Version in base suite: 11.1.0-5
Base version: pillow_11.1.0-5
Target version: pillow_11.1.0-5+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/pillow/pillow_11.1.0-5.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/p/pillow/pillow_11.1.0-5+deb13u1.dsc
 changelog | 6 +++
 patches/CVE-2026-25990.patch | 68 +++++++++++++++++++++++++++++++++++++++++++
 patches/series | 1
 3 files changed, 75 insertions(+)
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpnuxzjzk8/pillow_11.1.0-5.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpnuxzjzk8/pillow_11.1.0-5+deb13u1.dsc: no acceptable signature found
diff -Nru pillow-11.1.0/debian/changelog pillow-11.1.0/debian/changelog
--- pillow-11.1.0/debian/changelog	2025-02-06 13:26:25.000000000 +0000
+++ pillow-11.1.0/debian/changelog	2026-02-18 19:20:45.000000000 +0000
@@ -1,3 +1,9 @@
+pillow (11.1.0-5+deb13u1) trixie-security; urgency=medium
+
+  * CVE-2026-25990 (Closes: #1127925)
+
+ -- Moritz Mühlenhoff Wed, 18 Feb 2026 20:20:45 +0100
+
 pillow (11.1.0-5) unstable; urgency=medium
 
   * Don't remove the pyproject.toml file.
diff -Nru pillow-11.1.0/debian/patches/CVE-2026-25990.patch pillow-11.1.0/debian/patches/CVE-2026-25990.patch
--- pillow-11.1.0/debian/patches/CVE-2026-25990.patch	1970-01-01 00:00:00.000000000 +0000
+++ pillow-11.1.0/debian/patches/CVE-2026-25990.patch	2026-02-18 19:20:45.000000000 +0000
@@ -0,0 +1,68 @@
+From 9000313cc5d4a31bdcdd6d7f0781101abab553aa Mon Sep 17 00:00:00 2001
+From: Andrew Murray <3112309+radarhere@users.noreply.github.com>
+Date: Wed, 11 Feb 2026 10:24:50 +1100
+Subject: [PATCH] Fix OOB Write with invalid tile extents (#9427)
+
+--- pillow-11.1.0.orig/Tests/test_file_psd.py
++++ pillow-11.1.0/Tests/test_file_psd.py
+@@ -177,3 +177,20 @@ def test_layer_crashes(test_file: str) -
+         with Image.open(f) as im:
+             with pytest.raises(SyntaxError):
+                 im.layers
++
++
++@pytest.mark.parametrize(
++    "test_file",
++    [
++        "Tests/images/psd-oob-write.psd",
++        "Tests/images/psd-oob-write-x.psd",
++        "Tests/images/psd-oob-write-y.psd",
++    ],
++)
++def test_bounds_crash(test_file: str) -> None:
++    with Image.open(test_file) as im:
++        assert isinstance(im, PsdImagePlugin.PsdImageFile)
++        im.seek(im.n_frames)
++
++        with pytest.raises(ValueError):
++            im.load()
+--- pillow-11.1.0.orig/Tests/test_imagefile.py
++++ pillow-11.1.0/Tests/test_imagefile.py
+@@ -149,6 +149,13 @@ class TestImageFile:
+         with pytest.raises(OSError):
+             p.close()
+
++    @pytest.mark.parametrize("xy", ((-1, 0), (0, -1)))
++    def test_negative_tile_extents(self, xy: tuple[int, int]) -> None:
++        im = Image.new("1", (1, 1))
++        fp = BytesIO()
++        with pytest.raises(SystemError, match="tile cannot extend outside image"):
++            ImageFile._save(im, fp, [ImageFile._Tile("raw", xy + (1, 1), 0, "1")])
++
+     def test_no_format(self) -> None:
+         buf = BytesIO(b"\x00" * 255)
+
+--- pillow-11.1.0.orig/src/decode.c
++++ pillow-11.1.0/src/decode.c
+@@ -186,7 +186,8 @@ _setimage(ImagingDecoderObject *decoder,
+         state->ysize = y1 - y0;
+     }
+
+-    if (state->xsize <= 0 || state->xsize + state->xoff > (int)im->xsize ||
++    if (state->xoff < 0 || state->xsize <= 0 ||
++        state->xsize + state->xoff > (int)im->xsize || state->yoff < 0 ||
+         state->ysize <= 0 || state->ysize + state->yoff > (int)im->ysize) {
+         PyErr_SetString(PyExc_ValueError, "tile cannot extend outside image");
+         return NULL;
+--- pillow-11.1.0.orig/src/encode.c
++++ pillow-11.1.0/src/encode.c
+@@ -253,7 +253,8 @@ _setimage(ImagingEncoderObject *encoder,
+         state->ysize = y1 - y0;
+     }
+
+-    if (state->xsize <= 0 || state->xsize + state->xoff > im->xsize ||
++    if (state->xoff < 0 || state->xsize <= 0 ||
++        state->xsize + state->xoff > im->xsize || state->yoff < 0 ||
+         state->ysize <= 0 || state->ysize + state->yoff > im->ysize) {
+         PyErr_SetString(PyExc_SystemError, "tile cannot extend outside image");
+         return NULL;
diff -Nru pillow-11.1.0/debian/patches/series pillow-11.1.0/debian/patches/series
--- pillow-11.1.0/debian/patches/series	2025-01-23 03:41:09.000000000 +0000
+++ pillow-11.1.0/debian/patches/series	2026-02-18 19:20:45.000000000 +0000
@@ -5,3 +5,4 @@
 no-sphinx-dater.diff
 no-sphinx-fail-on-warning.diff
 intersphinx-local.diff
+CVE-2026-25990.patch
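Review bot: The new origin guards in the decode.c and encode.c hunks (`state->xoff < 0`, `state->yoff < 0`) run only after the tile size has already been derived from the raw coordinates — `state->ysize = y1 - y0;` is visible as context, and presumably the matching x subtraction sits just above the hunk — so if those coordinates are plain ints, a negative origin paired with a large end coordinate still performs a signed subtraction that can overflow before the guard rejects the tile. The guard does catch the case afterwards because the offsets keep their original values, but the subtraction itself is undefined behaviour, and the cheapest fix is to reject negative origins before the sizes are computed, e.g. `if (x0 < 0 || y0 < 0) { PyErr_SetString(PyExc_ValueError, "tile cannot extend outside image"); return NULL; }` ahead of the subtractions (with `PyExc_SystemError` in encode.c to match its existing message). Both hunks also keep duplicating the same nine-term condition with different exception types and a cast only on the decode.c side, so a small shared static helper taking the image dimensions and the exception type would keep the two checks from drifting apart again. The enclosing `_setimage` functions start before and end after each hunk.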