Hi Salvatore, trixie / bookworm versions uploaded.
-- Cheers, tobi On Sun, Nov 30, 2025 at 08:44:10PM +0100, Salvatore Bonaccorso wrote: > Hi Tobias, > > On Sun, Nov 30, 2025 at 06:44:41PM +0100, Tobias Frost wrote: > > On Fri, Nov 28, 2025 at 02:22:18PM +0100, Salvatore Bonaccorso wrote: > > > Hi Tobias, > > > > > > On Tue, Nov 25, 2025 at 09:15:21PM +0100, Tobias Frost wrote: > > > > Hi Salvatore, > > > > > > > > attached is the libpng debdiff for trixie. > > > > The diff is also available on salsa: > > > > https://salsa.debian.org/debian/libpng1.6/-/compare/debian%2F1.6.48-1...debian%2Ftrixie?from_project_id=26504 > > > > > > Thanks for attaching the debdiff. > > > > > > > Salsa-CI is currently busy rebuilding all r-deps, I'll > > > > check the results tomorrow (there will be builds running into timeouts, > > > > I'll compile those locally as well.) > > > > > > > > (I'll also start working on bookworm asap, but didn't want to delay > > > > sharing the trixie debdiff) > > > > > > Ok, please come back to us as well once you have it. We should release > > > both updates at the same time for trixie-security and > > > bookworm-security. > > > > > > > > > > diff -Nru libpng1.6-1.6.48/debian/changelog > > > > libpng1.6-1.6.48/debian/changelog > > > > --- libpng1.6-1.6.48/debian/changelog 2025-05-05 21:11:18.000000000 > > > > +0200 > > > > +++ libpng1.6-1.6.48/debian/changelog 2025-11-23 18:21:02.000000000 > > > > +0100 > > > > @@ -1,3 +1,15 @@ > > > > +libpng1.6 (1.6.48-1+deb13u1) trixie; urgency=medium > > > > > > This should be targetting trixie-security. The rest is ok, although > > > for I prefer to make explitily a urgency=high (but it is not > > > technically needed). > > > > fixed the suite. > > Thanks. > > > > > + * Security upload targeting trixie. > > > > + * Backport fixes for: > > > > + - CVE-2025-64505 - Heap buffer over-read (Closes: #1121219) > > > > > > I think we should have applied here first the upstream commit > > > ea094764f343 ("Fix a memory leak in function `png_set_quantize`; > > > refactor"). This affect directly the code which we are fixing and > > > fixes a memory leak in png_set_quantize. It does not have a CVE > > > afaict, but it might be worth applying before the CVE-2025-64505 fix > > > as done in the upstream code, in particular because it is the same > > > Samsung-PENTEST reporter discovering the issues with CVE assigned. > > > > Well, > > https://github.com/pnggroup/libpng/security/advisories/GHSA-4952-h5wq-4m42 > > tells commit 6a528eb is the fix for the CVE, which is what I've applied. > > > > The memory leak is not related to the CVE. As the discusison in the > > upstream PR #748 shows, png_quantitize *should* only be called once > > anyways; only subsequent calls will leak 256 bytes of memory. > > > > On top of the memory-leak-fix, ea094764f343 has additional refactoring, > > namely eliminating the struct member png_structrp->quantize_sort, so the > > effective fix is adding this line: > > png_free(png_ptr, png_ptr->quantize_index); > > All other lines in this commit are refactoring. > > > > So certainly we can have this commit in the update, if you prefer > > that; I'd prefer at least not to have the refactoring bits, even if the > > code is straight forward. > > Yes I'm aware it is not part of the respective CVE fix, but it was > directly related to another (diffrent), rather more negligible > security issue, and it makes the other fix directly applicaple, so I > was aksing about your opinion. > > If you feel more conformtable without, then let's to that (I in fact > tried to cross check what other did, but apparently e.g. Ubuntu did > not yet update, and other neither. So let's keep your oginal propsed > one. > > > > Can you clarify on the above question surrounding CVE-2025-64505? > > > Or is it too intrusive to backport to the 1.6.48 version in trixie? > > > > > > Additionally were you able the update against the published verfiers > > > form the GHSAs? > > > > I was able to check against the pocs for 505 and 506 (as attached to > > upstream issues 688 and 691) and after the updateI couldn't trigger them > > anymore. I was not able to get the poc for 65018 compiled. > > Ok perfect, thank you. Please go ahead with the uploads to > security-master, both built with -sa and have fixed target suite. > > I will then take care of the DSA release once things are ready. > > Regards, > Salvatore
signature.asc
Description: PGP signature
