Your message dated Sat, 10 Jan 2026 11:52:34 +0000
with message-id <[email protected]>
and subject line Released with 13.3
has caused the Debian Bug report #1121433,
regarding trixie-pu: package rlottie/0.1+dfsg-4.2+deb13u1
to be marked as done.
--
1121433: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121433
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
User: [email protected]
Usertags: pu
The attached debdiff for rlottie fixes CVE-2025-0634, CVE-2025-53074 and
CVE-2025-53075 in Trixie. All CVEs are marked as no-dsa by the security
team.
The same patch has been uploaded to unstable and nobody has complained yet.
Actually, those CVEs have already been partially fixed by
Fix-crash-on-invalid-data.patch. Only one boundary check was left for
this upload.
Thorsten
diff -Nru rlottie-0.1+dfsg/debian/changelog rlottie-0.1+dfsg/debian/changelog
--- rlottie-0.1+dfsg/debian/changelog 2024-08-29 10:05:10.000000000 +0200
+++ rlottie-0.1+dfsg/debian/changelog 2025-11-25 12:05:10.000000000 +0100
@@ -1,3 +1,19 @@
+rlottie (0.1+dfsg-4.2+deb13u1) trixie; urgency=medium
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2025-0634 (Closes: #1109341)
+ CVE-2025-53074
+ CVE-2025-53075
+ Most patches to fix these issues are already part of:
+ Fix-crash-on-invalid-data.patch
+ The remaining boundary check is left in:
+ CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch
+ For the sake of completeness, the whole upstream patch
+ for these CVEs is added in:
+ CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch.org
+
+ -- Thorsten Alteholz <[email protected]> Tue, 25 Nov 2025 12:05:10 +0100
+
rlottie (0.1+dfsg-4.2) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru
rlottie-0.1+dfsg/debian/patches/CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch
rlottie-0.1+dfsg/debian/patches/CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch
---
rlottie-0.1+dfsg/debian/patches/CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch
1970-01-01 01:00:00.000000000 +0100
+++
rlottie-0.1+dfsg/debian/patches/CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch
2025-11-18 19:02:16.000000000 +0100
@@ -0,0 +1,30 @@
+From 507ea027e47d3e1dc7ddbd9994621215eae7ebb9 Mon Sep 17 00:00:00 2001
+From: Michal Maciola <[email protected]>
+Date: Thu, 15 May 2025 20:51:09 +0200
+Subject: [PATCH] Fix security vulnerabilities in Lottie file handling Add
+ validation checks to address potential vulnerabilities in case of a malicious
+ Lottie file
+
+Adds:
+- Type check for CompLayer() before casting to model::Layer
+- Bounds checking for Gradient::populate()
+- Frames vector empty check
+- Rejection of outliers
+---
+ src/vector/freetype/v_ft_raster.cpp | 5 +++++
+
+Index: rlottie-0.1+dfsg/src/vector/freetype/v_ft_raster.cpp
+===================================================================
+--- rlottie-0.1+dfsg.orig/src/vector/freetype/v_ft_raster.cpp 2025-11-07
12:19:43.655591929 +0100
++++ rlottie-0.1+dfsg/src/vector/freetype/v_ft_raster.cpp 2025-11-07
12:19:43.651591895 +0100
+@@ -550,6 +550,10 @@
+ dx = to_x - ras.x;
+ dy = to_y - ras.y;
+
++ if (SW_FT_ABS(dx) > 10000000 || SW_FT_ABS(dy) > 10000000) {
++ goto End;
++ }
++
+ fx1 = ras.x - SUBPIXELS(ex1);
+ fy1 = ras.y - SUBPIXELS(ey1);
+
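Review bot: The header of this trimmed patch still carries upstream's `src/vector/freetype/v_ft_raster.cpp | 5 +++++`, but its only hunk is the four-line `SW_FT_ABS(dx) > 10000000` guard in gray_render_line; the fifth upstream line, visible in the .patch.org copy, is `if (top >= 32) return; // levels size is 32` in gray_render_conic. Whether Fix-crash-on-invalid-data.patch already bounds `top` against the `levels` array cannot be seen from this debdiff, so that should be confirmed before relying on the statement that only one boundary check was left. The Adds list also names checks this file does not contain; I would replace it with a short DEP-3 style header saying this is a subset of upstream commit 507ea027e47d3e1dc7ddbd9994621215eae7ebb9, and add a comment above the guard such as `/* reject outlier deltas from malformed input; 10000000 is in the same units as dx/dy */`. gray_render_line starts and ends outside the hunk, including the `End` label the guard jumps to.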
diff -Nru
rlottie-0.1+dfsg/debian/patches/CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch.org
rlottie-0.1+dfsg/debian/patches/CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch.org
---
rlottie-0.1+dfsg/debian/patches/CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch.org
1970-01-01 01:00:00.000000000 +0100
+++
rlottie-0.1+dfsg/debian/patches/CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch.org
2025-11-18 19:02:16.000000000 +0100
@@ -0,0 +1,134 @@
+From 507ea027e47d3e1dc7ddbd9994621215eae7ebb9 Mon Sep 17 00:00:00 2001
+From: Michal Maciola <[email protected]>
+Date: Thu, 15 May 2025 20:51:09 +0200
+Subject: [PATCH] Fix security vulnerabilities in Lottie file handling Add
+ validation checks to address potential vulnerabilities in case of a malicious
+ Lottie file
+
+Adds:
+- Type check for CompLayer() before casting to model::Layer
+- Bounds checking for Gradient::populate()
+- Frames vector empty check
+- Rejection of outliers
+---
+ src/lottie/lottieitem.cpp | 1 +
+ src/lottie/lottiemodel.cpp | 15 ++++++++++++---
+ src/lottie/lottiemodel.h | 21 +++++++++++++--------
+ src/vector/freetype/v_ft_raster.cpp | 5 +++++
+ 4 files changed, 31 insertions(+), 11 deletions(-)
+
+diff --git a/src/lottie/lottieitem.cpp b/src/lottie/lottieitem.cpp
+index c5540f3f..c70f3273 100644
+--- a/src/lottie/lottieitem.cpp
++++ b/src/lottie/lottieitem.cpp
+@@ -479,6 +479,7 @@ renderer::CompLayer::CompLayer(model::Layer *layerModel,
VArenaAlloc *allocator)
+ // as lottie model keeps the data in front-toback-order.
+ for (auto it = mLayerData->mChildren.crbegin();
+ it != mLayerData->mChildren.rend(); ++it) {
++ if ((*it)->type() != model::Object::Type::Layer) continue;
+ auto model = static_cast<model::Layer *>(*it);
+ auto item = createLayerItem(model, allocator);
+ if (item) mLayers.push_back(item);
+diff --git a/src/lottie/lottiemodel.cpp b/src/lottie/lottiemodel.cpp
+index 1bca99d2..0f816f6f 100644
+--- a/src/lottie/lottiemodel.cpp
++++ b/src/lottie/lottiemodel.cpp
+@@ -250,11 +250,16 @@ void model::Gradient::populate(VGradientStops &stops,
int frameNo)
+ auto size = gradData.mGradient.size();
+ float * ptr = gradData.mGradient.data();
+ int colorPoints = mColorPoints;
+- if (colorPoints == -1) { // for legacy bodymovin (ref: lottie-android)
++ size_t colorPointsSize = colorPoints * 4;
++ if (!ptr) return;
++ if (colorPoints < 0 || colorPointsSize > size) { // for legacy bodymovin
(ref: lottie-android)
+ colorPoints = int(size / 4);
+ }
+- auto opacityArraySize = size - colorPoints * 4;
+- float *opacityPtr = ptr + (colorPoints * 4);
++ auto opacityArraySize = size - colorPointsSize;
++ if (opacityArraySize % 2 != 0) {
++ opacityArraySize = 0;
++ }
++ float *opacityPtr = ptr + colorPointsSize;
+ stops.clear();
+ for (int i = 0; i < colorPoints; i++) {
+ float colorStop = ptr[0];
+@@ -267,6 +272,10 @@ void model::Gradient::populate(VGradientStops &stops, int
frameNo)
+ }
+ ptr += 4;
+ }
++
++ if (stops.empty()) {
++ stops.push_back(std::make_pair(0.0f, VColor(255, 255, 255, 255)));
++ }
+ }
+
+ float model::Gradient::getOpacityAtPosition(float *opacities, size_t
opacityArraySize, float position)
+diff --git a/src/lottie/lottiemodel.h b/src/lottie/lottiemodel.h
+index 1e66ff15..c51cc4a2 100644
+--- a/src/lottie/lottiemodel.h
++++ b/src/lottie/lottiemodel.h
+@@ -239,20 +239,23 @@ class KeyFrames {
+
+ T value(int frameNo) const
+ {
+- if (frames_.front().start_ >= frameNo)
+- return frames_.front().value_.start_;
+- if (frames_.back().end_ <= frameNo) return frames_.back().value_.end_;
+-
+- for (const auto &keyFrame : frames_) {
+- if (frameNo >= keyFrame.start_ && frameNo < keyFrame.end_)
+- return keyFrame.value(frameNo);
++ if (!frames_.empty()) {
++ if (frames_.front().start_ >= frameNo)
++ return frames_.front().value_.start_;
++ if (frames_.back().end_ <= frameNo) return
frames_.back().value_.end_;
++
++ for (const auto &keyFrame : frames_) {
++ if (frameNo >= keyFrame.start_ && frameNo < keyFrame.end_)
++ return keyFrame.value(frameNo);
++ }
+ }
+ return {};
+ }
+
+ float angle(int frameNo) const
+ {
+- if ((frames_.front().start_ >= frameNo) ||
++ if (frames_.empty() ||
++ (frames_.front().start_ >= frameNo) ||
+ (frames_.back().end_ <= frameNo))
+ return 0;
+
+@@ -265,6 +268,8 @@ class KeyFrames {
+
+ bool changed(int prevFrame, int curFrame) const
+ {
++ if (frames_.empty()) return false;
++
+ auto first = frames_.front().start_;
+ auto last = frames_.back().end_;
+
+diff --git a/src/vector/freetype/v_ft_raster.cpp
b/src/vector/freetype/v_ft_raster.cpp
+index e48ad1b1..24b0d427 100644
+--- a/src/vector/freetype/v_ft_raster.cpp
++++ b/src/vector/freetype/v_ft_raster.cpp
+@@ -537,6 +537,10 @@ static void gray_render_line(RAS_ARG_ TPos to_x, TPos
to_y)
+ dx = to_x - ras.x;
+ dy = to_y - ras.y;
+
++ if (SW_FT_ABS(dx) > 10000000 || SW_FT_ABS(dy) > 10000000) {
++ goto End;
++ }
++
+ fx1 = ras.x - SUBPIXELS(ex1);
+ fy1 = ras.y - SUBPIXELS(ey1);
+
+@@ -707,6 +711,7 @@ static void gray_render_conic(RAS_ARG_ const SW_FT_Vector*
control,
+ gray_split_conic(arc);
+ arc += 2;
+ top++;
++ if (top >= 32) return; // levels size is 32
+ levels[top] = levels[top - 1] = level - 1;
+ continue;
+ }
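Review bot: In the Gradient::populate hunk, `colorPointsSize` is computed from `colorPoints` before the fallback and is not recomputed after `colorPoints = int(size / 4);`, so `size - colorPointsSize` and `ptr + colorPointsSize` still use the rejected value. For the legacy `-1` case the `int` product is converted to a very large `size_t`, and in the oversized case the subtraction wraps, so the opacity pointer and length are not constrained by the new check. Adding `colorPointsSize = size_t(colorPoints) * 4;` as the last statement inside the fallback branch would keep both derived values inside the buffer. This file is not listed in debian/patches/series, so the point matters to the extent that Fix-crash-on-invalid-data.patch, which is not visible here, carries the same lines; populate's body starts and ends outside the hunk.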
diff -Nru rlottie-0.1+dfsg/debian/patches/series
rlottie-0.1+dfsg/debian/patches/series
--- rlottie-0.1+dfsg/debian/patches/series 2024-08-29 10:05:10.000000000
+0200
+++ rlottie-0.1+dfsg/debian/patches/series 2025-11-18 19:02:45.000000000
+0100
@@ -25,3 +25,5 @@
No-deadlock.patch
Atomic-render.patch
fix-static-variable-delete.patch
+
+CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.3

This update has been released as part of Debian 13.3.
--- End Message ---