Your message dated Fri, 20 Jun 2025 09:40:56 +0000
with message-id <e1usyey-0087yf...@fasolo.debian.org>
and subject line Bug#1107994: fixed in gdk-pixbuf 2.42.12+dfsg-3
has caused the Debian Bug report #1107994,
regarding gdk-pixbuf: CVE-2025-6199
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1107994: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107994
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gdk-pixbuf
Version: 2.42.12+dfsg-2
Severity: grave
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/257
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for gdk-pixbuf.
(Choosing RC level, since jmm is planning a DSA, so we should have
that fixed as well in trixie)
CVE-2025-6199[0]:
| A flaw was found in the GIF parser of GdkPixbuf’s LZW decoder. When
| an invalid symbol is encountered during decompression, the decoder
| sets the reported output size to the full buffer length rather than
| the actual number of written bytes. This logic error results in
| uninitialized sections of the buffer being included in the output,
| potentially leaking arbitrary memory contents in the processed
| image.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-6199
https://www.cve.org/CVERecord?id=CVE-2025-6199
[1] https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/257
[2] https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/c4986342b241cdc075259565f3fa7a7597d32a32
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
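The flaw quoted above is an accounting bug rather than a memory-safety one: the decoder stops writing when it hits an invalid symbol, but tells its caller that the whole output buffer is valid, so the caller copies bytes the decoder never produced. The following C program is an added illustration of that pattern and of the fix, and is not gdk-pixbuf's code: it is a simplified LZW decoder (codes arrive as plain 16-bit integers with no GIF bit-packing, clear or end-of-information codes), the sample code stream, the 16-byte output buffer and the 0xAA sentinel standing in for stale memory are all constructed for the demonstration, and the names `lzw_decode`, `dict_emit` and `decode_sample` are the example's own. `decode_sample(1)` models the reported behaviour (full buffer length on an invalid symbol), `decode_sample(0)` the corrected one (bytes actually written).

```c
/* Simplified model of the LZW output-size accounting flaw described in this
 * report. Added illustration, not gdk-pixbuf's code: codes are plain 16-bit
 * integers, and the sample stream, buffer size and sentinel are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_CODES 4096
#define NO_PREFIX 0xFFFF
#define OUT_LEN   16
#define STALE     0xAA   /* stands in for whatever the buffer held beforehand */

typedef struct {
    uint16_t prefix[MAX_CODES]; /* entry this one extends, or NO_PREFIX */
    uint8_t  suffix[MAX_CODES]; /* final byte of the entry */
    uint16_t next_code;         /* next free dictionary slot */
} lzw_dict;

/* Expand `code` into out[pos..]; returns bytes written, or -1 if it does not
 * fit. The first byte of the expansion is passed back through *first. */
static int dict_emit(const lzw_dict *d, uint16_t code, uint8_t *out,
                     size_t pos, size_t out_len, uint8_t *first)
{
    size_t len = 0, i;
    for (uint16_t c = code; c != NO_PREFIX; c = d->prefix[c]) len++;
    if (pos + len > out_len) return -1;
    i = len;
    for (uint16_t c = code; c != NO_PREFIX; c = d->prefix[c]) out[pos + --i] = d->suffix[c];
    *first = out[pos];
    return (int)len;
}

/* Core decoder: returns the bytes actually written to `out`, and clears *ok
 * on an invalid symbol or an expansion that would not fit in the buffer. */
static size_t lzw_decode(const uint16_t *codes, size_t ncodes,
                         uint8_t *out, size_t out_len, int *ok)
{
    lzw_dict d;
    size_t written = 0;
    uint16_t prev = NO_PREFIX;
    uint8_t first = 0;

    for (int c = 0; c < 256; c++) { d.prefix[c] = NO_PREFIX; d.suffix[c] = (uint8_t)c; }
    d.next_code = 256;
    *ok = 1;
    for (size_t i = 0; i < ncodes; i++) {
        uint16_t code = codes[i];
        int n;
        /* A symbol above the next free slot has no definition: invalid. */
        if (code >= MAX_CODES || code > d.next_code) { *ok = 0; break; }
        if (code == d.next_code) {  /* KwKwK case: entry = prev + first(prev) */
            if (prev == NO_PREFIX) { *ok = 0; break; }
            n = dict_emit(&d, prev, out, written, out_len, &first);
            if (n < 0 || written + (size_t)n >= out_len) { *ok = 0; break; }
            out[written + (size_t)n] = first;
            n++;
        } else {
            n = dict_emit(&d, code, out, written, out_len, &first);
            if (n < 0) { *ok = 0; break; }
        }
        if (prev != NO_PREFIX && d.next_code < MAX_CODES) {
            d.prefix[d.next_code] = prev;
            d.suffix[d.next_code] = first;
            d.next_code++;
        }
        written += (size_t)n;
        prev = code;
    }
    return written;
}

/* Constructed stream: "ABABABA" as 65 66 256 258, then symbol 4000, which is
 * far beyond the dictionary and is rejected as an invalid symbol. */
static const uint16_t sample_codes[] = { 65, 66, 256, 258, 4000 };

typedef struct {
    size_t reported;  /* size the decoder reports to its caller */
    size_t stale;     /* reported bytes the decoder never wrote */
    int    prefix_ok; /* the valid part decoded to "ABABABA" */
} sample_result;

/* Decode the sample into a buffer pre-filled with STALE, using either the
 * buggy accounting (claim the whole buffer after an invalid symbol, as the
 * report describes) or the fixed one (report only what was actually written). */
static sample_result decode_sample(int buggy)
{
    uint8_t out[OUT_LEN];
    sample_result r = { 0, 0, 0 };
    int ok;
    memset(out, STALE, sizeof out);
    size_t written = lzw_decode(sample_codes, sizeof sample_codes / sizeof sample_codes[0],
                                out, OUT_LEN, &ok);
    r.reported = (buggy && !ok) ? OUT_LEN : written;
    r.prefix_ok = written == 7 && memcmp(out, "ABABABA", 7) == 0;
    for (size_t i = 0; i < r.reported; i++)  /* a consumer would copy all of these */
        r.stale += (out[i] == STALE);
    return r;
}
```

With the fixed accounting the caller is told 7 bytes and sees no sentinel; with the buggy accounting it is told 16, and the 9 trailing sentinel bytes are the "uninitialized sections of the buffer" the report describes. The practitioner's check is the same in either code base: on an error path, the length handed back to the caller must be derived from the write cursor, never from the allocation size.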
--- Begin Message ---
Source: gdk-pixbuf
Source-Version: 2.42.12+dfsg-3
Done: Simon McVittie <s...@debian.org>
We believe that the bug you reported is fixed in the latest version of
gdk-pixbuf, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1107...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <s...@debian.org> (supplier of updated gdk-pixbuf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 20 Jun 2025 09:52:41 +0100
Source: gdk-pixbuf
Architecture: source
Version: 2.42.12+dfsg-3
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintain...@lists.alioth.debian.org>
Changed-By: Simon McVittie <s...@debian.org>
Closes: 1107994
Changes:
gdk-pixbuf (2.42.12+dfsg-3) unstable; urgency=high
.
* Team upload
* d/p/lzw-Fix-reporting-of-bytes-written-in-decoder.patch:
Add patch from upstream to fix LZW error reporting.
Setting the reported output size to the full buffer length rather than
the actual number of written bytes can cause uninitialized memory
contents to be disclosed. (CVE-2025-6199; Closes: #1107994)
* Set high urgency for security fix
Checksums-Sha1:
20fee1d33f649597eb50f969f8d2faf3d1b446d0 3214 gdk-pixbuf_2.42.12+dfsg-3.dsc
07fc770e07a0a8ecc6b478fc6a01cede71febd29 22448 gdk-pixbuf_2.42.12+dfsg-3.debian.tar.xz
7571df899c54d9ff51071d357b373c34025bd43d 9209 gdk-pixbuf_2.42.12+dfsg-3_source.buildinfo
Checksums-Sha256:
c071f923775e859e5fbf5e0f6a090ad6872cfee44f265cc8c977a40b18c2c8f9 3214 gdk-pixbuf_2.42.12+dfsg-3.dsc
900fcb2d377a5cd7c7bfb0b56ee6bae104f776b561e67147f571d1875130b2b3 22448 gdk-pixbuf_2.42.12+dfsg-3.debian.tar.xz
424db3540599d39d7f97438e1333eab60726a6e2c7c2494191ffa0522f596d82 9209 gdk-pixbuf_2.42.12+dfsg-3_source.buildinfo
Files:
14e5e38923c6fe9d4ebaca990a2a3461 3214 libs optional gdk-pixbuf_2.42.12+dfsg-3.dsc
aeb411a00b0b157caf9b127f9f558aa3 22448 libs optional gdk-pixbuf_2.42.12+dfsg-3.debian.tar.xz
88ebae5f068a450956ca3b69593aea53 9209 libs optional gdk-pixbuf_2.42.12+dfsg-3_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---