Your message dated Fri, 30 May 2025 19:48:22 +0000
with message-id <e1ul5ii-00b76n...@fasolo.debian.org>
and subject line Bug#1105883: fixed in libavif 0.11.1-1+deb12u1
has caused the Debian Bug report #1105883,
regarding libavif: CVE-2025-48175
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1105883: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105883
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libavif
Version: 1.2.1-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/AOMediaCodec/libavif/pull/2769
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for libavif.
CVE-2025-48175[0]:
| In libavif before 1.3.0, avifImageRGBToYUV in reformat.c has integer
| overflows in multiplications involving rgbRowBytes, yRowBytes,
| uRowBytes, and vRowBytes.
The report at [1] is not public yet at the time of writing this bug report.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-48175
    https://www.cve.org/CVERecord?id=CVE-2025-48175
[1] https://github.com/AOMediaCodec/libavif/security/advisories/GHSA-762c-2538-h844
[2] https://github.com/AOMediaCodec/libavif/pull/2769
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
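The arithmetic pattern named in the CVE text above (a 32-bit row-bytes or row-offset multiplication that wraps), shown as an added illustration beside a version that fails closed; this is example code, not libavif's reformat.c or the Debian patch, and the helper names and the plane-layout calculation are assumed, simplified stand-ins.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked 32-bit multiply: the product wraps modulo 2^32, so a row-bytes
 * or row-offset value can come out far smaller than the real size and later
 * writes run past the buffer that was sized from it. */
static uint32_t mul_u32_unchecked(uint32_t a, uint32_t b)
{
    return a * b;
}

/* Checked multiply: report overflow instead of wrapping. Uses the GCC/Clang
 * __builtin_mul_overflow builtin, which checks against the result type. */
static bool mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    return !__builtin_mul_overflow(a, b, out);
}

/* Hypothetical plane-layout helper (assumed name, not libavif's API):
 * rowBytes = width * bytesPerPixel, planeBytes = rowBytes * height, failing
 * closed if either product does not fit the 32-bit fields that the later
 * pointer arithmetic uses. */
static bool rgb_plane_layout(uint32_t width, uint32_t height, uint32_t bytesPerPixel,
                             uint32_t *rowBytes, uint32_t *planeBytes)
{
    uint32_t rb, pb;
    if (width == 0 || height == 0 || bytesPerPixel == 0)
        return false;
    if (!mul_u32_checked(width, bytesPerPixel, &rb))
        return false;
    if (!mul_u32_checked(rb, height, &pb))
        return false;
    *rowBytes = rb;
    *planeBytes = pb;
    return true;
}

int main(void)
{
    /* Constructed oversized input: 2^30 pixels per row at 4 bytes each. */
    uint32_t rb = 0, pb = 0;
    printf("unchecked rowBytes: %" PRIu32 "\n", mul_u32_unchecked(1u << 30, 4)); /* 0 */
    printf("checked layout accepted: %d\n", rgb_plane_layout(1u << 30, 2, 4, &rb, &pb));
    bool ok = rgb_plane_layout(4096, 4096, 4, &rb, &pb);
    printf("4096x4096 RGBA: ok=%d rowBytes=%" PRIu32 " planeBytes=%" PRIu32 "\n", ok, rb, pb);
    return 0;
}
```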
--- Begin Message ---
Source: libavif
Source-Version: 0.11.1-1+deb12u1
Done: Salvatore Bonaccorso <car...@debian.org>
We believe that the bug you reported is fixed in the latest version of
libavif, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1105...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libavif package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 25 May 2025 17:51:18 +0200
Source: libavif
Architecture: source
Version: 0.11.1-1+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Multimedia Maintainers <debian-multime...@lists.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1105883 1105885
Changes:
libavif (0.11.1-1+deb12u1) bookworm-security; urgency=high
.
  * Non-maintainer upload by the Security Team.
  * Add integer overflow checks to makeRoom (CVE-2025-48174)
    (Closes: #1105885)
  * Avoid integer overflow in (32-bit) int or unsigned int arithmetic
    operations (CVE-2025-48175) (Closes: #1105883)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---