Your message dated Sun, 07 Dec 2025 17:17:27 +0000
with message-id <[email protected]>
and subject line Bug#1109262: fixed in gdk-pixbuf 2.42.10+dfsg-1+deb12u3
has caused the Debian Bug report #1109262,
regarding CVE-2025-7345: gdk-pixbuf: heap buffer overflow in JPEGs with chunked
ICC data
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1109262: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109262
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libgdk-pixbuf-2.0-0
Version: 2.42.12+dfsg-3
Severity: important
Tags: security upstream moreinfo help
X-Debbugs-Cc: Debian Security Team <[email protected]>,
[email protected]
Forwarded: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/249
Control: fixed -1 2.42.12+dfsg-4

I happened to notice that a buffer overflow was reported and fixed
upstream, involving parsing a JPEG file with multiple chunks of embedded
ICC colour-correction data. (It has not been fixed in a release, only in
the upstream development branch.)

The buffer overflow was discovered by OSS-Fuzz, using an out-of-tree
fuzzing driver running on a customized version of Ubuntu 20.04 with
instrumented, AddressSanitizer'ized versions of GLib and gdk-pixbuf, and
it doesn't seem like the reproducer is necessarily a simple JPEG file
that can be loaded manually - as with many fuzzing-based CVEs, the
reporter is assuming that everyone knows how their elaborate fuzzing
machinery works.

Since uploading the fixed version to unstable, we've had a report of a
regression, https://bugs.debian.org/1109199, which I forwarded upstream
as https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/262. I cannot
reproduce the regression, and the regression reporter has not provided
enough details to make it actionable - I suspect that they might have a
JPEG image containing very specific ICC data which triggers some related
bug. (Or it might be user error - who can say?)

I think we should probably leave this unfixed in stable and LTS for now,
until we have a better idea of whether the regression is a real thing.
cc -lts to warn off the LTS team from doing anything overzealous for now.

I am by no means an expert on either the gdk-pixbuf codebase, the finer
points of JPEG parsing, or reproducing fuzzer-generated crashes in a
more reasonable environment, so I would very much appreciate it if
someone who is better at those topics (and ideally someone who can spend
their paid time on it!) can take it from here.

Thanks,
smcv
--- End Message ---
--- Begin Message ---
Source: gdk-pixbuf
Source-Version: 2.42.10+dfsg-1+deb12u3
Done: Carlos Henrique Lima Melara <[email protected]>
We believe that the bug you reported is fixed in the latest version of
gdk-pixbuf, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Carlos Henrique Lima Melara <[email protected]> (supplier of updated
gdk-pixbuf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 22 Oct 2025 22:45:57 -0300
Source: gdk-pixbuf
Architecture: source
Version: 2.42.10+dfsg-1+deb12u3
Distribution: bookworm
Urgency: medium
Maintainer: Debian GNOME Maintainers
<[email protected]>
Changed-By: Carlos Henrique Lima Melara <[email protected]>
Closes: 1109262
Changes:
gdk-pixbuf (2.42.10+dfsg-1+deb12u3) bookworm; urgency=medium
.
* Team upload.
.
[ Jeremy Bícha ]
* debian/gbp.conf: Branch for bookworm.
.
[ Carlos Henrique Lima Melara ]
* debian/patches/CVE-2025-7345.patch: import patch from upstream.
- CVE-2025-7345: A flaw exists in gdk‑pixbuf within the
gdk_pixbuf__jpeg_image_load_increment function (io-jpeg.c) and in
glib’s g_base64_encode_step (glib/gbase64.c) potentially leading to a
buffer overflow. (Closes: #1109262)
* debian/salsa-ci.yml: build with nocheck and pass SALSA_CI=true for
autopkgtest job.
* debian/tests/installed-tests{,flaky}: check SALSA_CI variable to decide
what is flaky or not.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---