Version in base suite: 0.6.1-2.1 Base version: libwebp_0.6.1-2.1 Target version: libwebp_0.6.1-2.1+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libw/libwebp/libwebp_0.6.1-2.1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libw/libwebp/libwebp_0.6.1-2.1+deb11u1.dsc changelog | 6 ++++++ patches/CVE-2023-1999.patch | 33 +++++++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 40 insertions(+)
diff -Nru libwebp-0.6.1/debian/changelog libwebp-0.6.1/debian/changelog
--- libwebp-0.6.1/debian/changelog 2021-06-05 17:35:57.000000000 +0000
+++ libwebp-0.6.1/debian/changelog 2023-05-18 22:18:08.000000000 +0000
@@ -1,3 +1,9 @@
+libwebp (0.6.1-2.1+deb11u1) bullseye-security; urgency=medium
+
+ * CVE-2023-1999 (Closes: #1035371)
+
+ -- Moritz Mühlenhoff Fri, 19 May 2023 00:18:08 +0200
+
 libwebp (0.6.1-2.1) unstable; urgency=medium
 
 * Non-maintainer upload.
diff -Nru libwebp-0.6.1/debian/patches/CVE-2023-1999.patch libwebp-0.6.1/debian/patches/CVE-2023-1999.patch
--- libwebp-0.6.1/debian/patches/CVE-2023-1999.patch 1970-01-01 00:00:00.000000000 +0000
+++ libwebp-0.6.1/debian/patches/CVE-2023-1999.patch 2023-05-18 22:18:08.000000000 +0000
@@ -0,0 +1,33 @@
+Backport of
+From a486d800b60d0af4cc0836bf7ed8f21e12974129 Mon Sep 17 00:00:00 2001
+From: James Zern
+Date: Wed, 22 Feb 2023 22:15:47 -0800
+Subject: [PATCH] EncodeAlphaInternal: clear result->bw on error
+
+--- libwebp-0.6.1.orig/src/enc/alpha_enc.c
++++ libwebp-0.6.1/src/enc/alpha_enc.c
+@@ -13,6 +13,7 @@
+
+ #include
+ #include
++#include
+
+ #include "src/enc/vp8i_enc.h"
+ #include "src/dsp/dsp.h"
+@@ -148,6 +149,7 @@ static int EncodeAlphaInternal(const uin
+ }
+ } else {
+ VP8LBitWriterWipeOut(&tmp_bw);
++ memset(&result->bw, 0, sizeof(result->bw));
+ return 0;
+ }
+ }
+@@ -162,7 +164,7 @@ static int EncodeAlphaInternal(const uin
+ header = method | (filter << 2);
+ if (reduce_levels) header |= ALPHA_PREPROCESSED_LEVELS << 4;
+
+- VP8BitWriterInit(&result->bw, ALPHA_HEADER_LEN + output_size);
++ if (!VP8BitWriterInit(&result->bw, ALPHA_HEADER_LEN + output_size)) ok = 0;
+ ok = ok && VP8BitWriterAppend(&result->bw, &header, ALPHA_HEADER_LEN);
+ ok = ok && VP8BitWriterAppend(&result->bw, output, output_size);
+
diff -Nru libwebp-0.6.1/debian/patches/series libwebp-0.6.1/debian/patches/series
--- libwebp-0.6.1/debian/patches/series 2021-06-05 17:31:12.000000000 +0000
+++ libwebp-0.6.1/debian/patches/series 2023-05-18 22:18:08.000000000 +0000
@@ -2,3 +2,4 @@
 big-endian
 fix-lintian-warning
 security-fixes.patch
+CVE-2023-1999.patch
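Review bot: The `memset(&result->bw, 0, sizeof(result->bw));` added on the early-return path of the second inner hunk carries no explanation of why a writer this function has not yet initialized must be zeroed, and that reason is the entire substance of the CVE-2023-1999 fix; I would put above it `// result->bw may still hold a buffer pointer left over from the caller's previous trial; clear it so the caller's error cleanup cannot release it twice.`, noting that this wording is inferred from the subject line "clear result->bw on error" and the double-free nature of the CVE rather than from lines visible in this hunk. In the first inner hunk the added `#include` line appears without a header name on this page (the two existing `#include` lines are bare as well), presumably angle brackets lost in extraction, so the stored patch file should be checked to confirm it actually pulls in the header that declares `memset` before the backport is relied on. The patch header is only `Backport of` followed by the upstream mail headers; DEP-3 fields such as `Origin: backport, upstream commit a486d800b60d0af4cc0836bf7ed8f21e12974129` and a `Bug-Debian:` line for #1035371 would make provenance machine-readable for future security tracking. EncodeAlphaInternal begins and ends outside the hunk, so the caller-side cleanup the memset protects cannot be confirmed from here.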