Debian Bug report logs -
#1121041
bookworm-pu: package gdk-pixbuf/2.42.10+dfsg-1+deb12u3
Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;
Affects: src:gdk-pixbuf
Reported by: Carlos Henrique Lima Melara <charles@debian.org>
Date: Thu, 20 Nov 2025 01:35:01 UTC
Severity: normal
Tags: bookworm, pending
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org> (release.debian.org for {1121041}), gdk-pixbuf@packages.debian.org (additional cc recipient for {1121041}):
Bug#1121041; Package release.debian.org.
(Thu, 20 Nov 2025 01:35:02 GMT)
Acknowledgement sent to Carlos Henrique Lima Melara <charles@debian.org>:
New Bug report received and forwarded. Copy sent to gdk-pixbuf@packages.debian.org, debian-release@lists.debian.org.
(Thu, 20 Nov 2025 01:35:02 GMT)
Message #5 received at submit@bugs.debian.org:
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: gdk-pixbuf@packages.debian.org
Control: affects -1 + src:gdk-pixbuf
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

[ Reason ]
The reason for the bookworm-pu bug is CVE-2025-7345 [1][2] which is a potential buffer overflow. The fix was applied already in sid, trixie, bullseye and other ELTS releases with no reports of regressions but one in testing [3] before the release of trixie. After further communication with the reporter, it was dismissed as probably an inconsistent environment on their side. The reported regression was unreproducible in trixie, bullseye and also bookworm (tested in a clean VM with multiple gnome software).

[ Impact ]
We have a pending CVE and a potential buffer overflow in bookworm.

[ Tests ]
I have manually reproduced the reported ASAN overflow in bookworm and also verified the patch fixed it. The package's autopkgtest was run and passes without regressions. I have also uploaded it to debusine.d.n [4] to check rdep autopkgtests using the fixed version and no new failures showed up when comparing to the version currently in bookworm [5].

[ Risks ]
The patch is pretty trivial: it makes sure there is enough space allocated without blindly trusting what the image headers say and bails out if there isn't enough space. For a correctly defined jpeg image, there shouldn't be any impact since the headers wouldn't lie.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Cherry pick of the patch fixing the CVE, the explanation for it is in the Risks section. Aside from that, there are some changes to add salsa-ci and enable the full coverage of it, which includes marking a second test as flaky when running salsa-ci. Also, switch to debian/bookworm in gbp.conf.

[ Other info ]
Although the last two changes mentioned in the Changes section don't impact the archive, they do provide more comfort and assurance before uploading so I think it's worth keeping them. If Stable Release Managers prefer to not have them, please let me know.

Cheers,
Charles

[1] https://security-tracker.debian.org/tracker/CVE-2025-7345
[2] https://bugs.debian.org/1109262
[3] https://bugs.debian.org/1109199
[4] https://debusine.debian.net/debian/developers/work-request/197302/
[5] https://debusine.debian.net/debian/developers/work-request/197416/
[gdk-pixbuf_2.42.10+dfsg-1+deb12u3.diff (text/x-diff, attachment)]
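The "[ Risks ]" section of the message above describes the shape of the fix: work out how much space the image header implies, compare that against what was actually allocated, and bail out when the header promises more than the buffer holds. The C program below is an added illustration of that pattern written for this page; it is not gdk-pixbuf's code and does not reproduce the actual patch. The header struct, the function names and the return codes are hypothetical, and the sample inputs are constructed. It also shows the one subtlety such checks need: the width*height*channels product must be tested for size_t overflow before it is compared with the allocation, or a wrapped product can make an oversized header look like it fits.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, constructed header: the sizes an image file *claims*.
 * Nothing here mirrors gdk-pixbuf's real structures. */
typedef struct {
    size_t width;     /* pixels per row, as declared by the file */
    size_t height;    /* rows, as declared by the file */
    size_t channels;  /* bytes per pixel, as declared by the file */
} img_header_t;

/* Hypothetical return codes for the checked decode path. */
enum {
    IMG_OK            = 0,
    IMG_ERR_OVERFLOW  = -1,  /* width*height*channels does not fit in size_t */
    IMG_ERR_TOO_SMALL = -2,  /* destination buffer smaller than the header implies */
    IMG_ERR_TRUNCATED = -3   /* input shorter than the header implies */
};

/* Bytes per row implied by the header, refusing to overflow size_t.
 * An overflowing product would wrap to a small number and make the
 * later "does it fit?" comparison pass when it should fail. */
static int header_row_bytes(const img_header_t *h, size_t *row)
{
    if (h->width != 0 && h->channels > SIZE_MAX / h->width)
        return IMG_ERR_OVERFLOW;
    *row = h->width * h->channels;
    return IMG_OK;
}

/* Checked copy: every byte the header promises must fit in dst (and be
 * present in src) before anything is written; otherwise bail out. */
int copy_pixels_checked(const img_header_t *h,
                        const uint8_t *src, size_t src_len,
                        uint8_t *dst, size_t dst_cap)
{
    size_t row, total;
    int rc = header_row_bytes(h, &row);
    if (rc != IMG_OK)
        return rc;
    /* height * row > dst_cap, written so the product cannot overflow */
    if (row != 0 && h->height > dst_cap / row)
        return IMG_ERR_TOO_SMALL;
    total = row * h->height;
    if (total > src_len)
        return IMG_ERR_TRUNCATED;
    memcpy(dst, src, total);
    return IMG_OK;
}

/* Runs one constructed case against fixed scratch buffers and returns the
 * result code, so the outcome can be checked rather than only printed. */
int run_case(size_t w, size_t hgt, size_t c, size_t src_len, size_t dst_cap)
{
    static uint8_t src[64];   /* constructed input; contents are irrelevant */
    static uint8_t dst[64];
    img_header_t h = { w, hgt, c };
    if (src_len > sizeof src || dst_cap > sizeof dst)
        return IMG_ERR_TOO_SMALL;  /* keep the scratch buffers themselves in bounds */
    return copy_pixels_checked(&h, src, src_len, dst, dst_cap);
}

int main(void)
{
    /* A header that tells the truth about a 24-byte allocation: accepted. */
    printf("4x2x3 into 24 bytes:        %d\n", run_case(4, 2, 3, 24, 24));        /* 0  */
    /* A header claiming one row more than the allocation holds: rejected. */
    printf("4x3x3 into 24 bytes:        %d\n", run_case(4, 3, 3, 36, 24));        /* -2 */
    /* A header larger than the data actually present: rejected. */
    printf("4x2x3 with 10 input bytes:  %d\n", run_case(4, 2, 3, 10, 24));        /* -3 */
    /* Dimensions whose product wraps size_t: rejected before any comparison. */
    printf("SIZE_MAX x 1 x 2:           %d\n", run_case(SIZE_MAX, 1, 2, 64, 64)); /* -1 */
    return 0;
}
```

The check is ordered deliberately: the overflow test on the row product comes first, the capacity test is expressed as a division so it cannot overflow either, and only then is the input length compared, so no code path reaches memcpy with a size the buffers cannot hold.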
Added indication that 1121041 affects src:gdk-pixbuf
Request was from Carlos Henrique Lima Melara <charles@debian.org> to submit@bugs.debian.org.
(Thu, 20 Nov 2025 01:35:02 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org> (release.debian.org for {1121041}):
Bug#1121041; Package release.debian.org.
(Sat, 06 Dec 2025 15:51:01 GMT)
Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to debian-release@lists.debian.org.
(Sat, 06 Dec 2025 15:51:01 GMT)
Message #12 received at 1121041@bugs.debian.org:
Control: tags -1 + confirmed

On Wed, 2025-11-19 at 22:34 -0300, Carlos Henrique Lima Melara wrote:
> [ Reason ]
>
> The reason for the bookworm-pu bug is CVE-2025-7345 [1][2] which is a
> potential buffer overflow.

Please go ahead.

Regards,

Adam
Added tag(s) confirmed.
Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to 1121041-submit@bugs.debian.org.
(Sat, 06 Dec 2025 15:51:01 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org> (release.debian.org for {1121041}):
Bug#1121041; Package release.debian.org.
(Sat, 06 Dec 2025 20:53:02 GMT)
Acknowledgement sent to Carlos Henrique Lima Melara <charles@debian.org>:
Extra info received and forwarded to list. Copy sent to debian-release@lists.debian.org.
(Sat, 06 Dec 2025 20:53:02 GMT)
Message #19 received at 1121041@bugs.debian.org:
Hi Adam,

On Sat, Dec 06, 2025 at 03:48:09PM +0000, Adam D. Barratt wrote:
>
> On Wed, 2025-11-19 at 22:34 -0300, Carlos Henrique Lima Melara wrote:
> > [ Reason ]
> >
> > The reason for the bookworm-pu bug is CVE-2025-7345 [1][2] which is a
> > potential buffer overflow.
>
> Please go ahead.

Thanks and uploaded.

Cheers,
Charles
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org> (release.debian.org for {1121041}):
Bug#1121041; Package release.debian.org.
(Sun, 07 Dec 2025 17:09:05 GMT)
Acknowledgement sent to Adam D Barratt <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to debian-release@lists.debian.org.
(Sun, 07 Dec 2025 17:09:05 GMT)
Message #24 received at 1121041@bugs.debian.org:
package release.debian.org
tags 1121041 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: gdk-pixbuf
Version: 2.42.10+dfsg-1+deb12u3

Explanation: fix buffer overflow issue [CVE-2025-7345]
Added tag(s) pending; removed tag(s) confirmed.
Request was from Adam D Barratt <adam@adam-barratt.org.uk> to control@bugs.debian.org.
(Sun, 07 Dec 2025 17:09:10 GMT)
Message sent on to Carlos Henrique Lima Melara <charles@debian.org>:
Bug#1121041.
(Sun, 07 Dec 2025 17:09:28 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Dec 26 16:44:27 2025; Machine Name: berlioz