Hi,

On 08/07/2026 16:41, Nicholas Guriev wrote:
Dear LTS Team,

Several flaws caused by C++ undefined behaviour in the rlottie package that I
maintain were reported as CVEs. rLottie is a platform-independent library for
rendering vector-based animations and art. Its format is used by Telegram
Desktop, the only reverse dependency in Debian.

I uploaded the fixes to these issues into unstable almost month ago.
Afterwards, I prepared the updates to trixie and bookworm. And now I propose to
apply the fixes to bullseye, the current LTS. Along with the fixes I have
backported other patches from newer releases that improve overall stability.

I pushed the changes to Salsa and, when CI built the package [1], tested it in
Debian 11.11 booted from Live ISO image in VirtualBox. No visual glitches were
seen on animated stickers in Telegram Desktop 4.6.5 from bullseye-backports.

You will find the complete debdiff attached to this email. Though, I think it
is difficult to read disparate patches from the debian/ folder, so I am also
attaching the difference in the upstream source tree with all patches applied.

  [1]: 
https://salsa.debian.org/debian/rlottie/-/jobs/9923623/artifacts/browse/debian/output/

Can you upload to bullseye-security?

Cheers,
Emilio

Reply via email to