Hi,

As I've unfortunately missed this mail before I sent the update today, just a short heads-up that I'll check/incorporate the suggested changes.
On Fri, Nov 28, 2025 at 02:22:18PM +0100, Salvatore Bonaccorso wrote:
> Hi Tobias,
>
> On Tue, Nov 25, 2025 at 09:15:21PM +0100, Tobias Frost wrote:
> > Hi Salvatore,
> >
> > attached is the libpng debdiff for trixie.
> > The diff is also available on salsa:
> > https://salsa.debian.org/debian/libpng1.6/-/compare/debian%2F1.6.48-1...debian%2Ftrixie?from_project_id=26504
>
> Thanks for attaching the debdiff.
>
> > Salsa-CI is currently busy rebuilding all r-deps, I'll
> > check the results tomorrow (there will be builds running into timeouts,
> > I'll compile those locally as well.)
> >
> > (I'll also start working on bookworm asap, but didn't want to delay
> > sharing the trixie debdiff)
>
> Ok, please come back to us as well once you have it. We should release
> both updates at the same time for trixie-security and
> bookworm-security.
>
> > diff -Nru libpng1.6-1.6.48/debian/changelog libpng1.6-1.6.48/debian/changelog
> > --- libpng1.6-1.6.48/debian/changelog 2025-05-05 21:11:18.000000000 +0200
> > +++ libpng1.6-1.6.48/debian/changelog 2025-11-23 18:21:02.000000000 +0100
> > @@ -1,3 +1,15 @@
> > +libpng1.6 (1.6.48-1+deb13u1) trixie; urgency=medium
>
> This should be targeting trixie-security. The rest is ok, although
> I prefer to explicitly make it urgency=high (but it is not
> technically needed).
>
> > + * Security upload targeting trixie.
> > + * Backport fixes for:
> > + - CVE-2025-64505 - Heap buffer over-read (Closes: #1121219)
>
> I think we should have applied here first the upstream commit
> ea094764f343 ("Fix a memory leak in function `png_set_quantize`;
> refactor"). This affects directly the code which we are fixing and
> fixes a memory leak in png_set_quantize. It does not have a CVE
> afaict, but it might be worth applying before the CVE-2025-64505 fix
> as done in the upstream code, in particular because it is the same
> Samsung-PENTEST reporter discovering the issues with CVE assigned.
>
> Would you concur on this?
>
> > + - CVE-2025-64506 - Heap buffer over-read (Closes: #1121218)
> > + - CVE-2025-64720 - Heap buffer overflow (Closes: #1121217)
> > + - CVE-2025-65018 - Heap buffer overflow (Closes: #1121216)
>
> Those look good to me.
>
> > + * Set gbp.conf for trixie and enable salsa CI
>
> We usually do not do that, but there is clear benefit of running
> additional test coverage, so ok!
>
> Can you clarify on the above question surrounding CVE-2025-64505?
> Or is it too intrusive to backport to the 1.6.48 version in trixie?
>
> Additionally were you able to test the update against the published verifiers
> from the GHSAs?
>
> Regards,
> Salvatore
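Review bot: the changelog hunk names each CVE and its Debian bug but not the upstream commit each backport was taken from, so a reviewer of the debdiff (and whoever prepares the bookworm update) cannot map a `+ - CVE-...` line to the patch under debian/patches without opening every file. Suggest adding the upstream commit id to each entry, e.g. `+ - CVE-2025-64505 - Heap buffer over-read, upstream commit <id> (Closes: #1121219)` with the real id filled in, and, if the memory-leak commit ea094764f343 for `png_set_quantize` is applied first as proposed above, giving it its own line under `+ * Backport fixes for:` so the changelog records a fix that carries no CVE.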
