On Tue, Jul 15, 2025 at 02:39:16PM +0200, Moritz Mühlenhoff wrote:
> Package: rlottie
> X-Debbugs-CC: t...@security.debian.org
> Severity: grave
> Tags: security
>
> Hi,
>
> The following vulnerabilities were published for rlottie.
>
> CVE-2025-0634[0]:
> | Use After Free vulnerability in Samsung Open Source rLottie allows
> | Remote Code Inclusion. This issue affects rLottie: V0.2.
>
> https://github.com/Samsung/rlottie/pull/571
> https://github.com/Samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9
>
>
> CVE-2025-53074[1]:
> | Out-of-bounds Read vulnerability in Samsung Open Source rLottie
> | allows Overflow Buffers. This issue affects rLottie: V0.2.
>
> https://github.com/Samsung/rlottie/pull/571
> https://github.com/Samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9
>
>
> CVE-2025-53075[2]:
> | Improper Input Validation vulnerability in Samsung Open Source
> | rLottie allows Path Traversal. This issue affects rLottie: V0.2.
>
> https://github.com/Samsung/rlottie/pull/571
> https://github.com/Samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9
> ...
I am not 100% sure whether all of these CVEs can be considered duplicates of old CVEs already fixed in 0.1+dfsg-2 (#988885), but there's clearly overlap in what got fixed:

https://sources.debian.org/src/rlottie/0.1%2Bdfsg-4.2/debian/patches/Fix-crash-on-invalid-data.patch/

Apparently the old CVEs were reported against a fork and the new CVEs against the original upstream.

cu
Adrian