Version in base suite: 11.1.0-5+deb13u1 Base version: pillow_11.1.0-5+deb13u1 Target version: pillow_11.1.0-5+deb13u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/pillow/pillow_11.1.0-5+deb13u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/pillow/pillow_11.1.0-5+deb13u2.dsc changelog | 6 ++++++ patches/CVE-2026-40192.patch | 37 +++++++++++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 44 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpsg9yhd_n/pillow_11.1.0-5+deb13u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpsg9yhd_n/pillow_11.1.0-5+deb13u2.dsc: no acceptable signature found
diff -Nru pillow-11.1.0/debian/changelog pillow-11.1.0/debian/changelog
--- pillow-11.1.0/debian/changelog 2026-02-18 19:20:45.000000000 +0000
+++ pillow-11.1.0/debian/changelog 2026-04-16 22:02:02.000000000 +0000
@@ -1,3 +1,9 @@
+pillow (11.1.0-5+deb13u2) trixie-security; urgency=medium
+
+ * CVE-2026-40192
+
+ -- Moritz Mühlenhoff Fri, 17 Apr 2026 00:02:02 +0200
+
 pillow (11.1.0-5+deb13u1) trixie-security; urgency=medium
 
 * CVE-2026-25990 (Closes: #1127925)
diff -Nru pillow-11.1.0/debian/patches/CVE-2026-40192.patch pillow-11.1.0/debian/patches/CVE-2026-40192.patch
--- pillow-11.1.0/debian/patches/CVE-2026-40192.patch 1970-01-01 00:00:00.000000000 +0000
+++ pillow-11.1.0/debian/patches/CVE-2026-40192.patch 2026-04-16 22:02:02.000000000 +0000
@@ -0,0 +1,37 @@
+From 3cb854e8b2bab43f40e342e665f9340d861aa628 Mon Sep 17 00:00:00 2001
+From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
+Date: Wed, 1 Apr 2026 00:02:08 +0300
+Subject: [PATCH] Only read as much data from gzip-decompressed data as
+ necessary (#9521)
+
+--- pillow-11.1.0.orig/src/PIL/FitsImagePlugin.py
++++ pillow-11.1.0/src/PIL/FitsImagePlugin.py
+@@ -128,17 +128,18 @@ class FitsGzipDecoder(ImageFile.PyDecode
+ 
+ def decode(self, buffer: bytes | Image.SupportsArrayInterface) -> tuple[int, int]:
+ assert self.fd is not None
+- value = gzip.decompress(self.fd.read())
++ with gzip.open(self.fd) as fp:
++ value = fp.read(self.state.xsize * self.state.ysize * 4)
+ 
+- rows = []
+- offset = 0
+- number_of_bits = min(self.args[0] // 8, 4)
+- for y in range(self.state.ysize):
+- row = bytearray()
+- for x in range(self.state.xsize):
+- row += value[offset + (4 - number_of_bits) : offset + 4]
+- offset += 4
+- rows.append(row)
++ rows = []
++ offset = 0
++ number_of_bits = min(self.args[0] // 8, 4)
++ for y in range(self.state.ysize):
++ row = bytearray()
++ for x in range(self.state.xsize):
++ row += value[offset + (4 - number_of_bits) : offset + 4]
++ offset += 4
++ rows.append(row)
+ self.set_as_raw(bytes([pixel for row in rows[::-1] for pixel in row]))
+ return -1, 0
+ 
diff -Nru pillow-11.1.0/debian/patches/series pillow-11.1.0/debian/patches/series
--- pillow-11.1.0/debian/patches/series 2026-02-18 19:20:45.000000000 +0000
+++ pillow-11.1.0/debian/patches/series 2026-04-16 22:02:02.000000000 +0000
@@ -6,3 +6,4 @@
 no-sphinx-fail-on-warning.diff
 intersphinx-local.diff
 CVE-2026-25990.patch
+CVE-2026-40192.patch
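Review bot: The new read cap `self.state.xsize * self.state.ysize * 4` is derived from header-declared dimensions, so it only bounds decompression if those dimensions were already vetted before decode() runs (presumably by Pillow's decompression-bomb check at open time, which is outside this hunk); a one-line comment on the `fp.read(...)` line stating that dependency would keep a later refactor from silently removing it, e.g. `# bound the inflate by the header-declared size; Image.open's size check is what keeps this finite`. A truncated or short gzip stream makes `fp.read()` return fewer bytes than requested, after which the slicing loop quietly produces short rows, so rejection of undersized data relies on `set_as_raw` raising on a short buffer rather than on anything in this hunk — confirm that is the intended path, or add an explicit `len(value)` check beside the read. Stylistically, `value` is fully materialized on the first line of the `with` block, so the nine-line row loop did not need to move inside it; leaving it at its original indentation reduces the patch to two changed lines and closes the gzip stream before the Python-level pixel assembly. The enclosing class FitsGzipDecoder begins outside the hunk.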