Hi,

On 2026/6/1 03:07, Salvatore Bonaccorso wrote:
> Source: jpeg-xl
> Version: 0.11.2-5
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/libjxl/libjxl/issues/4337
> X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
>
> Hi,
>
> The following vulnerability was published for jpeg-xl.
>
> CVE-2025-70103[0]:
> | Heap buffer overflow vulnerability in libjxl 0.12.0 via crafted PBM
> | images to the jxl::extras::DecodeImagePNM function in file
> | lib/extras/dec/pnm.cc.

The libjxl upstream has not released version 0.12.0 yet, so why record this CVE on an unreleased version? Should it be recorded on the released version 0.11.2?

> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2025-70103
>     https://www.cve.org/CVERecord?id=CVE-2025-70103
> [1] https://github.com/libjxl/libjxl/issues/4337
> [2] https://www.openwall.com/lists/oss-security/2026/05/30/7
> [3] https://github.com/libjxl/libjxl/pull/4380
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore

Regards,

-- 
肖盛文 xiao sheng wen
Debian Developer(atzlinux)
Debian QA page: https://qa.debian.org/developer.php?login=atzlinux%40debian.org
GnuPG Public Key: 0x00186602339240CB

