Version in base suite: 5.2.2-1
Base version: giflib_5.2.2-1
Target version: giflib_5.2.2-1+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/giflib/giflib_5.2.2-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/g/giflib/giflib_5.2.2-1+deb13u1.dsc
changelog | 7 ++++++
patches/CVE-2026-23868.patch | 21 ++++++++++++++++++
patches/CVE-2026-26740.patch | 48 +++++++++++++++++++++++++++++++++++++++++++
patches/series | 2 +
4 files changed, 78 insertions(+)
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpo7j1kk0c/giflib_5.2.2-1.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpo7j1kk0c/giflib_5.2.2-1+deb13u1.dsc: no acceptable signature found
diff -Nru giflib-5.2.2/debian/changelog giflib-5.2.2/debian/changelog
--- giflib-5.2.2/debian/changelog 2024-02-25 17:44:51.000000000 +0000
+++ giflib-5.2.2/debian/changelog 2026-06-13 15:19:16.000000000 +0000
@@ -1,3 +1,10 @@
+giflib (5.2.2-1+deb13u1) trixie; urgency=medium
+
+ * CVE-2026-23868 (Closes: #1130495)
+ * CVE-2026-26740 (Closes: #1131368)
+
+ -- Moritz Mühlenhoff Sat, 13 Jun 2026 17:19:16 +0200
+
 giflib (5.2.2-1) unstable; urgency=medium
 
 [ Debian Janitor]
diff -Nru giflib-5.2.2/debian/patches/CVE-2026-23868.patch giflib-5.2.2/debian/patches/CVE-2026-23868.patch
--- giflib-5.2.2/debian/patches/CVE-2026-23868.patch 1970-01-01 00:00:00.000000000 +0000
+++ giflib-5.2.2/debian/patches/CVE-2026-23868.patch 2026-06-13 15:17:46.000000000 +0000
@@ -0,0 +1,21 @@
+commit f5b7267aed3665ef025c13823e454170d031c106
+Author: Eric S. Raymond
+Date: Wed Mar 4 18:49:49 2026 -0500
+
+--- giflib-5.2.2.orig/gifalloc.c
++++ giflib-5.2.2/gifalloc.c
+@@ -349,6 +349,14 @@ SavedImage *GifMakeSavedImage(GifFileTyp
+ * aliasing problems.
+ */
+ 
++ /* Null out aliased pointers before any allocations
++ * so that FreeLastSavedImage won't free CopyFrom's
++ * data if an allocation fails partway through. */
++ sp->ImageDesc.ColorMap = NULL;
++ sp->RasterBits = NULL;
++ sp->ExtensionBlocks = NULL;
++ sp->ExtensionBlockCount = 0;
++
+ /* first, the local color map */
+ if (CopyFrom->ImageDesc.ColorMap != NULL) {
+ sp->ImageDesc.ColorMap = GifMakeMapObject(
diff -Nru giflib-5.2.2/debian/patches/CVE-2026-26740.patch giflib-5.2.2/debian/patches/CVE-2026-26740.patch
--- giflib-5.2.2/debian/patches/CVE-2026-26740.patch 1970-01-01 00:00:00.000000000 +0000
+++ giflib-5.2.2/debian/patches/CVE-2026-26740.patch 2026-06-13 15:19:11.000000000 +0000
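Review bot: `sp->ExtensionBlockCount = 0;` in the block added to GifMakeSavedImage (gifalloc.c) is never set back within this hunk, so a successful copy could end up with a populated `ExtensionBlocks` array and a count of zero. The patch file contains only this one hunk and the function continues past it, so whether the unchanged extension-block copy further down assigns the count is not visible here; if that code relied on the value carried over from CopyFrom, it needs `sp->ExtensionBlockCount = CopyFrom->ExtensionBlockCount;` once its allocation and copy have succeeded. A count left at zero would likely make later code skip the copied blocks, both when writing them out and when freeing them. The patch header also carries no subject or description line; a one-line summary of what the nulling prevents would help anyone auditing the series.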
@@ -0,0 +1,48 @@
+From a3a600aa97c24734dde0b0951542488095f38ad4 Mon Sep 17 00:00:00 2001
+From: rootvector2
+Date: Sat, 16 May 2026 00:41:28 +0530
+Subject: [PATCH] Fix heap buffer overflow in EGifGCBToSavedExtension
+
+EGifGCBToExtension() unconditionally writes 4 bytes into the buffer
+passed to it, but EGifGCBToSavedExtension() invoked it on ep->Bytes
+without checking ep->ByteCount. DGifSlurp() preserves whatever
+sub-block size the source GIF declared when it stores extension
+blocks, so a malformed GIF whose Graphics Control Extension declares
+a sub-block size less than 4 leaves a saved extension shorter than
+the 4 bytes EGifGCBToExtension() then writes. Tools that round-trip
+a GIF through DGifSlurp() and EGifGCBToSavedExtension() (for example
+giftool -d, -t, -u and -x) corrupt the heap on such input.
+
+Resize the existing extension to exactly 4 bytes before writing,
+matching the invariant DGifExtensionToGCB() enforces on the read side.
+
+Reproduced under AddressSanitizer with a 40-byte crafted GIF whose
+Graphics Control Extension declares a 1-byte sub-block; giftool -d
+then triggers a 1-byte heap write past the end of the ep->Bytes
+allocation made in GifAddExtensionBlock().
+---
+ egif_lib.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- giflib-5.2.2.orig/egif_lib.c
++++ giflib-5.2.2/egif_lib.c
+@@ -678,6 +678,19 @@ int EGifGCBToSavedExtension(const Graphi
+ ExtensionBlock *ep =
+ &GifFile->SavedImages[ImageIndex].ExtensionBlocks[i];
+ if (ep->Function == GRAPHICS_EXT_FUNC_CODE) {
++ /* A Graphics Control Block is always 4 bytes. If
++ * the existing block came from a malformed GIF and
++ * is shorter, resize it so EGifGCBToExtension does
++ * not write past the end of ep->Bytes. */
++ if (ep->ByteCount != 4) {
++ GifByteType *new_bytes =
++ (GifByteType *)realloc(ep->Bytes, 4);
++ if (new_bytes == NULL) {
++ return GIF_ERROR;
++ }
++ ep->Bytes = new_bytes;
++ ep->ByteCount = 4;
++ }
+ EGifGCBToExtension(GCB, ep->Bytes);
+ return GIF_OK;
+ }
diff -Nru giflib-5.2.2/debian/patches/series giflib-5.2.2/debian/patches/series
--- giflib-5.2.2/debian/patches/series 2024-02-25 17:29:30.000000000 +0000
+++ giflib-5.2.2/debian/patches/series 2026-06-13 15:18:11.000000000 +0000
@@ -5,3 +5,5 @@
 dont-spoil-tests-with-stderr.patch
 giflib_quantize-header.patch
 Clean-up-memory-better-at-end-of-run-CVE-2021-40633.patch
+CVE-2026-23868.patch
+CVE-2026-26740.patch
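Review bot: The Graphics Control Block length appears as a bare `4` three times in the block added to EGifGCBToSavedExtension (egif_lib.c) — the `ByteCount` test, the `realloc` size and the new `ByteCount` — and nothing ties it to the number of bytes EGifGCBToExtension writes. One named constant, for example `enum { GCB_EXT_LEN = 4 };`, used in all three places would keep the resize and the write in step. When a shorter block is grown, the extra bytes stay uninitialized until the call on the following line fills them, which holds only because that call writes all four; the comment could say so. The commit message describes an AddressSanitizer reproducer, but the patch carries no regression test for the short sub-block case. The function starts before this hunk and its loop continues after it.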