Your message dated Fri, 26 Dec 2025 14:47:44 +0000
with message-id <[email protected]>
and subject line Bug#1109341: fixed in rlottie 0.1+dfsg-4+deb12u1
has caused the Debian Bug report #1109341,
regarding rlottie: CVE-2025-0634 CVE-2025-53074 CVE-2025-53075
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1109341: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109341
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: rlottie
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for rlottie.
CVE-2025-0634[0]:
| Use After Free vulnerability in Samsung Open Source rLottie allows
| Remote Code Inclusion. This issue affects rLottie: V0.2.
https://github.com/Samsung/rlottie/pull/571
https://github.com/Samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9
CVE-2025-53074[1]:
| Out-of-bounds Read vulnerability in Samsung Open Source rLottie
| allows Overflow Buffers. This issue affects rLottie: V0.2.
https://github.com/Samsung/rlottie/pull/571
https://github.com/Samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9
CVE-2025-53075[2]:
| Improper Input Validation vulnerability in Samsung Open Source
| rLottie allows Path Traversal. This issue affects rLottie: V0.2.
https://github.com/Samsung/rlottie/pull/571
https://github.com/Samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-0634
https://www.cve.org/CVERecord?id=CVE-2025-0634
[1] https://security-tracker.debian.org/tracker/CVE-2025-53074
https://www.cve.org/CVERecord?id=CVE-2025-53074
[2] https://security-tracker.debian.org/tracker/CVE-2025-53075
https://www.cve.org/CVERecord?id=CVE-2025-53075
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: rlottie
Source-Version: 0.1+dfsg-4+deb12u1
Done: Thorsten Alteholz <[email protected]>
We believe that the bug you reported is fixed in the latest version of
rlottie, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thorsten Alteholz <[email protected]> (supplier of updated rlottie package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 25 Nov 2025 12:05:10 +0100
Source: rlottie
Architecture: source
Version: 0.1+dfsg-4+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Nicholas Guriev <[email protected]>
Changed-By: Thorsten Alteholz <[email protected]>
Closes: 1109341
Changes:
 rlottie (0.1+dfsg-4+deb12u1) bookworm; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2025-0634 (Closes: #1109341)
     CVE-2025-53074
     CVE-2025-53075
     Most patches to fix these issues are already part of:
       Fix-crash-on-invalid-data.patch
     The remaining boundary check is left in:
       CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch
     For the sake of completeness, the whole upstream patch
     for these CVEs is added in:
       CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch.org
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---