches/series
--- giflib-5.2.1/debian/patches/series	2022-06-12 16:30:10.000000000 +0000
+++ giflib-5.2.1/debian/patches/series	2026-06-26 07:07:42.000000000 +0000
@@ -7,3 +7,5 @@
 giflib_quantize.patch
 dont-spoil-tests-with-stderr.patch
 giflib_quantize-header.patch
+CVE-2026-23868.patch
+CVE-2026-26740.patch
diff -Nru giflib-5.2.1/debian/salsa-ci.yml giflib-5.2.1/debian/salsa-ci.yml
--- giflib-5.2.1/debian/salsa-ci.yml	1970-01-01 00:00:00.000000000 +0000
+++ giflib-5.2.1/debian/salsa-ci.yml	2026-06-26 07:07:42.000000000 +0000
@@ -0,0 +1,6 @@
+---
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+    RELEASE: 'bookworm'