Debian Package Tracker

sail

general
  • source: sail (main)
  • version: 0.9.10-1
  • maintainer: Sudip Mukherjee (DMD)
  • arch: any
  • std-ver: 4.7.2
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • stable: 0.9.8-1+deb13u1
  • testing: 0.9.10-1
  • unstable: 0.9.10-1
versioned links
  • 0.9.8-1+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.9.10-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • libsail-c++-dev (1 bugs: 1, 0, 0, 0)
  • libsail-c++0t64
  • libsail-common-dev (1 bugs: 1, 0, 0, 0)
  • libsail-common0t64
  • libsail-dev (2 bugs: 1, 1, 0, 0)
  • libsail-manip-dev (1 bugs: 1, 0, 0, 0)
  • libsail-manip0t64
  • libsail0t64
  • sail-codecs
action needed
Marked for autoremoval on 13 May: #1133734 high
Version 0.9.10-1 of sail is marked for autoremoval from testing on Wed 13 May 2026. It is affected by #1133734. You should try to prevent the removal by fixing these RC bugs.
Created: 2026-04-21 Last update: 2026-04-24 18:00
Multiarch hinter reports 4 issue(s) high
There are issues with the multiarch metadata for this package.
  • libsail-c++-dev conflicts on 2 files starting with /usr/lib/cmake/sailc++/SailC++ on any two of amd64, arm64, armhf, i386 and 4 more
  • libsail-common-dev conflicts on 3 files starting with /usr/ on any two of amd64, arm64, armhf, i386 and 4 more
  • libsail-dev conflicts on 2 files starting with /usr/lib/cmake/sail/Sail on any two of amd64, arm64, armhf, i386 and 4 more
  • libsail-manip-dev conflicts on 2 files starting with /usr/lib/cmake/sailmanip/SailManip on any two of amd64, arm64, armhf, i386 and 4 more
Created: 2023-12-31 Last update: 2026-04-24 16:46
4 security issues in sid high

There are 4 open security issues in sid.

4 important issues:
  • CVE-2026-27168: SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. All versions are vulnerable to Heap-based Buffer Overflow through the XWD parser's use of the bytes_per_line value. The value is read directly from the file as the read size in io->strict_read(), and is never compared to the actual size of the destination buffer. An attacker can provide an XWD file with an arbitrarily large bytes_per_line, causing a massive write operation beyond the heap buffer allocated for the image pixels. The issue did not have a fix at the time of publication.
  • CVE-2026-40492: SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02, the XWD codec resolves pixel format based on `pixmap_depth` but the byte-swap code uses `bits_per_pixel` independently. When `pixmap_depth=8` (BPP8_INDEXED, 1 byte/pixel buffer) but `bits_per_pixel=32`, the byte-swap loop accesses memory as `uint32_t*`, reading/writing 4x the allocated buffer size. This is a different vulnerability from the previously reported GHSA-3g38-x2pj-mv55 (CVE-2026-27168), which addressed `bytes_per_line` validation. Commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 contains a patch.
  • CVE-2026-40493: SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit c930284445ea3ff94451ccd7a57c999eca3bc979, the PSD codec computes bytes-per-pixel (`bpp`) from raw header fields `channels * depth`, but the pixel buffer is allocated based on the resolved pixel format. For LAB mode with `channels=3, depth=16`, `bpp = (3*16+7)/8 = 6`, but the format `BPP40_CIE_LAB` allocates only 5 bytes per pixel. Every pixel write overshoots, causing a deterministic heap buffer overflow on every row. Commit c930284445ea3ff94451ccd7a57c999eca3bc979 contains a patch.
  • CVE-2026-40494: SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, the TGA codec's RLE decoder in `tga.c` has an asymmetric bounds check vulnerability. The run-packet path (line 297) correctly clamps the repeat count to the remaining buffer space, but the raw-packet path (lines 305-311) has no equivalent bounds check. This allows writing up to 496 bytes of attacker-controlled data past the end of a heap buffer. Commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302 patches the issue.
Created: 2026-02-21 Last update: 2026-04-19 14:02
4 security issues in forky high

There are 4 open security issues in forky.

4 important issues:
  • CVE-2026-27168: SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. All versions are vulnerable to Heap-based Buffer Overflow through the XWD parser's use of the bytes_per_line value. The value is read directly from the file as the read size in io->strict_read(), and is never compared to the actual size of the destination buffer. An attacker can provide an XWD file with an arbitrarily large bytes_per_line, causing a massive write operation beyond the heap buffer allocated for the image pixels. The issue did not have a fix at the time of publication.
  • CVE-2026-40492: SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02, the XWD codec resolves pixel format based on `pixmap_depth` but the byte-swap code uses `bits_per_pixel` independently. When `pixmap_depth=8` (BPP8_INDEXED, 1 byte/pixel buffer) but `bits_per_pixel=32`, the byte-swap loop accesses memory as `uint32_t*`, reading/writing 4x the allocated buffer size. This is a different vulnerability from the previously reported GHSA-3g38-x2pj-mv55 (CVE-2026-27168), which addressed `bytes_per_line` validation. Commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 contains a patch.
  • CVE-2026-40493: SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit c930284445ea3ff94451ccd7a57c999eca3bc979, the PSD codec computes bytes-per-pixel (`bpp`) from raw header fields `channels * depth`, but the pixel buffer is allocated based on the resolved pixel format. For LAB mode with `channels=3, depth=16`, `bpp = (3*16+7)/8 = 6`, but the format `BPP40_CIE_LAB` allocates only 5 bytes per pixel. Every pixel write overshoots, causing a deterministic heap buffer overflow on every row. Commit c930284445ea3ff94451ccd7a57c999eca3bc979 contains a patch.
  • CVE-2026-40494: SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, the TGA codec's RLE decoder in `tga.c` has an asymmetric bounds check vulnerability. The run-packet path (line 297) correctly clamps the repeat count to the remaining buffer space, but the raw-packet path (lines 305-311) has no equivalent bounds check. This allows writing up to 496 bytes of attacker-controlled data past the end of a heap buffer. Commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302 patches the issue.
Created: 2026-02-21 Last update: 2026-04-19 14:02
4 low-priority security issues in trixie low

There are 4 open security issues in trixie.

