From atzlinux at sina.com Mon Jun 1 04:52:41 2026
From: atzlinux at sina.com (xiao sheng wen (肖盛文))
Date: Mon, 1 Jun 2026 11:52:41 +0800
Subject: Bug#1138575: jpeg-xl: CVE-2025-70103
In-Reply-To: <178025445978.831712.4238070275982601323.reportbug@eldamar.lan>
References: <178025445978.831712.4238070275982601323.reportbug@eldamar.lan>
Message-ID: <27f79f3c-02d6-4857-bcac-4ccf5c022089@sina.com>

Hi,

On 2026/6/1 03:07, Salvatore Bonaccorso wrote:
> Source: jpeg-xl
> Version: 0.11.2-5
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/libjxl/libjxl/issues/4337
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team
>
> Hi,
>
> The following vulnerability was published for jpeg-xl.
>
> CVE-2025-70103[0]:
> | Heap buffer overflow vulnerability in libjxl 0.12.0 via crafted PBM
> | images to the jxl::extras::DecodeImagePNM function in file
> | lib/extras/dec/pnm.cc.

libjxl upstream has not released version 0.12.0 yet, so why is this CVE recorded against an unreleased version? Should it be recorded against the released version 0.11.2?

>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2025-70103
> https://www.cve.org/CVERecord?id=CVE-2025-70103
> [1] https://github.com/libjxl/libjxl/issues/4337
> [2] https://www.openwall.com/lists/oss-security/2026/05/30/7
> [3] https://github.com/libjxl/libjxl/pull/4380
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
>

Regards,

--
肖盛文 xiao sheng wen
--
Debian Developer(atzlinux)
Debian QA page: https://qa.debian.org/developer.php?login=atzlinux%40debian.org
GnuPG Public Key: 0x00186602339240CB
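The CVE text above names the class of bug (a heap buffer overflow reached through a crafted PBM file in the PNM decoder) but not the check that prevents it. The following is an added illustration, not code from libjxl, from lib/extras/dec/pnm.cc, or from the fix in the linked pull request: a defensive header parser for binary PNM (P4 PBM, P5 PGM, P6 PPM) that validates the declared width, height and maxval against the bytes actually present before any pixel data is read, and computes the expected payload size with explicit overflow checks. The names `ParsePnmHeader`, `PnmHeader`, `PnmStatus` and the `kMaxDim` dimension cap are assumptions made for this example.

```cpp
// Added example (not libjxl code): a defensive header parser for binary
// PNM (P4 PBM / P5 PGM / P6 PPM). It validates the declared geometry
// against the bytes actually present so that a decoder never reads pixel
// data past the end of the input buffer.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

enum class PnmStatus { kOk, kBadMagic, kBadHeader, kDimensionOverflow, kTruncated };

struct PnmHeader {
  int type = 0;              // 4, 5 or 6
  uint64_t width = 0;
  uint64_t height = 0;
  uint64_t maxval = 1;       // always 1 for P4
  size_t data_offset = 0;    // first byte of the pixel payload
  size_t payload_bytes = 0;  // bytes the payload must contain
};

namespace {
// Skips whitespace and '#' comments; returns false if the input ended.
bool SkipWs(const std::vector<uint8_t>& d, size_t* pos) {
  while (*pos < d.size()) {
    uint8_t c = d[*pos];
    if (c == '#') {
      while (*pos < d.size() && d[*pos] != '\n') ++*pos;
    } else if (c == ' ' || c == '\t' || c == '\r' || c == '\n') {
      ++*pos;
    } else {
      return true;
    }
  }
  return false;
}

// Parses an unsigned decimal field, refusing values above `limit` so the
// accumulator itself can never overflow.
bool ReadUint(const std::vector<uint8_t>& d, size_t* pos, uint64_t limit, uint64_t* out) {
  if (!SkipWs(d, pos) || d[*pos] < '0' || d[*pos] > '9') return false;
  uint64_t v = 0;
  while (*pos < d.size() && d[*pos] >= '0' && d[*pos] <= '9') {
    v = v * 10 + (d[*pos] - '0');
    if (v > limit) return false;
    ++*pos;
  }
  *out = v;
  return true;
}
}  // namespace

PnmStatus ParsePnmHeader(const std::vector<uint8_t>& d, PnmHeader* h) {
  if (d.size() < 2 || d[0] != 'P' || d[1] < '4' || d[1] > '6') return PnmStatus::kBadMagic;
  h->type = d[1] - '0';
  size_t pos = 2;
  // kMaxDim is a hypothetical policy cap chosen for this example, not a
  // format rule; it keeps the size arithmetic below far from overflow.
  const uint64_t kMaxDim = 1u << 30;
  if (!ReadUint(d, &pos, kMaxDim, &h->width) || !ReadUint(d, &pos, kMaxDim, &h->height))
    return PnmStatus::kBadHeader;
  if (h->width == 0 || h->height == 0) return PnmStatus::kBadHeader;
  if (h->type != 4) {
    if (!ReadUint(d, &pos, 65535, &h->maxval) || h->maxval == 0) return PnmStatus::kBadHeader;
  }
  // Exactly one whitespace byte separates the header from the payload.
  if (pos >= d.size() || !(d[pos] == ' ' || d[pos] == '\t' || d[pos] == '\r' || d[pos] == '\n'))
    return PnmStatus::kBadHeader;
  h->data_offset = ++pos;

  // Payload size: P4 packs 8 pixels per byte per row; P5/P6 use 1 or 2
  // bytes per sample depending on maxval. Checked multiplication is kept
  // even though kMaxDim already rules out overflow at these sizes.
  uint64_t row_bytes;
  if (h->type == 4) {
    row_bytes = (h->width + 7) / 8;
  } else {
    uint64_t bytes_per_sample = h->maxval > 255 ? 2 : 1;
    uint64_t channels = h->type == 6 ? 3 : 1;
    row_bytes = h->width * channels * bytes_per_sample;
  }
  if (row_bytes != 0 && h->height > UINT64_MAX / row_bytes) return PnmStatus::kDimensionOverflow;
  uint64_t total = row_bytes * h->height;
  if (total > SIZE_MAX) return PnmStatus::kDimensionOverflow;
  h->payload_bytes = static_cast<size_t>(total);

  // Reject files whose declared geometry exceeds the bytes present.
  if (d.size() - h->data_offset < h->payload_bytes) return PnmStatus::kTruncated;
  return PnmStatus::kOk;
}

// Convenience wrapper so an in-memory file image can be passed as a string.
PnmStatus ParsePnmString(const std::string& s, PnmHeader* h) {
  return ParsePnmHeader(std::vector<uint8_t>(s.begin(), s.end()), h);
}
```

A decoder built on this would allocate its output buffer from `payload_bytes` and copy at most that many bytes starting at `data_offset`; the `kTruncated` result is what turns a short file with large declared dimensions into a clean error instead of an out-of-bounds read.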
From noreply at release.debian.org Mon Jun 1 05:39:06 2026
From: noreply at release.debian.org (Debian testing watch)
Date: Mon, 01 Jun 2026 04:39:06 +0000
Subject: feh 3.12.2-1 MIGRATED to testing

FYI: The status of the feh source package
in Debian's testing distribution has changed.

  Previous version: 3.12.1-1
  Current version:  3.12.2-1

--
This email is automatically generated once a day. As the installation
of new packages into testing happens multiple times a day you will
receive later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.