Version in base suite: 2.16-2 Base version: lcms2_2.16-2 Target version: lcms2_2.16-2+deb13u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/l/lcms2/lcms2_2.16-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/l/lcms2/lcms2_2.16-2+deb13u2.dsc changelog | 12 ++++++++++++ patches/CVE-2026-41254.patch | 38 ++++++++++++++++++++++++++++++++++++++ patches/CVE-2026-42798.patch | 25 +++++++++++++++++++++++++ patches/series | 2 ++ 4 files changed, 77 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpv0bhkinl/lcms2_2.16-2.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpv0bhkinl/lcms2_2.16-2+deb13u2.dsc: no acceptable signature found diff -Nru lcms2-2.16/debian/changelog lcms2-2.16/debian/changelog --- lcms2-2.16/debian/changelog 2024-10-13 11:49:12.000000000 +0000 +++ lcms2-2.16/debian/changelog 2026-05-07 22:01:34.000000000 +0000 @@ -1,3 +1,15 @@ +lcms2 (2.16-2+deb13u2) trixie-security; urgency=medium + + * CVE-2026-42798 (Closes: #1135320) + + -- Moritz Mühlenhoff Fri, 08 May 2026 00:01:34 +0200 + +lcms2 (2.16-2+deb13u1) trixie-security; urgency=medium + + * CVE-2026-41254 (Closes: #1134335) + + -- Moritz Mühlenhoff Thu, 30 Apr 2026 20:12:43 +0200 + lcms2 (2.16-2) unstable; urgency=medium [ Florian Ernst ] diff -Nru lcms2-2.16/debian/patches/CVE-2026-41254.patch lcms2-2.16/debian/patches/CVE-2026-41254.patch --- lcms2-2.16/debian/patches/CVE-2026-41254.patch 1970-01-01 00:00:00.000000000 +0000 +++ lcms2-2.16/debian/patches/CVE-2026-41254.patch 2026-04-30 18:12:37.000000000 +0000 @@ -0,0 +1,38 @@ +From da6110b1d14abc394633a388209abd5ebedd7ab0 Mon Sep 17 00:00:00 2001 +From: Marti Maria +Date: Thu, 19 Feb 2026 09:07:20 +0100 +Subject: [PATCH] Fix integer overflow in CubeSize() + +From e0641b1828d0a1af5ecb1b11fe22f24fceefd4bc Mon Sep 17 00:00:00 2001 +From: Marti Maria +Date: Thu, 12 Mar 2026 22:57:35 +0100 +Subject: [PATCH] check for overflow + + +--- lcms2-2.16.orig/src/cmslut.c ++++ lcms2-2.16/src/cmslut.c +@@ -460,19 +460,20 @@ void EvaluateCLUTfloatIn16(const cmsFloa + static + cmsUInt32Number CubeSize(const cmsUInt32Number Dims[], cmsUInt32Number b) + { +- cmsUInt32Number rv, dim; ++ cmsUInt32Number dim; ++ cmsUInt64Number rv; + + _cmsAssert(Dims != NULL); + + for (rv = 1; b > 0; b--) { + + dim = Dims[b-1]; +- if (dim <= 1) return 0; // Error +- +- rv *= dim; ++ if (dim <= 1) return 0; + + // Check for overflow + if (rv > UINT_MAX / dim) return 0; ++ ++ rv *= dim; + } + + // Again, prevent overflow diff -Nru lcms2-2.16/debian/patches/CVE-2026-42798.patch lcms2-2.16/debian/patches/CVE-2026-42798.patch --- lcms2-2.16/debian/patches/CVE-2026-42798.patch 1970-01-01 00:00:00.000000000 +0000 +++ lcms2-2.16/debian/patches/CVE-2026-42798.patch 2026-05-07 22:01:34.000000000 +0000 @@ -0,0 +1,25 @@ +From 6a686019825a89b715d16671f18d049523354176 Mon Sep 17 00:00:00 2001 +From: Marti Maria +Date: Thu, 19 Feb 2026 08:48:50 +0100 +Subject: [PATCH] Fix for ParseCube integer overflow in LUT allocation + +--- lcms2-2.16.orig/src/cmscgats.c ++++ lcms2-2.16/src/cmscgats.c +@@ -3128,7 +3128,16 @@ cmsBool ParseCube(cmsIT8* cube, cmsStage + + if (lut_size > 0) { + +- int nodes = lut_size * lut_size * lut_size; ++ int nodes; ++ ++ /** ++ * Professional LUT‑generation tools (e.g., Nobe LutBake) list 65×65×65 as their highest supported size. ++ */ ++ if (lut_size > 65) ++ return SynError(cube, "LUT size '%d' is over maximum of 65", lut_size); ++ ++ nodes = lut_size * lut_size * lut_size; ++ + + cmsFloat32Number* lut_table = _cmsMalloc(cube->ContextID, nodes * 3 * sizeof(cmsFloat32Number)); + if (lut_table == NULL) return FALSE; diff -Nru lcms2-2.16/debian/patches/series lcms2-2.16/debian/patches/series --- lcms2-2.16/debian/patches/series 2024-10-13 11:49:12.000000000 +0000 +++ lcms2-2.16/debian/patches/series 2026-05-07 22:01:34.000000000 +0000 @@ -3,3 +3,5 @@ unbreak-API-compatibility.patch build-plugins-as-static-libraries-only.patch keep-src-tree-clean.patch +CVE-2026-41254.patch +CVE-2026-42798.patch