Your message dated Sat, 20 Dec 2025 16:32:08 +0000
with message-id <[email protected]>
and subject line Bug#1109341: fixed in rlottie 0.1+dfsg-4.2+deb13u1
has caused the Debian Bug report #1109341,
regarding rlottie: CVE-2025-0634 CVE-2025-53074 CVE-2025-53075
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1109341: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109341
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: rlottie
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for rlottie.
CVE-2025-0634[0]:
| Use After Free vulnerability in Samsung Open Source rLottie allows
| Remote Code Inclusion. This issue affects rLottie: V0.2.
https://github.com/Samsung/rlottie/pull/571
https://github.com/Samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9
CVE-2025-53074[1]:
| Out-of-bounds Read vulnerability in Samsung Open Source rLottie
| allows Overflow Buffers. This issue affects rLottie: V0.2.
https://github.com/Samsung/rlottie/pull/571
https://github.com/Samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9
CVE-2025-53075[2]:
| Improper Input Validation vulnerability in Samsung Open Source
| rLottie allows Path Traversal. This issue affects rLottie: V0.2.
https://github.com/Samsung/rlottie/pull/571
https://github.com/Samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-0634
https://www.cve.org/CVERecord?id=CVE-2025-0634
[1] https://security-tracker.debian.org/tracker/CVE-2025-53074
https://www.cve.org/CVERecord?id=CVE-2025-53074
[2] https://security-tracker.debian.org/tracker/CVE-2025-53075
https://www.cve.org/CVERecord?id=CVE-2025-53075
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: rlottie
Source-Version: 0.1+dfsg-4.2+deb13u1
Done: Thorsten Alteholz <[email protected]>
We believe that the bug you reported is fixed in the latest version of
rlottie, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thorsten Alteholz <[email protected]> (supplier of updated rlottie package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 25 Nov 2025 12:05:10 +0100
Source: rlottie
Architecture: source
Version: 0.1+dfsg-4.2+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Nicholas Guriev <[email protected]>
Changed-By: Thorsten Alteholz <[email protected]>
Closes: 1109341
Changes:
 rlottie (0.1+dfsg-4.2+deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2025-0634 (Closes: #1109341)
     CVE-2025-53074
     CVE-2025-53075
     Most patches to fix these issues are already part of:
       Fix-crash-on-invalid-data.patch
     The remaining boundary check is left in:
       CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch
     For the sake of completeness, the whole upstream patch
     for these CVEs is added in:
       CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch.org
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---