Bug#1109262: CVE-2025-7345: gdk-pixbuf: heap buffer overflow in JPEGs with chunked ICC data

Carlos Henrique Lima Melara charles at debian.org
Thu Oct 9 03:18:19 BST 2025


Hi again,

On Fri, Sep 26, 2025 at 10:00:35AM +0100, Simon McVittie wrote:
> On Thu, 25 Sep 2025 at 23:46:46 -0300, Carlos Henrique Lima Melara wrote:
> > From what I've read, the reporter couldn't reproduce the bug and asked
> > for it to be closed, the fix was unblocked and got into trixie and
> > enough time has passed now, right? Do you still think we should hold off
> > here for (now) oldstable and LTS?
> 
> I think this is at a point where someone could look into it for bookworm and
> LTS (and the change has also made it into a stable release
> upstream).
> 
> I'm not intending to work on this for the older releases myself - if you can
> pick this up, that would be appreciated.

I have cherry-picked the patch for bookworm and it applied cleanly [0].
I was able to reproduce the ASAN failure by recompiling glib and
gdk-pixbuf from bookworm with the necessary bits set up and also
verified applying the patch fixed the overflow. Last but not least, I've
uploaded the bookworm version [1] and the new revision to debusine to do
manual regression testing [2] in rdeps autopkgtests (debusine still
misses what britney does), all checked out and no regressions were
introduced.

So I'd like to file a p-u bug for getting it into the next bookworm
point release. I understand it's part of the gnome team, so should I
open an MR for the changes [3] and wait for a reviewer or go on, push
there and file the p-u bug? Is there any other bureaucracy I have to do
for the gnome team?

Also, I noticed the packaging for both LTS and ELTS is maintained under
lts-team/packages/gdk-pixbuf in salsa [4], but we are trying to move as
much as possible to the same repository where the official packaging is
maintained. Would it be okay to push the LTS and ELTS to
gnome-team/gdk-pixbuf?

> > Did you get any other regression reports in trixie, testing or
> > unstable?
> 
> Not that I've seen.

Ah, and I tested gthumb (and other gnome apps) with the updated version
and it worked, so maybe that report was really just someone with their
system in a bad state.

Cheers,
Charles

P.S.: I might experiment a bit with salsa-ci in my fork before opening
the MR or pushing to the official repository.

[0] https://salsa.debian.org/charles/gdk-pixbuf/-/commit/e7f67183044b30b2dcd57fb012cb3ed88621ba33
[1] https://debusine.debian.net/debian/developers/work-request/197416/
[2] https://debusine.debian.net/debian/developers/work-request/197302/
[3] https://salsa.debian.org/charles/gdk-pixbuf/-/commits/debian/bookworm
[4] https://salsa.debian.org/lts-team/packages/gdk-pixbuf
