Package: release.debian.org
Severity: normal
X-Debbugs-Cc: gdk-pix...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:gdk-pixbuf
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package gdk-pixbuf

[ Reason ]
CVE-2025-6199

[ Impact ]
Fixes a local information disclosure vulnerability when parsing malformed GIF files.

[ Tests ]
Automated tests (build-time test and autopkgtest) still pass, including parsing of valid and invalid GIF files.

`eog ~/Pictures` successfully decodes valid JPEG and PNG images.

`eog /usr/libexec/installed-tests/SDL3_image` successfully decodes valid images of several types including GIF.

There is no specific test coverage for CVE-2025-6199. It was found by code inspection and I am not aware of a proof-of-concept exploit.

[ Risks ]
Key package, but the change is very narrowly targeted.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
debian/.gitignore was already present in the source tree, but appears in the debdiff because the previous uploader built with dpkg-buildpackage options that exclude it (most likely git-buildpackage's default, debuild -i -I), whereas I built with options that preserve the entire source tree (-I.git) and uploaded with dgit. Its addition is harmless.

unblock gdk-pixbuf/2.42.12+dfsg-3