Bug#1109262: CVE-2025-7345: gdk-pixbuf: heap buffer overflow in JPEGs with chunked ICC data

Carlos Henrique Lima Melara charles at debian.org
Fri Sep 26 03:46:46 BST 2025


Hi Simon,

On Mon, Jul 14, 2025 at 12:15:36PM +0100, Simon McVittie wrote:
> I think we should probably leave this unfixed in stable and LTS for now, 
> until we have a better idea of whether the regression is a real thing. 
> cc -lts to warn off the LTS team from doing anything overzealous for now.

From what I've read, the reporter couldn't reproduce the bug and asked
for it to be closed, the fix was unblocked and got into trixie and
enough time has passed now, right? Do you still think we should hold off
here for (now) oldstable and LTS?

> Since uploading the fixed version to unstable, we've had a report of a 
> regression, https://bugs.debian.org/1109199, which I forwarded upstream 
> as https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/262. I cannot 
> reproduce the regression, and the regression reporter has not provided 
> enough details to make it actionable - I suspect that they might have a 
> JPEG image containing very specific ICC data which triggers some related 
> bug. (Or it might be user error - who can say?)

Did you get any other regression reports in trixie, testing or unstable?
Anyway, I'll try the report's application to see if the bug is triggered
by the fix in bookworm and bullseye.

Cheers,
Charles


