Your message dated Thu, 04 Jun 2026 17:47:15 +0000
with message-id <[email protected]>
and subject line Bug#1138779: fixed in thorvg 1.0.6+dfsg-1
has caused the Debian Bug report #1138779,
regarding thorvg: CVE-2026-45729
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1138779: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138779
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: thorvg
Version: 1.0.3+dfsg2-4
Severity: grave
Tags: security upstream
Forwarded: https://github.com/thorvg/thorvg/pull/4387
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for thorvg.

CVE-2026-45729[0]:
| Thor Vector Graphics (ThorVG) is a production-ready vector graphics
| engine. Prior to version 1.0.5, a null pointer dereference in
| SvgLoader::run() allows any caller that passes untrusted SVG data to
| Picture::load() to crash the process with a 6-byte payload. This
| issue has been patched in version 1.0.5.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-45729
    https://www.cve.org/CVERecord?id=CVE-2026-45729
[1] https://github.com/thorvg/thorvg/pull/4387
[2] https://github.com/thorvg/thorvg/security/advisories/GHSA-f863-8ghq-7h64
[3] https://github.com/thorvg/thorvg/commit/599db59600aefab904fc8465bd86ac29e1de168c

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: thorvg
Source-Version: 1.0.6+dfsg-1
Done: Jongmin Kim <[email protected]>

We believe that the bug you reported is fixed in the latest version of
thorvg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jongmin Kim <[email protected]> (supplier of updated thorvg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 05 Jun 2026 01:46:38 +0900
Source: thorvg
Architecture: source
Version: 1.0.6+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Jongmin Kim <[email protected]>
Changed-By: Jongmin Kim <[email protected]>
Closes: 1138779
Changes:
 thorvg (1.0.6+dfsg-1) unstable; urgency=high
 .
   * New upstream release 1.0.6, fixing CVE-2026-45729 (Closes: #1138779)
   * Update symbols to 1.0.6
   * Revise renamed path in copyright
   * Revise to new backend engines: 'cpu,gl'
   * Revise the list of non-free files
   * Remove applied patch: replace-path-max
   * Refresh patch for updated upstream release



--- End Message ---
