Your message dated Mon, 23 Jun 2025 20:47:09 +0000
with message-id <e1uto4l-006fiq...@fasolo.debian.org>
and subject line Bug#1107994: fixed in gdk-pixbuf 2.42.10+dfsg-1+deb12u2
has caused the Debian Bug report #1107994,
regarding gdk-pixbuf: CVE-2025-6199
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1107994: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107994
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gdk-pixbuf
Version: 2.42.12+dfsg-2
Severity: grave
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/257
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for gdk-pixbuf.

(Choosing RC level, since jmm is planning a DSA, so we should have
that fixed as well in trixie)

CVE-2025-6199[0]:
| A flaw was found in the GIF parser of GdkPixbuf’s LZW decoder. When
| an invalid symbol is encountered during decompression, the decoder
| sets the reported output size to the full buffer length rather than
| the actual number of written bytes. This logic error results in
| uninitialized sections of the buffer being included in the output,
| potentially leaking arbitrary memory contents in the processed
| image.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-6199
    https://www.cve.org/CVERecord?id=CVE-2025-6199
[1] https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/257
[2] https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/c4986342b241cdc075259565f3fa7a7597d32a32

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
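
The size-reporting error described in the CVE text above, modelled as an added example; it is not part of the original messages and is not gdk-pixbuf's code. The toy one-code-per-byte decoder, its names (`toy_decode`, `stale_bytes_exposed`, `N_LITERALS`, `CODE_EOI`) and the sample stream are constructed for illustration; a buffer pre-filled with 0xAA stands in for uninitialized memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N_LITERALS 4   /* constructed: codes 0..3 are literal palette indices */
#define CODE_EOI   5   /* constructed end-of-information code */

/* Toy decoder: one code per input byte, literals only (no dictionary).
 * report_full_on_error=1 models the flaw: on an invalid code the whole
 * output buffer is reported as decoded. 0 models the corrected behaviour. */
static size_t toy_decode(const uint8_t *in, size_t in_len,
                         uint8_t *out, size_t out_len,
                         int report_full_on_error)
{
    size_t n_written = 0;
    for (size_t i = 0; i < in_len; i++) {
        uint8_t code = in[i];
        if (code == CODE_EOI)
            return n_written;
        if (code >= N_LITERALS)        /* invalid symbol: stop decoding */
            return report_full_on_error ? out_len : n_written;
        if (n_written == out_len)      /* output buffer is full */
            return n_written;
        out[n_written++] = code;
    }
    return n_written;
}

/* Count bytes the caller would treat as pixels although the decoder
 * never wrote them. */
static size_t stale_bytes_exposed(int report_full_on_error)
{
    static const uint8_t stream[] = { 1, 2, 3, 0xFF, 0 }; /* constructed */
    uint8_t px[16];
    memset(px, 0xAA, sizeof px);       /* stand-in for stale heap contents */
    size_t n = toy_decode(stream, sizeof stream, px, sizeof px,
                          report_full_on_error);
    size_t stale = 0;
    for (size_t i = 0; i < n; i++)
        if (px[i] == 0xAA)
            stale++;
    return stale;
}

int main(void)
{
    printf("flawed: %zu stale bytes, corrected: %zu\n",
           stale_bytes_exposed(1), stale_bytes_exposed(0));
    return 0;
}
```
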
--- Begin Message ---
Source: gdk-pixbuf
Source-Version: 2.42.10+dfsg-1+deb12u2
Done: Moritz Mühlenhoff <j...@debian.org>

We believe that the bug you reported is fixed in the latest version of
gdk-pixbuf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1107...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <j...@debian.org> (supplier of updated gdk-pixbuf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 19 Jun 2025 22:52:54 +0200
Source: gdk-pixbuf
Architecture: source
Version: 2.42.10+dfsg-1+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintain...@lists.alioth.debian.org>
Changed-By: Moritz Mühlenhoff <j...@debian.org>
Closes: 1107994
Changes:
 gdk-pixbuf (2.42.10+dfsg-1+deb12u2) bookworm-security; urgency=medium
 .
   * CVE-2025-6199 (Closes: #1107994)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--- End Message ---
