Version in base suite: 8.14.1-3+deb12u2

Base version: vips_8.14.1-3+deb12u2
Target version: vips_8.14.1-3+deb12u3
Base file: /srv/ftp-master.debian.org/ftp/pool/main/v/vips/vips_8.14.1-3+deb12u2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/v/vips/vips_8.14.1-3+deb12u3.dsc

 changelog                                 |   11 ++++++
 patches/CVE-2026-2913.patch               |   50 ++++++++++++++++++++++++++++++
 patches/CVE-2026-3145_CVE-2026-3146.patch |   28 ++++++++++++++++
 patches/CVE-2026-3147.patch               |   21 ++++++++++++
 patches/CVE-2026-3281.patch               |   18 ++++++++++
 patches/CVE-2026-3282.patch               |   18 ++++++++++
 patches/CVE-2026-3283_CVE-2026-3284.patch |   28 ++++++++++++++++
 patches/series                            |    6 +++
 8 files changed, 180 insertions(+)

dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpfkbauhrv/vips_8.14.1-3+deb12u2.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpfkbauhrv/vips_8.14.1-3+deb12u3.dsc: no acceptable signature found
diff -Nru vips-8.14.1/debian/changelog vips-8.14.1/debian/changelog
--- vips-8.14.1/debian/changelog	2025-04-30 18:53:34.000000000 +0000
+++ vips-8.14.1/debian/changelog	2026-04-06 05:36:49.000000000 +0000
@@ -1,3 +1,14 @@
+vips (8.14.1-3+deb12u3) bookworm; urgency=medium
+
+  * CVE-2026-3283 CVE-2026-3284 (Closes: #1129310)
+  * CVE-2026-3282 (Closes: #1129311)
+  * CVE-2026-3281 (Closes: #1129312)
+  * CVE-2026-3147 (Closes: #1129314)
+  * CVE-2026-3145 CVE-2026-3146 (Closes: #1129315)
+  * CVE-2026-2913 (Closes: #1128785)
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 06 Apr 2026 07:36:49 +0200
+
 vips (8.14.1-3+deb12u2) bookworm-security; urgency=high
 
   * Non-maintainer upload.
diff -Nru vips-8.14.1/debian/patches/CVE-2026-2913.patch vips-8.14.1/debian/patches/CVE-2026-2913.patch
--- vips-8.14.1/debian/patches/CVE-2026-2913.patch	1970-01-01 00:00:00.000000000 +0000
+++ vips-8.14.1/debian/patches/CVE-2026-2913.patch	2026-04-06 00:13:53.000000000 +0000
@@ -0,0 +1,50 @@
+From a56feecbe9ed66521d9647ec9fbcd2546eccd7ee Mon Sep 17 00:00:00 2001
+From: Kleis Auke Wolthuizen <github@kleisauke.nl>
+Date: Thu, 12 Feb 2026 10:38:55 +0100
+Subject: [PATCH] source: guard against length truncation (#4858)
+
+--- vips-8.14.1.orig/libvips/iofuncs/source.c
++++ vips-8.14.1/libvips/iofuncs/source.c
+@@ -929,6 +929,12 @@ vips_source_read_to_memory( VipsSource *
+ 	g_assert( !source->header_bytes );
+ 	g_assert( source->length >= 0 );
+ 
++	if (G_UNLIKELY(source->length > UINT_MAX)) {
++		vips_error(vips_connection_nick(VIPS_CONNECTION(source)),
++			"%s", _("length overflow"));
++		return -1;
++	}
++
+ 	if( vips_source_rewind( source ) )
+ 		return( -1 );
+ 
+@@ -936,7 +942,7 @@ vips_source_read_to_memory( VipsSource *
+ 	 * directly to it.
