Your message dated Sat, 21 Mar 2026 08:33:35 +0000
with message-id <[email protected]>
and subject line Bug#1128068: fixed in jpeg-xl 0.11.2-0.1
has caused the Debian Bug report #1128068,
regarding jpeg-xl: CVE-2025-12474
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1128068: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128068
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jpeg-xl
Version: 0.11.1-6
Severity: important
Tags: security upstream
Forwarded: https://github.com/libjxl/libjxl/pull/4495
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for jpeg-xl.
CVE-2025-12474[0]:
| A specially-crafted file can cause libjxl's decoder to read pixel
| data from uninitialized (but allocated) memory. This can be done by
| causing the decoder to reference an outside-image-bound area in
| subsequent patches. An incorrect optimization causes the decoder to
| omit populating those areas.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-12474
https://www.cve.org/CVERecord?id=CVE-2025-12474
[1] https://github.com/libjxl/libjxl/pull/4495
[2] https://github.com/libjxl/libjxl/commit/4523cf652f568f1fbb57bf9a10ae3caae785cd9f
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
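The CVE text above describes a decoder that keeps a padded pixel buffer, lets later patches reference pixels just outside the visible image, and, through a faulty optimization, never populates that border. The following C program is an added illustration of that defect class and of how a shadow map (the technique MemorySanitizer uses) detects it; it is not libjxl code, and every name in it (`Frame`, `frame_decode`, `frame_apply_patch`, `patch_result`) is a hypothetical toy model with constructed image content.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical toy model (not libjxl): a grayscale frame with a border of
 * `pad` pixels on each side. `init` is a shadow byte per pixel recording
 * whether the decoder ever wrote it, which is how a sanitizer would see it. */
typedef struct {
    size_t width, height;   /* visible image, in pixels */
    size_t pad;             /* border width on each side */
    size_t stride, rows;    /* allocated extent, including the border */
    uint8_t *px;            /* pixel bytes */
    uint8_t *init;          /* shadow: 1 once px[i] has been written */
} Frame;

/* (x, y) are image coordinates; the border lies at negative coordinates
 * and at coordinates >= width / height. */
static size_t frame_index(const Frame *f, long x, long y)
{
    return (size_t)(y + (long)f->pad) * f->stride + (size_t)(x + (long)f->pad);
}

static int frame_in_alloc(const Frame *f, long x, long y)
{
    return x >= -(long)f->pad && y >= -(long)f->pad &&
           x < (long)(f->width + f->pad) && y < (long)(f->height + f->pad);
}

static void frame_put(Frame *f, long x, long y, uint8_t v)
{
    size_t i = frame_index(f, x, y);
    f->px[i] = v;
    f->init[i] = 1;
}

/* "Decode" a constructed gradient. populate_border == 0 models the incorrect
 * optimization (border left as malloc returned it); 1 replicates edge pixels
 * into the border so every byte a patch may reference is defined. */
static int frame_decode(Frame *f, size_t w, size_t h, size_t pad, int populate_border)
{
    f->width = w; f->height = h; f->pad = pad;
    f->stride = w + 2 * pad; f->rows = h + 2 * pad;
    size_t n = f->stride * f->rows;
    f->px = malloc(n);
    f->init = calloc(n, 1);
    if (!f->px || !f->init) { free(f->px); free(f->init); return -1; }

    for (size_t y = 0; y < h; y++)
        for (size_t x = 0; x < w; x++)
            frame_put(f, (long)x, (long)y, (uint8_t)(16 * x + y)); /* constructed content */

    if (populate_border)
        for (long y = -(long)pad; y < (long)(h + pad); y++)
            for (long x = -(long)pad; x < (long)(w + pad); x++) {
                if (x >= 0 && y >= 0 && x < (long)w && y < (long)h) continue;
                long cx = x < 0 ? 0 : (x >= (long)w ? (long)w - 1 : x);
                long cy = y < 0 ? 0 : (y >= (long)h ? (long)h - 1 : y);
                frame_put(f, x, y, f->px[frame_index(f, cx, cy)]);
            }
    return 0;
}

static void frame_free(Frame *f) { free(f->px); free(f->init); }

/* Apply one patch: copy a bw x bh block from (sx, sy) to (dx, dy). The source
 * may legitimately touch the border, so only references outside the allocation
 * are rejected (-1). Returns how many source bytes the decoder never wrote,
 * i.e. the uninitialized reads a sanitizer would report. */
static long frame_apply_patch(Frame *f, long sx, long sy, long dx, long dy,
                              size_t bw, size_t bh)
{
    long ex = (long)bw - 1, ey = (long)bh - 1;
    if (!frame_in_alloc(f, sx, sy) || !frame_in_alloc(f, sx + ex, sy + ey) ||
        !frame_in_alloc(f, dx, dy) || !frame_in_alloc(f, dx + ex, dy + ey))
        return -1;
    long uninit = 0;
    for (size_t y = 0; y < bh; y++)
        for (size_t x = 0; x < bw; x++) {
            size_t s = frame_index(f, sx + (long)x, sy + (long)y);
            if (!f->init[s]) uninit++;
            frame_put(f, dx + (long)x, dy + (long)y, f->px[s]);
        }
    return uninit;
}

/* Scenario: a 4x4 image with a 2-pixel border and a 4x4 patch sourced at
 * (sx, sy). Sourced at (-2, -2), 12 of the 16 source pixels lie in the border. */
static long patch_result(int populate_border, long sx, long sy)
{
    Frame f;
    if (frame_decode(&f, 4, 4, 2, populate_border) != 0) return -1;
    long n = frame_apply_patch(&f, sx, sy, 0, 0, 4, 4);
    frame_free(&f);
    return n;
}

int main(void)
{
    printf("border unpopulated: %ld uninitialized source bytes\n", patch_result(0, -2, -2));
    printf("border populated:   %ld uninitialized source bytes\n", patch_result(1, -2, -2));
    printf("outside allocation: %ld (rejected)\n", patch_result(1, -3, -2));
    return 0;
}
```

The shadow map is the instrumentation, not the fix: the fix is the `populate_border` path (or equivalently clamping every patch reference to pixels the decoder has actually produced). Building a real decoder's test suite with `-fsanitize=memory` against a corpus of fuzzed files is the practical way to catch this class before release, since the unpopulated path compiles and runs without any visible error.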
--- Begin Message ---
Source: jpeg-xl
Source-Version: 0.11.2-0.1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
jpeg-xl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated jpeg-xl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 19 Mar 2026 13:38:01 +0200
Source: jpeg-xl
Architecture: source
Version: 0.11.2-0.1
Distribution: unstable
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1114914 1123400 1128067 1128068
Changes:
jpeg-xl (0.11.2-0.1) unstable; urgency=medium
.
* Non-maintainer upload.
* New upstream release.
- CVE-2025-12474: Decoder read from uninitialized (but allocated)
memory (Closes: #1128068)
- CVE-2026-1837: Decoder write to uninitialized unallocated memory
(Closes: #1128067)
* Disable a failing test. (Closes: #1123400)
* Increase the test timeout. (Closes: #1114914)
* Backport a loong64 FTBFS fix.
Checksums-Sha1:
2ec6464b3fad683caecb67b494cfa94363f3e886 3199 jpeg-xl_0.11.2-0.1.dsc
2acaf75909eea67cc7d861a9a918733d5f630db8 1882762 jpeg-xl_0.11.2.orig.tar.gz
15c94f80eb2d5b8511cbd94d54c48b836247f642 22548 jpeg-xl_0.11.2-0.1.debian.tar.xz
Checksums-Sha256:
24e0f11be1c7f6cf4e03fb4913a2fe4f04ec4970e561d3e2dbbd71e3aa7a28a7 3199 jpeg-xl_0.11.2-0.1.dsc
ab38928f7f6248e2a98cc184956021acb927b16a0dee71b4d260dc040a4320ea 1882762 jpeg-xl_0.11.2.orig.tar.gz
f31146cd85fd4a55142c5e5baccc9e0958a41565f06f1dcde2497abf1bbb518a 22548 jpeg-xl_0.11.2-0.1.debian.tar.xz
Files:
ac7efc4ee3f63559a68a670bb4f7db26 3199 graphics optional jpeg-xl_0.11.2-0.1.dsc
eda39db6e7a58b73be9124381862b9d1 1882762 graphics optional jpeg-xl_0.11.2.orig.tar.gz
3008a8ee3e667a63c5b609b77f2f8516 22548 graphics optional jpeg-xl_0.11.2-0.1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---