Your message dated Sat, 30 Aug 2025 12:50:15 +0000
with message-id <[email protected]>
and subject line Bug#1111614: fixed in retroarch 1.20.0+dfsg-3
has caused the Debian Bug report #1111614,
regarding retroarch: CVE-2025-9136
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1111614: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111614
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: retroarch
Version: 1.20.0+dfsg-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/libretro/RetroArch/pull/17555
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for retroarch.
CVE-2025-9136[0]:
| A flaw has been found in libretro RetroArch 1.18.0/1.19.0/1.20.0.
| This affects the function filestream_vscanf of the file
| libretro-common/streams/file_stream.c. This manipulation causes out-of-bounds
| read. The attack needs to be launched locally. Upgrading to version
| 1.21.0 mitigates this issue. It is recommended to upgrade the
| affected component.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-9136
    https://www.cve.org/CVERecord?id=CVE-2025-9136
[1] https://github.com/libretro/RetroArch/pull/17555
[2] https://github.com/libretro/RetroArch/commit/b0999db885a0f1530f0e968c7450a4f0aa624b65
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: retroarch
Source-Version: 1.20.0+dfsg-3
Done: Jonathan McDowell <[email protected]>
We believe that the bug you reported is fixed in the latest version of
retroarch, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonathan McDowell <[email protected]> (supplier of updated retroarch package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 30 Aug 2025 13:20:14 +0100
Source: retroarch
Architecture: source
Version: 1.20.0+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Games Team <[email protected]>
Changed-By: Jonathan McDowell <[email protected]>
Closes: 1111614
Changes:
retroarch (1.20.0+dfsg-3) unstable; urgency=medium
.
* Fix CVE-2025-9136 (out of bounds read) (Closes: 1111614)
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQSAYP1ALvrBQa1odmMPwJuF4mk8PAUCaLLvuwAKCRAPwJuF4mk8
PGiVAP9uEqwE1vh8QS/32W4nNgqm9tE3N7FYVYG5Q2Hv0YyhNQD+OA8hoZF2UN6Y
ELiwnPOO1/a45CRYqr1yRLa3mVoVXgA=
=13oZ
-----END PGP SIGNATURE-----
--- End Message ---