There is no CVE or anything else, just the PR. I checked Mapnik and it looks like it might be affected; I have already notified the maintainer.
Jochen

On Wed, Jul 16, 2025 at 12:43:33PM +0200, Sebastiaan Couwenberg wrote:
> Date: Wed, 16 Jul 2025 12:43:33 +0200
> From: Sebastiaan Couwenberg <sebas...@xs4all.nl>
> To: Jochen Topf <joc...@remote.org>, debian-gis@lists.debian.org
> Subject: Re: Security fix in Protozero
>
> On 7/16/25 9:31 AM, Jochen Topf wrote:
> > Yesterday I released version 1.8.1 of protozero. It basically only
> > contains a security fix (buffer overrun). It would be good if we can get
> > this into Trixie.
>
> Is there a CVE or other reference?
>
> Neither the commit [0] nor the PR [1] mentioned these.
>
> [0] https://github.com/mapbox/protozero/commit/72802a4ffe7fbf2fba75f316da4531d2561f7eea
> [1] https://github.com/mapbox/protozero/pull/133
>
> > The way I am using protozero in my code (libosmium etc.) this bug can
> > not be triggered, but it might affect others.
>
> The other rdeps of protozero in Debian are mapnik & qtlocation-opensource-src.
>
> Kind Regards,
>
> Bas
>
> --
> GPG Key ID: 4096R/6750F10AE88D4AF1
> Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1

--
Jochen Topf joc...@remote.org https://www.jochentopf.com/ +49-351-31778688