Hi,

On Sat, Apr 26, 2025 at 09:03:44AM +0200, Roland Rosenfeld wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian....@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: fig2...@packages.debian.org
> Control: affects -1 + src:fig2dev
>
> [ Reason ]
> This fixes CVE-2025-46397, CVE-2025-46398, CVE-2025-46399,
> CVE-2025-46400, some seg-faults/stack-overflows in different fig2dev
> drivers.
>
> [ Impact ]
> Segmentation faults with some special cases and a minor security
> issue.
>
> [ Tests ]
> salsa-ci passed except reprotest (this seems to build the package with
> sid instead of bookworm, which uses a newer, different ghostscript
> version, resulting in a slightly different gray rastering with two
> more dots in an example, so one test in the testsuite fails):
> https://salsa.debian.org/debian/fig2dev/-/pipelines/856098
>
> The patch for CVE-2025-46397 adds a new test case.
>
> [ Risks ]
> Hopefully none...
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> - fix for CVE-2025-46397
> - fix for CVE-2025-46398
> - fix for CVE-2025-46399
> - fix for CVE-2025-46400
>
> [ Other info ]
> I agreed with the security-team (Moritz Mühlenhoff) that these are
> minor security issues that, from my point of view, should not need a
> DSA, but it's better to go via a point release.
FWIW, the CVEs have been rejected in the meantime, as there is no real security impact. I still think it is worthwhile for you to upload your package for the upcoming point release, but please drop the mentions of the CVE ids.

Regards,
Salvatore