Bug#1109262: gdk-pixbuf for trixie?
Simon McVittie
smcv at debian.org
Sat Jul 26 14:47:19 BST 2025
On Sat, 26 Jul 2025 at 14:58:32 +0200, Cyril Brulebois wrote:
>Are you planning to request an unblock for gdk-pixbuf 2.42.12+dfsg-4?
>I'm happy either way regarding the upcoming RC 3 (and 13.0). Just
>thought I'd drop you a note with the full freeze coming up.
Thanks for the reminder, but the change is not in any upstream release
yet and I did get one report of a regression, although I couldn't
reproduce it and now the reporter can't either (see #1109199). This
makes me cautious about destabilizing the release, so at this point my
inclination is to skip that change for 13.0 and either fix it via
trixie-security or in 13.1, depending on what the security team think.
Is that OK from the -boot point of view?
Upstream no longer recommends gdk-pixbuf as a loader for untrusted
content (it's fine for trusted app resources, but something memory-safe
and with integrated sandboxing like glycin is their new recommendation
for untrusted image viewing), and for libgnome-desktop's thumbnailer,
any exploit risks in gdk-pixbuf are mitigated by libgnome-desktop
sandboxing the decoder with bubblewrap.
Let's take any further discussion regarding CVE-2025-7345 to its
tracking bug, #1109262.
smcv