On 5/5/26 5:28 AM, Simon McVittie wrote:
> Control: tags -1 + moreinfo
>
> On Sun, 03 May 2026 at 12:09:56 +0100, Adam D. Barratt wrote:
> > On Tue, 2026-04-21 at 00:40 -0300, Aquila Macedo wrote:
> > > This upload updates libsdl2-image in trixie with upstream fixes for
> > > CVE-2026-35444 and closely related parser hardening fixes in the same
> > > area of code.
>
> Please note that this trixie-pu was not coordinated with the package's
> maintainer(s), and I haven't had a response after querying the
> contents of this proposed update in the CVE tracking bug
> <https://bugs.debian.org/1134510>. I think it should include at least
> the follow-up commit
> https://github.com/libsdl-org/SDL_image/commit/1aedddcbd205c4e1ea0f99fdb2c785acc8e2489b,
> which arranges for SDL's error/exception mechanism to be used
> correctly when parsing an invalid XCF file.
>
> In the CVE tracking bug, I also mentioned that there were other
> robustness fixes pending review at the time. Those have now been
> released (in 2.8.12 and 3.4.4 upstream) so now would be a good time
> for anyone interested in backporting invalid-image parsing fixes to
> take another look at libsdl2-image (and libsdl3-image). I'm not sure
> why CVE-2026-35444, specifically, got a CVE ID but out-of-bounds
> accesses in the LBM and XPM parsers didn't.
>
> Aquila, if you have some time available and an interest in this
> package (or this CVE), please could you reassess the various fixes in
> 2.8.10/2.8.12 and 3.4.2/3.4.4 and propose a new update? Or if you no
> longer have time available for this package, I'll try to get to it at
> some point, but probably not in time for Debian 13.5.
>
> Thanks,
> smcv

Hi Simon,

Thanks for the detailed feedback, and sorry for not getting back to this
earlier.

To clarify the context, I'm not working on this on behalf of any company
or group, and there is no incentive based on the number of CVEs removed.
I was looking through the Security Tracker and decided to help with some
security-related fixes.

When I first looked at CVE-2026-35444 around Apr 8, the Security Tracker
entry was still listed as unfixed for libsdl2-image, libsdl3-image and
sdl-image1.2.

The no-dsa/minor classification for trixie/bookworm was added later, on
Apr 14:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4fc2dc066e5cdf4c2cb87ccbb6acba724423dac0

For context, I already had a minimal patch prepared by Apr 10, before
that classification was added, and I sent it to the Security Team for
review. I also let you know about it around that time.

Your points make sense. I'll review the update again, including the
follow-up SDL_SetError commit you mentioned, the XPM null pointer fix,
and the other robustness fixes released in 2.8.12 and 3.4.4. I'll also
take a look at the related libsdl3-image side before proposing a new update.

Thanks again for the guidance.

Aquila Macedo