Your message dated Tue, 18 Nov 2025 15:36:00 +0000
with message-id <[email protected]>
and subject line Bug#1109341: fixed in rlottie 0.1+dfsg-4.3
has caused the Debian Bug report #1109341,
regarding rlottie: CVE-2025-0634 CVE-2025-53074 CVE-2025-53075
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1109341: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109341
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: rlottie
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for rlottie.

CVE-2025-0634[0]:
| Use After Free vulnerability in Samsung Open Source rLottie allows
| Remote Code Inclusion. This issue affects rLottie: V0.2.

https://github.com/Samsung/rlottie/pull/571
https://github.com/Samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9


CVE-2025-53074[1]:
| Out-of-bounds Read vulnerability in Samsung Open Source rLottie
| allows Overflow Buffers. This issue affects rLottie: V0.2.

https://github.com/Samsung/rlottie/pull/571
https://github.com/Samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9


CVE-2025-53075[2]:
| Improper Input Validation vulnerability in Samsung Open Source
| rLottie allows Path Traversal. This issue affects rLottie: V0.2.

https://github.com/Samsung/rlottie/pull/571
https://github.com/Samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-0634
    https://www.cve.org/CVERecord?id=CVE-2025-0634
[1] https://security-tracker.debian.org/tracker/CVE-2025-53074
    https://www.cve.org/CVERecord?id=CVE-2025-53074
[2] https://security-tracker.debian.org/tracker/CVE-2025-53075
    https://www.cve.org/CVERecord?id=CVE-2025-53075

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: rlottie
Source-Version: 0.1+dfsg-4.3
Done: Thorsten Alteholz <[email protected]>

We believe that the bug you reported is fixed in the latest version of
rlottie, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <[email protected]> (supplier of updated rlottie package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 18 Nov 2025 12:05:10 +0100
Source: rlottie
Architecture: source
Version: 0.1+dfsg-4.3
Distribution: unstable
Urgency: medium
Maintainer: Nicholas Guriev <[email protected]>
Changed-By: Thorsten Alteholz <[email protected]>
Closes: 1109341 1113469
Changes:
 rlottie (0.1+dfsg-4.3) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * add cmake4.patch (Closes: #1113469)
   * CVE-2025-0634 (Closes: #1109341)
     CVE-2025-53074
     CVE-2025-53075
     Most patches to fix these issues are already part of:
       Fix-crash-on-invalid-data.patch
     The remaining boundary check is left in:
       CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch
     For the sake of completeness, the whole upstream patch
     for these CVEs is added in:
       CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch.org

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