+ 	 */
+ 	byte_array = g_byte_array_new();
+-	g_byte_array_set_size( byte_array, source->length );
++	g_byte_array_set_size(byte_array, (guint) source->length);
+ 
+ 	read_position = 0;
+ 	q = byte_array->data;
+@@ -1320,13 +1326,19 @@ vips_source_sniff_at_most( VipsSource *s
+ 
+ 	VIPS_DEBUG_MSG( "vips_source_sniff_at_most: %zd bytes\n", length );
+ 
++	if (G_UNLIKELY(length > UINT_MAX)) {
++		vips_error(vips_connection_nick(VIPS_CONNECTION(source)),
++			"%s", _("length overflow"));
++		return -1;
++	}
++
+ 	SANITY( source );
+ 
+ 	if( vips_source_test_features( source ) ||
+ 		vips_source_rewind( source ) )
+ 		return( -1 );
+ 
+-	g_byte_array_set_size( source->sniff, length );
++	g_byte_array_set_size(source->sniff, (guint) length);
+ 
+ 	read_position = 0; 
+ 	q = source->sniff->data;
diff -Nru vips-8.14.1/debian/patches/CVE-2026-3145_CVE-2026-3146.patch vips-8.14.1/debian/patches/CVE-2026-3145_CVE-2026-3146.patch
--- vips-8.14.1/debian/patches/CVE-2026-3145_CVE-2026-3146.patch	1970-01-01 00:00:00.000000000 +0000
+++ vips-8.14.1/debian/patches/CVE-2026-3145_CVE-2026-3146.patch	2026-04-06 05:36:49.000000000 +0000
@@ -0,0 +1,28 @@
+From d4ce337c76bff1b278d7085c3c4f4725e3aa6ece Mon Sep 17 00:00:00 2001
+From: Lovell Fuller <lovell@users.noreply.github.com>
+Date: Thu, 19 Feb 2026 12:31:43 +0000
+Subject: [PATCH] matrixload: guard against empty and very large inputs (#4888)
+
+--- vips-8.14.1.orig/libvips/foreign/matrixload.c
++++ vips-8.14.1/libvips/foreign/matrixload.c
+@@ -187,7 +187,10 @@ vips_foreign_load_matrix_header( VipsFor
+ 	if( vips_source_rewind( matrix->source ) )
+ 		return( -1 );
+ 
+-	line = vips_sbuf_get_line_copy( matrix->sbuf );
++	if (!(line = vips_sbuf_get_line_copy(matrix->sbuf))) {
++		vips_error("mask2vips", "%s", _("invalid header"));
++		return -1;
++	}
+ 	result = parse_matrix_header( line, &width, &height, &scale, &offset );
+ 	g_free( line );
+ 	if( result )
+@@ -333,7 +336,7 @@ static gboolean
+ vips_foreign_load_matrix_file_is_a( const char *filename )
+ {
+ 	unsigned char line[80];
+-	guint64 bytes;
++	gint64 bytes;
+ 	int width;
+ 	int height;
+ 	double scale;
diff -Nru vips-8.14.1/debian/patches/CVE-2026-3147.patch vips-8.14.1/debian/patches/CVE-2026-3147.patch
--- vips-8.14.1/debian/patches/CVE-2026-3147.patch	1970-01-01 00:00:00.000000000 +0000
+++ vips-8.14.1/debian/patches/CVE-2026-3147.patch	2026-04-05 23:48:31.000000000 +0000
@@ -0,0 +1,21 @@
+From b3ab458a25e0e261cbd1788474bbc763f7435780 Mon Sep 17 00:00:00 2001
+From: Lovell Fuller <lovell@users.noreply.github.com>
+Date: Sat, 21 Feb 2026 19:00:31 +0000
+Subject: [PATCH] csvload: check whitespace and separator are ASCII (#4894)
+
+--- vips-8.14.1.orig/libvips/foreign/csvload.c
++++ vips-8.14.1/libvips/foreign/csvload.c
+@@ -122,6 +122,13 @@ vips_foreign_load_csv_build( VipsObject
+ 	int i;
+ 	const char *p;
+ 
++	if (!g_str_is_ascii(csv->whitespace) ||
++		!g_str_is_ascii(csv->separator)) {
++		vips_error("csvload", "%s",
++			_("whitespace and separator must be ASCII"));
++		return -1;
++	}
++
+ 	if( !(csv->sbuf = vips_sbuf_new_from_source( csv->source )) )
+ 		return( -1 );
+ 
diff -Nru vips-8.14.1/debian/patches/CVE-2026-3281.patch vips-8.14.1/debian/patches/CVE-2026-3281.patch
--- vips-8.14.1/debian/patches/CVE-2026-3281.patch	1970-01-01 00:00:00.000000000 +0000
+++ vips-8.14.1/debian/patches/CVE-2026-3281.patch	2026-04-05 23:48:31.000000000 +0000
@@ -0,0 +1,18 @@
+From fd28c5463697712cb0ab116a2c55e4f4d92c4088 Mon Sep 17 00:00:00 2001
+From: Lovell Fuller <lovell@users.noreply.github.com>
+Date: Sun, 22 Feb 2026 09:39:05 +0000