4 issues left for the package maintainer to handle:
  • CVE-2026-27168: (needs triaging) SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. All versions are vulnerable to Heap-based Buffer Overflow through the XWD parser's use of the bytes_per_line value. The value is read directly from the file as the read size in io->strict_read(), and is never compared to the actual size of the destination buffer. An attacker can provide an XWD file with an arbitrarily large bytes_per_line, causing a massive write operation beyond the heap buffer allocated for the image pixels. The issue did not have a fix at the time of publication.
  • CVE-2026-40492: (needs triaging) SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02, the XWD codec resolves pixel format based on `pixmap_depth` but the byte-swap code uses `bits_per_pixel` independently. When `pixmap_depth=8` (BPP8_INDEXED, 1 byte/pixel buffer) but `bits_per_pixel=32`, the byte-swap loop accesses memory as `uint32_t*`, reading/writing 4x the allocated buffer size. This is a different vulnerability from the previously reported GHSA-3g38-x2pj-mv55 (CVE-2026-27168), which addressed `bytes_per_line` validation. Commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 contains a patch.
  • CVE-2026-40493: (needs triaging) SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit c930284445ea3ff94451ccd7a57c999eca3bc979, the PSD codec computes bytes-per-pixel (`bpp`) from raw header fields `channels * depth`, but the pixel buffer is allocated based on the resolved pixel format. For LAB mode with `channels=3, depth=16`, `bpp = (3*16+7)/8 = 6`, but the format `BPP40_CIE_LAB` allocates only 5 bytes per pixel. Every pixel write overshoots, causing a deterministic heap buffer overflow on every row. Commit c930284445ea3ff94451ccd7a57c999eca3bc979 contains a patch.
  • CVE-2026-40494: (needs triaging) SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, the TGA codec's RLE decoder in `tga.c` has an asymmetric bounds check vulnerability. The run-packet path (line 297) correctly clamps the repeat count to the remaining buffer space, but the raw-packet path (lines 305-311) has no equivalent bounds check. This allows writing up to 496 bytes of attacker-controlled data past the end of a heap buffer. Commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302 patches the issue.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-02-21 Last update: 2026-04-19 14:02
Standards version of the package is outdated. wishlist
The package should be updated to follow the latest version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.2).
Created: 2025-12-23 Last update: 2026-03-31 15:01
news
[rss feed]
  • [2026-01-04] sail 0.9.10-1 MIGRATED to testing (Debian testing watch)
  • [2025-12-29] Accepted sail 0.9.10-1 (source) into unstable (Sudip Mukherjee)
  • [2025-11-02] Accepted sail 0.9.8-1+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Sudip Mukherjee)
  • [2025-09-07] sail 0.9.9-1 MIGRATED to testing (Debian testing watch)
  • [2025-09-02] Accepted sail 0.9.9-1 (source) into unstable (Sudip Mukherjee)
  • [2025-04-12] sail 0.9.8-1 MIGRATED to testing (Debian testing watch)
  • [2025-04-06] Accepted sail 0.9.8-1 (source) into unstable (Sudip Mukherjee)
  • [2024-12-30] sail 0.9.7-1 MIGRATED to testing (Debian testing watch)
  • [2024-12-24] Accepted sail 0.9.7-1 (source) into unstable (Sudip Mukherjee)
  • [2024-10-20] sail 0.9.6-1 MIGRATED to testing (Debian testing watch)
  • [2024-10-14] Accepted sail 0.9.6-1 (source) into unstable (Sudip Mukherjee)
  • [2024-05-30] sail 0.9.5-1 MIGRATED to testing (Debian testing watch)
  • [2024-05-24] Accepted sail 0.9.5-1 (source) into unstable (Sudip Mukherjee)
  • [2024-04-25] sail 0.9.0+repack-2.1 MIGRATED to testing (Debian testing watch)
  • [2024-03-17] sail REMOVED from testing (Debian testing watch)
  • [2024-02-29] Accepted sail 0.9.0+repack-2.1 (source) into unstable (Benjamin Drung)
  • [2024-02-03] Accepted sail 0.9.0+repack-2.1~exp1 (source) into experimental (Sergio Durigan Junior)
  • [2024-01-07] sail 0.9.0+repack-2 MIGRATED to testing (Debian testing watch)
  • [2023-12-31] Accepted sail 0.9.0+repack-2 (source) into unstable (Sudip Mukherjee)
  • [2023-12-30] Accepted sail 0.9.0+repack-1 (source amd64) into unstable (Debian FTP Masters) (signed by: Sudip Mukherjee)
bugs [bug history graph]
  • all: 7
  • RC: 5
  • I&N: 2
  • M&W: 0
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 0.9.10-1