On Sat, Apr 05, 2025 at 04:55:37PM +0200, Salvatore Bonaccorso wrote:
> Hi,
>
> On Sat, Apr 05, 2025 at 04:47:13PM +0200, Moritz Mühlenhoff wrote:
> > On Mon, Mar 31, 2025 at 10:26:11PM -0300, Carlos Henrique Lima Melara wrote:
> > > Hi,
> > >
> > > On Sat, Mar 22, 2025 at 11:08:18AM -0300, Carlos Henrique Lima Melara wrote:
> > > > I'm planning to fix [CVE-2025-27795] and [CVE-2025-27796] for Debian LTS
> > > > (disclaimer: it's a pro-bono upload as part of onboarding in Freexian's
> > > > LTS team) and I saw they also affect bookworm. Therefore I'd be more
> > > > than happy to help fix them in our current stable release.
> > >
> > > Turns out CVE-2025-27795 and CVE-2025-27796 don't affect bullseye.
> > > CVE-2025-27796 also doesn't affect bookworm, but CVE-2025-27795 does, so
> > > I prepared the fix and attached the debdiff against the current version
> > > in bookworm. I didn't know if it's going to be via the security team or
> > > proposed-updates, so I picked one - but I can change it on request.
> > >
> > > I also tested it in bookworm to see if it fixed the vulnerability and it
> > > indeed refuses to allocate resources to a very big JPEG-XL file
> > > (attached an example from upstream).
> >
> > Thanks! We can fix this via a DSA. Your debdiff looks good, please build
> > with -sa and upload to security-master.
>
> I would suggest that we actually wait until the question around
> https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/210#note_601333
> is clarified so that we potentially do not need to handle the two CVEs
> separately.
>
> It is not fully clear yet if CVE-2025-27796 is really not affecting
> bookworm.

Ok, Carlos, can you please reach out to graphicsmagick upstream to clarify?

Cheers,
        Moritz