Bug#1121041: bookworm-pu: package gdk-pixbuf/2.42.10+dfsg-1+deb12u3
Carlos Henrique Lima Melara
charles at debian.org
Thu Nov 20 01:34:01 GMT 2025
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: gdk-pixbuf at packages.debian.org
Control: affects -1 + src:gdk-pixbuf
User: release.debian.org at packages.debian.org
Usertags: pu
Hi,

[ Reason ]
The reason for the bookworm-pu bug is CVE-2025-7345 [1][2], which is a
potential buffer overflow. The fix was applied already in sid, trixie,
bullseye and other ELTS releases with no reports of regressions but one
in testing [3] before the release of trixie. After further communication
with the reporter, it was dismissed as probably an inconsistent
environment on their side. The reported regression was unreproducible in
trixie, bullseye and also bookworm (tested in a clean VM with multiple
GNOME applications).

[ Impact ]
We have a pending CVE and a potential buffer overflow in bookworm.

[ Tests ]
I have manually reproduced the reported ASAN overflow in bookworm and
also verified the patch fixed it. The package's autopkgtest was run and
passes without regressions. I have also uploaded it to debusine.d.n [4]
to check rdep autopkgtests using the fixed version and no new failures
showed up when comparing to the version currently in bookworm [5].

[ Risks ]
The patch is pretty trivial: it makes sure there is enough space
allocated without blindly trusting what the image headers say and bails
out if there isn't enough space. For a correctly defined JPEG image,
there shouldn't be any impact since the headers wouldn't lie.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Cherry-pick of the patch fixing the CVE; the explanation for it is in
the Risks section. Aside from that, there are some changes to add
salsa-ci and enable the full coverage of it, which includes marking a
second test as flaky when running salsa-ci. Also, switch to
debian/bookworm in gbp.conf.

[ Other info ]
Although the last two changes mentioned in the Changes section don't impact
the archive, they do provide more comfort and assurance before uploading,
so I think it's worth keeping them. If Stable Release Managers prefer to
not have them, please let me know.

Cheers,
Charles

[1] https://security-tracker.debian.org/tracker/CVE-2025-7345
[2] https://bugs.debian.org/1109262
[3] https://bugs.debian.org/1109199
[4] https://debusine.debian.net/debian/developers/work-request/197302/
[5] https://debusine.debian.net/debian/developers/work-request/197416/
Attachment: gdk-pixbuf_2.42.10+dfsg-1+deb12u3.diff (text/x-diff, 6965 bytes)
URL: http://alioth-lists.debian.net/pipermail/pkg-gnome-maintainers/attachments/20251119/d8f27f4e/attachment.diff
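The defensive pattern described under [ Risks ] (size every write from what was actually allocated, not from what the image header claims, and bail out on a mismatch), shown as an added stand-alone C example. This is not the gdk-pixbuf patch or any of its code: the `pixel_buffer` struct, the function names and the `DEMO_*` scenario are this example's own constructed assumptions, chosen only to illustrate the check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical pixel buffer (this example's own type, not gdk-pixbuf's):
 * the decoder only gets to know what was actually allocated. */
struct pixel_buffer {
    uint8_t *data;
    size_t   capacity;   /* bytes actually allocated for data */
    size_t   rowstride;  /* bytes per row as allocated */
    size_t   height;     /* rows as allocated */
};

/* Bytes needed for width x height pixels of `channels` bytes each.
 * Returns false instead of wrapping around on arithmetic overflow. */
bool required_bytes(size_t width, size_t height, size_t channels,
                    size_t *out)
{
    if (width == 0 || height == 0 || channels == 0)
        return false;
    if (width > SIZE_MAX / channels)
        return false;
    size_t row = width * channels;
    if (row > SIZE_MAX / height)
        return false;
    *out = row * height;
    return true;
}

/* The core of the check: compare what the untrusted header claims
 * against what the caller really allocated, and refuse on mismatch. */
bool header_fits_allocation(size_t hdr_width, size_t hdr_height,
                            size_t channels, size_t capacity)
{
    size_t needed;
    if (!required_bytes(hdr_width, hdr_height, channels, &needed))
        return false;            /* absurd or overflowing dimensions */
    return needed <= capacity;   /* bail out if the header asks for more */
}

/* Per-scanline guard: every write is bounded by the allocation, not by
 * the row count the image declared. */
bool copy_scanline_checked(struct pixel_buffer *buf, size_t row_index,
                           const uint8_t *src, size_t src_len)
{
    if (buf->rowstride == 0 || row_index >= buf->height)
        return false;
    if (src_len > buf->rowstride || row_index > SIZE_MAX / buf->rowstride)
        return false;
    size_t offset = row_index * buf->rowstride;
    if (offset > buf->capacity || src_len > buf->capacity - offset)
        return false;
    memcpy(buf->data + offset, src, src_len);
    return true;
}

/* Constructed scenario: storage sized for a 64x64 RGB image. */
#define DEMO_WIDTH    64
#define DEMO_HEIGHT   64
#define DEMO_CHANNELS 3
static uint8_t demo_storage[DEMO_WIDTH * DEMO_HEIGHT * DEMO_CHANNELS];

/* 1 if a truthful 64x64 header is accepted. */
int demo_honest_header(void)
{
    return header_fits_allocation(64, 64, DEMO_CHANNELS,
                                  sizeof demo_storage) ? 1 : 0;
}

/* 1 if a header claiming one extra row (64x65) is refused. */
int demo_lying_header(void)
{
    return header_fits_allocation(64, 65, DEMO_CHANNELS,
                                  sizeof demo_storage) ? 0 : 1;
}

/* 1 if dimensions whose product would wrap size_t are refused. */
int demo_overflowing_header(void)
{
    return header_fits_allocation(SIZE_MAX / 2 + 1, 4, 1,
                                  sizeof demo_storage) ? 0 : 1;
}

/* Feeds 65 decoded rows into the 64-row allocation and returns how many
 * were written; the 65th must be rejected, so the answer is 64. */
int demo_scanline_copies(void)
{
    struct pixel_buffer buf = { demo_storage, sizeof demo_storage,
                                DEMO_WIDTH * DEMO_CHANNELS, DEMO_HEIGHT };
    uint8_t row[DEMO_WIDTH * DEMO_CHANNELS];
    int accepted = 0;
    memset(row, 0xAB, sizeof row);
    for (size_t i = 0; i < (size_t)DEMO_HEIGHT + 1; i++)
        if (copy_scanline_checked(&buf, i, row, sizeof row))
            accepted++;
    return accepted;
}

int main(void)
{
    printf("honest header accepted: %d\n", demo_honest_header());
    printf("lying header refused: %d\n", demo_lying_header());
    printf("overflowing header refused: %d\n", demo_overflowing_header());
    printf("scanlines written: %d of 65\n", demo_scanline_copies());
    return 0;
}
```

The two checks are deliberately separate: `header_fits_allocation` rejects a lying header up front, and `copy_scanline_checked` still bounds each write against the allocation, so a decoder that emits more rows than the header promised cannot run past the end of the buffer either.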