+Subject: [PATCH] bandrank: check index is in range #4878 (#4895)
+
+--- vips-8.14.1.orig/libvips/conversion/bandrank.c
++++ vips-8.14.1/libvips/conversion/bandrank.c
+@@ -205,6 +205,10 @@ vips_bandrank_build( VipsObject *object
+ 
+ 		if( bandrank->index == -1 )
+ 			bandrank->index = bandary->n / 2; 
++		else if (bandrank->index >= bandary->n) {
++			vips_error(class->nickname, _("index out of range"));
++			return -1;
++		}
+ 	}
+ 
+ 	if( VIPS_OBJECT_CLASS( vips_bandrank_parent_class )->build( object ) )
diff -Nru vips-8.14.1/debian/patches/CVE-2026-3282.patch vips-8.14.1/debian/patches/CVE-2026-3282.patch
--- vips-8.14.1/debian/patches/CVE-2026-3282.patch	1970-01-01 00:00:00.000000000 +0000
+++ vips-8.14.1/debian/patches/CVE-2026-3282.patch	2026-04-05 23:48:31.000000000 +0000
@@ -0,0 +1,18 @@
+From 7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91 Mon Sep 17 00:00:00 2001
+From: Lovell Fuller <lovell@users.noreply.github.com>
+Date: Thu, 19 Feb 2026 13:50:37 +0000
+Subject: [PATCH] unpremultiply: check alpha_band is in range #4881 (#4886)
+
+--- vips-8.14.1.orig/libvips/conversion/unpremultiply.c
++++ vips-8.14.1/libvips/conversion/unpremultiply.c
+@@ -284,6 +284,10 @@ vips_unpremultiply_build( VipsObject *ob
+ 	 */
+ 	if( !vips_object_argument_isset( object, "alpha_band" ) ) 
+ 		unpremultiply->alpha_band = in->Bands - 1;
++	else if (unpremultiply->alpha_band >= in->Bands) {
++		vips_error(class->nickname, "%s", _("alpha_band out of range"));
++		return -1;
++	}
+ 
+ 	if( in->BandFmt == VIPS_FORMAT_DOUBLE )
+ 		conversion->out->BandFmt = VIPS_FORMAT_DOUBLE;
diff -Nru vips-8.14.1/debian/patches/CVE-2026-3283_CVE-2026-3284.patch vips-8.14.1/debian/patches/CVE-2026-3283_CVE-2026-3284.patch
--- vips-8.14.1/debian/patches/CVE-2026-3283_CVE-2026-3284.patch	1970-01-01 00:00:00.000000000 +0000
+++ vips-8.14.1/debian/patches/CVE-2026-3283_CVE-2026-3284.patch	2025-04-30 18:53:34.000000000 +0000
@@ -0,0 +1,28 @@
+From 24795bb3d19d84f7b6f5ed86451ad556c8f2fe70 Mon Sep 17 00:00:00 2001
+From: Lovell Fuller <lovell@users.noreply.github.com>
+Date: Thu, 19 Feb 2026 08:39:31 +0000
+Subject: [PATCH] extract: check bounds using unsigned arith #4879 #4880
+ (#4887)
+
+--- vips-8.14.1.orig/libvips/conversion/extract.c
++++ vips-8.14.1/libvips/conversion/extract.c
+@@ -143,8 +143,8 @@ vips_extract_area_build( VipsObject *obj
+ 		build( object ) )
+ 		return( -1 );
+ 
+-	if( extract->left + extract->width > extract->in->Xsize ||
+-		extract->top + extract->height > extract->in->Ysize ||
++	if ((guint64) extract->left + extract->width > extract->in->Xsize ||
++		(guint64) extract->top + extract->height > extract->in->Ysize ||
+ 		extract->left < 0 || extract->top < 0 ||
+ 		extract->width <= 0 || extract->height <= 0 ) {
+ 		vips_error( class->nickname, "%s", _( "bad extract area" ) );
+@@ -385,7 +385,7 @@ vips_extract_band_build( VipsObject *obj
+ 		bandary->in = &extract->in;
+ 		bandary->out_bands = extract->n;
+ 
+-		if( extract->band + extract->n > bands ) {
++		if ((guint64) extract->band + extract->n > bands) {
+ 			vips_error( class->nickname, 
+ 				"%s", _( "bad extract band" ) );
+ 			return( -1 );
diff -Nru vips-8.14.1/debian/patches/series vips-8.14.1/debian/patches/series
--- vips-8.14.1/debian/patches/series	2025-04-30 18:53:34.000000000 +0000
+++ vips-8.14.1/debian/patches/series	2026-04-06 05:36:49.000000000 +0000
@@ -3,3 +3,9 @@
 CVE-2023-40032.patch
 CVE-2025-29769/01-9ab6784f6.patch
 CVE-2025-29769/02-8effeb912.patch
+CVE-2026-3283_CVE-2026-3284.patch
+CVE-2026-3282.patch
+CVE-2026-3281.patch
+CVE-2026-3147.patch
+CVE-2026-3145_CVE-2026-3146.patch
+CVE-2026-2913.patch