Version in base suite: 2.42.12+dfsg-4
Base version: gdk-pixbuf_2.42.12+dfsg-4
Target version: gdk-pixbuf_2.42.12+dfsg-4+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/gdk-pixbuf/gdk-pixbuf_2.42.12+dfsg-4.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/g/gdk-pixbuf/gdk-pixbuf_2.42.12+dfsg-4+deb13u1.dsc
.gitignore | 20 ------
changelog | 8 ++
patches/jpeg-Reject-unsupported-number-of-components.patch | 43 +++++++++++++
patches/series | 1
4 files changed, 52 insertions(+), 20 deletions(-)
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmppank7xjm/gdk-pixbuf_2.42.12+dfsg-4.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmppank7xjm/gdk-pixbuf_2.42.12+dfsg-4+deb13u1.dsc: no acceptable signature found
diff -Nru gdk-pixbuf-2.42.12+dfsg/debian/.gitignore gdk-pixbuf-2.42.12+dfsg/debian/.gitignore
--- gdk-pixbuf-2.42.12+dfsg/debian/.gitignore 2025-07-12 15:56:46.000000000 +0000
+++ gdk-pixbuf-2.42.12+dfsg/debian/.gitignore 1970-01-01 00:00:00.000000000 +0000
@@ -1,20 +0,0 @@
-/*.debhelper.log
-/*.substvars
-/.debhelper/
-/build-mime/
-/debhelper-build-stamp
-/files
-/gdk-pixbuf-tests/
-/gir1.2-gdkpixbuf-2.0/
-/libgdk-pixbuf-2.0-0-udeb/
-/libgdk-pixbuf-2.0-0.postinst
-/libgdk-pixbuf-2.0-0.postrm
-/libgdk-pixbuf-2.0-0.triggers
-/libgdk-pixbuf-2.0-0/
-/libgdk-pixbuf-2.0-dev/
-/libgdk-pixbuf2.0-0-udeb/
-/libgdk-pixbuf2.0-bin/
-/libgdk-pixbuf2.0-common/
-/libgdk-pixbuf2.0-doc/
-/tmp-udeb/
-/tmp/
diff -Nru gdk-pixbuf-2.42.12+dfsg/debian/changelog gdk-pixbuf-2.42.12+dfsg/debian/changelog
--- gdk-pixbuf-2.42.12+dfsg/debian/changelog 2025-07-12 15:56:46.000000000 +0000
+++ gdk-pixbuf-2.42.12+dfsg/debian/changelog 2026-04-04 20:42:18.000000000 +0000
@@ -1,3 +1,11 @@
+gdk-pixbuf (2.42.12+dfsg-4+deb13u1) trixie-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * jpeg: Reject unsupported number of components (CVE-2026-5201)
+ (Closes: #1132501)
+
+ -- Salvatore Bonaccorso Sat, 04 Apr 2026 22:42:18 +0200
+
 gdk-pixbuf (2.42.12+dfsg-4) unstable; urgency=high
 
 * Team upload
diff -Nru gdk-pixbuf-2.42.12+dfsg/debian/patches/jpeg-Reject-unsupported-number-of-components.patch gdk-pixbuf-2.42.12+dfsg/debian/patches/jpeg-Reject-unsupported-number-of-components.patch
--- gdk-pixbuf-2.42.12+dfsg/debian/patches/jpeg-Reject-unsupported-number-of-components.patch 1970-01-01 00:00:00.000000000 +0000
+++ gdk-pixbuf-2.42.12+dfsg/debian/patches/jpeg-Reject-unsupported-number-of-components.patch 2026-04-04 20:41:08.000000000 +0000
@@ -0,0 +1,43 @@
+From: Matthias Clasen
+Date: Mon, 30 Mar 2026 12:21:56 -0400
+Subject: jpeg: Reject unsupported number of components
+Origin: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/6cce9311e70b969cbcc6e3e1e74ae1756ed02d5b
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-5201
+Bug-Debian: https://bugs.debian.org/1132501
+Bug: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/304
+
+This condition was already checked for incremental loading.
+This commit adds the same check in the nonincremental
+code path.
+
+Closes: #304
+---
+ gdk-pixbuf/io-jpeg.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
+index 103820c5af81..a225998b18be 100644
+--- a/gdk-pixbuf/io-jpeg.c
++++ b/gdk-pixbuf/io-jpeg.c
+@@ -630,6 +630,18 @@ gdk_pixbuf__real_jpeg_image_load (FILE *f, struct jpeg_decompress_struct *cinfo,
+ cinfo->do_fancy_upsampling = FALSE;
+ cinfo->do_block_smoothing = FALSE;
+
++ /* Reject unsupported component counts */
++ if (cinfo->output_components != 3 && cinfo->output_components != 4 &&
++ !(cinfo->output_components == 1 &&
++ cinfo->out_color_space == JCS_GRAYSCALE)) {
++ g_set_error (error,
++ GDK_PIXBUF_ERROR,
++ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
++ _("Unsupported number of color components (%d)"),
++ cinfo->output_components);
++ goto out;
++ }
++
+ pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB,
+ cinfo->out_color_components == 4 ? TRUE : FALSE,
+ 8,
+--
+2.53.0
+
diff -Nru gdk-pixbuf-2.42.12+dfsg/debian/patches/series gdk-pixbuf-2.42.12+dfsg/debian/patches/series
--- gdk-pixbuf-2.42.12+dfsg/debian/patches/series 2025-07-12 15:56:46.000000000 +0000
+++ gdk-pixbuf-2.42.12+dfsg/debian/patches/series 2026-04-04 20:41:15.000000000 +0000
@@ -4,3 +4,4 @@
 tests-Tolerate-either-CORRUPT_IMAGE-or-INSUFFICIENT_MEMOR.patch
 lzw-Fix-reporting-of-bytes-written-in-decoder.patch
 jpeg-Be-more-careful-with-chunked-icc-data.patch
+jpeg-Reject-unsupported-number-of-components.patch
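Review bot: The component-count guard added to `gdk_pixbuf__real_jpeg_image_load` ahead of the `gdk_pixbuf_new` call is a second hand-written copy of a check that, per the commit message, already exists in the incremental loader, and this fix was needed only because one path had the check and the other did not. Putting the condition in one new `static` helper that both loaders call, as sketched below, would keep the accepted counts from diverging again; the incremental path is not in this hunk, so its condition should be compared with this one before the two are merged. The new comment could also record why the count matters, for example `/* Only 1 (grayscale), 3 or 4 output components are supported; reject anything else before allocating the pixbuf */`. The function starts and ends outside the hunk, so whether `output_components` is already populated here (it is set by `jpeg_start_decompress()`) and what the `out` label releases cannot be confirmed from this page.

```c
/* Proposed new helper: single definition of the component counts the
 * loaders accept, shared by the incremental and non-incremental paths. */
static gboolean
jpeg_output_components_supported (const struct jpeg_decompress_struct *cinfo)
{
	if (cinfo->output_components == 3 || cinfo->output_components == 4)
		return TRUE;

	return cinfo->output_components == 1 &&
	       cinfo->out_color_space == JCS_GRAYSCALE;
}

/* … unchanged: gdk_pixbuf__real_jpeg_image_load up to do_block_smoothing … */
	if (!jpeg_output_components_supported (cinfo)) {
		/* … unchanged: g_set_error (…) and goto out … */
```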