Bug#1138575: jpeg-xl: CVE-2025-70103

xiao sheng wen(肖盛文) atzlinux at sina.com
Mon Jun 1 04:52:41 BST 2026


Hi,

On 2026/6/1 03:07, Salvatore Bonaccorso wrote:
> Source: jpeg-xl
> Version: 0.11.2-5
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/libjxl/libjxl/issues/4337
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> 
> Hi,
> 
> The following vulnerability was published for jpeg-xl.
> 
> CVE-2025-70103[0]:
> | Heap buffer overflow vulnerability in libjxl 0.12.0 via crafted PBM
> | images to the jxl::extras::DecodeImagePNM function in file
> | lib/extras/dec/pnm.cc.

The libjxl upstream has not released version 0.12.0 yet,
so why record this CVE against an unreleased version?

Should it be recorded against the released version 0.11.2?

> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2025-70103
>     https://www.cve.org/CVERecord?id=CVE-2025-70103
> [1] https://github.com/libjxl/libjxl/issues/4337
> [2] https://www.openwall.com/lists/oss-security/2026/05/30/7
> [3] https://github.com/libjxl/libjxl/pull/4380
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore
> 

Regards,

-- 
肖盛文 xiao sheng wen -- Debian Developer(atzlinux)
Debian QA page: https://qa.debian.org/developer.php?login=atzlinux%40debian.org
GnuPG Public Key: 0x00186602339240CB
