Hi,

On Sat, Apr 05, 2025 at 04:47:13PM +0200, Moritz Mühlenhoff wrote:
> On Mon, Mar 31, 2025 at 10:26:11PM -0300, Carlos Henrique Lima Melara wrote:
> > Hi,
> > 
> > On Sat, Mar 22, 2025 at 11:08:18AM -0300, Carlos Henrique Lima Melara wrote:
> > > I'm planning to fix [CVE-2025-27795] and [CVE-2025-27796] for Debian LTS
> > > (disclaimer: it's a pro-bono upload as part of onboarding in Freexian's
> > > LTS team) and I saw they also affect bookworm. Therefore I'd be more
> > > than happy to help fix them in our current stable release.
> > 
> > Turns out CVE-2025-27795 and CVE-2025-27796 don't affect bullseye.
> > CVE-2025-27796 also doesn't affect bookworm, but CVE-2025-27795 does, so
> > I prepared the fix and attached the debdiff against the current version
> > in bookworm. I didn't know if it's going to be via security team or
> > proposed-updates, so I picked one - but can change on request.
> > 
> > I also tested it in bookworm to see if it fixed the vulnerability and it
> > indeed refuses to allocate resources to a very big jpeg-XL file
> > (attached an example from the upstream).
> 
> Thanks! We can fix this via a DSA. Your debdiff looks good, please build
> with -sa and upload to security-master.

I would suggest that we actually wait until the question around
https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/210#note_601333
is clarified so that we potentially do not need to handle the two CVEs
separately.

It is not fully clear yet if CVE-2025-27796 is really not affecting
bookworm.

Regards,
Salvatore
