On Mon, Mar 31, 2025 at 10:26:11PM -0300, Carlos Henrique Lima Melara wrote:
> Hi,
>
> On Sat, Mar 22, 2025 at 11:08:18AM -0300, Carlos Henrique Lima Melara wrote:
> > I'm planning to fix [CVE-2025-27795] and [CVE-2025-27796] for Debian LTS
> > (disclaimer: it's a pro-bono upload as part of onboarding in Freexian's
> > LTS team) and I saw they also affect bookworm. Therefore I'd be more
> > than happy to help fix them in our current stable release.
>
> Turns out CVE-2025-27795 and CVE-2025-27796 don't affect bullseye.
> CVE-2025-27796 also doesn't affect bookworm, but CVE-2025-27795 does, so
> I prepared the fix and attached the debdiff against the current version
> in bookworm. I didn't know if it's going to be via security team or
> proposed-updates, so I picked one - but can change on request.
>
> I also tested it in bookworm to see if it fixed the vulnerability and it
> indeed refuses to allocate resources to a very big JPEG XL file
> (attached an example from the upstream).

Thanks! We can fix this via a DSA. Your debdiff looks good, please build
with -sa and upload to security-master.

Cheers,
Moritz