Bug#1108085: unblock: gdk-pixbuf/2.42.12+dfsg-3
Simon McVittie
smcv at debian.org
Fri Jun 20 10:33:17 BST 2025
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: gdk-pixbuf at packages.debian.org, team at security.debian.org
Control: affects -1 + src:gdk-pixbuf
User: release.debian.org at packages.debian.org
Usertags: unblock
Please unblock package gdk-pixbuf
[ Reason ]
CVE-2025-6199
[ Impact ]
Fixes a local information disclosure vulnerability when parsing malformed
GIF files.
[ Tests ]
Automated tests (build-time test and autopkgtest) still pass, including
parsing of valid and invalid GIF files.
`eog ~/Pictures` successfully decodes valid JPEG and PNG images.
`eog /usr/libexec/installed-tests/SDL3_image` successfully decodes
valid images of several types including GIF.
There is no specific test coverage for CVE-2025-6199. It was found by
code inspection and I am not aware of a proof-of-concept exploit.
[ Risks ]
Key package, but the change is very narrowly targeted.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
debian/.gitignore was already present in the source tree, but appears in
the debdiff because the previous uploader built with dpkg-buildpackage
options that exclude it (most likely git-buildpackage's default,
debuild -i -I), whereas I built with options that preserve the entire
source tree (-I.git) and uploaded with dgit. Its addition is harmless.
unblock gdk-pixbuf/2.42.12+dfsg-3