Bug#1109262: CVE-2025-7345: gdk-pixbuf: heap buffer overflow in JPEGs with chunked ICC data
Carlos Henrique Lima Melara
charles at debian.org
Thu Nov 20 01:57:12 GMT 2025
On Sat, Nov 15, 2025 at 05:56:15PM +0000, Simon McVittie wrote:
> On Wed, 08 Oct 2025 at 23:18:19 -0300, Carlos Henrique Lima Melara wrote:
> > I have cherry-picked the patch for bookworm and it applied cleanly
> ...
> > So I'd like to fill a p-u bug for getting it into the next bookworm
> > point release. I understand it's part of the gnome team, so should I
> > open a MR for the changes [3] and wait for a reviewer or go on, push
> > there and fill the p-u bug? Is there any other bureaucracy I have to do
> > for the gnome team?
>
> If you're confident about the patch's correctness, and the bug is fixed in
> trixie already, please go ahead.
Ack, filled #1121041.
>
> (If it wasn't fixed in trixie, I'd be asking for a fix queued for trixie
> before a corresponding change in bookworm, but I see this particular patch
> is one that I uploaded during freeze.)
Surely :-)
> > Also, I noticed the packaging for both LTS and ELTS is maintained under
> > lts-team/packages/gdk-pixbuf in salsa [4], but we are trying to move as
> > much as possible to the same repository where the official packaging is
> > maintained. Would it be okay to push the LTS and ELTS to
> > gnome-team/gdk-pixbuf?
>
> Yes please - our convention is to use the standard DEP-14 branches like
> debian/bookworm for changes that are ready to release, or the wip/*
> namespace for changes that aren't ready or might be rebased.
Ack.
> > P.S.: I might experiment a bit with salsa-ci in my fork before opening
> > the MR or pushing to the official repository.
>
> Please don't make that a blocker, and I would suggest that we might not
> actually want to be using salsa-ci for this particular package, because I
> seem to remember that at least one test loads a crafted/corrupted/malformed
> image which is technically loadable but causes a very large amount of memory
> to be allocated.
I did manage to get it working (though not as cleanly as I'd like) [1]
so I sent the pu with these changes included, let's await SRM's reply.
If they are ok with the upload, I'll push the changes to
gnome-team/gdk-pixbuf and tag the commit.
Cheers and thanks for the many replies,
Charles
[1] https://salsa.debian.org/gnome-team/gdk-pixbuf/-/merge_requests/6/diffs?commit_id=17c4f3bbd549cdb82e0e4d746ed7b3b5d2c8a48e
More information about the pkg-gnome-maintainers
mailing list