Bug#1107994: gdk-pixbuf: CVE-2025-6199
Salvatore Bonaccorso
carnil at debian.org
Wed Jun 18 19:54:55 BST 2025
Source: gdk-pixbuf
Version: 2.42.12+dfsg-2
Severity: grave
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/257
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for gdk-pixbuf.
(Choosing RC level, since jmm is planning a DSA, so we should have
that fixed as well in trixie)
CVE-2025-6199[0]:
| A flaw was found in the GIF parser of GdkPixbuf’s LZW decoder. When
| an invalid symbol is encountered during decompression, the decoder
| sets the reported output size to the full buffer length rather than
| the actual number of written bytes. This logic error results in
| uninitialized sections of the buffer being included in the output,
| potentially leaking arbitrary memory contents in the processed
| image.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-6199
https://www.cve.org/CVERecord?id=CVE-2025-6199
[1] https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/257
[2] https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/c4986342b241cdc075259565f3fa7a7597d32a32
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the pkg-gnome-maintainers
mailing list