Bug#1109262: CVE-2025-7345: gdk-pixbuf: heap buffer overflow in JPEGs with chunked ICC data
Simon McVittie
smcv at debian.org
Sat Nov 15 17:56:15 GMT 2025
On Wed, 08 Oct 2025 at 23:18:19 -0300, Carlos Henrique Lima Melara wrote:
>I have cherry-picked the patch for bookworm and it applied cleanly
...
>So I'd like to fill a p-u bug for getting it into the next bookworm
>point release. I understand it's part of the gnome team, so should I
>open a MR for the changes [3] and wait for a reviewer or go on, push
>there and fill the p-u bug? Is there any other bureaucracy I have to do
>for the gnome team?
If you're confident about the patch's correctness, and the bug is fixed
in trixie already, please go ahead.
(If it wasn't fixed in trixie, I'd be asking for a fix queued for trixie
before a corresponding change in bookworm, but I see this particular
patch is one that I uploaded during freeze.)
>Also, I noticed the packaging for both LTS and ELTS is maintained under
>lts-team/packages/gdk-pixbuf in salsa [4], but we are trying to move as
>much as possible to the same repository where the official packaging is
>maintained. Would it be okay to push the LTS and ELTS to
>gnome-team/gdk-pixbuf?
Yes please - our convention is to use the standard DEP-14 branches like
debian/bookworm for changes that are ready to release, or the wip/*
namespace for changes that aren't ready or might be rebased.
>P.S.: I might experiment a bit with salsa-ci in my fork before opening
>the MR or pushing to the official repository.
Please don't make that a blocker, and I would suggest that we might not
actually want to be using salsa-ci for this particular package, because
I seem to remember that at least one test loads a
crafted/corrupted/malformed image which is technically loadable but
causes a very large amount of memory to be allocated.
smcv
More information about the pkg-gnome-maintainers
mailing list