Your message dated Sat, 10 Jan 2026 11:59:45 +0000
with message-id <[email protected]>
and subject line Released with 12.13
has caused the Debian Bug report #1121041,
regarding bookworm-pu: package gdk-pixbuf/2.42.10+dfsg-1+deb12u3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1121041: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121041
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:gdk-pixbuf
User: [email protected]
Usertags: pu
Hi,
[ Reason ]
The reason for the bookworm-pu bug is CVE-2025-7345 [1][2] which is a
potential buffer overflow. The fix was applied already in sid, trixie,
bullseye and other ELTS releases with no reports of regressions but one
in testing [3] before the release of trixie. After further communication
with the reporter, it was dismissed as probably an inconsistent
environment on their side. The reported regression was unreproducible in
trixie, bullseye and also bookworm (tested in a clean VM with multiple
gnome software).
[ Impact ]
We have a pending CVE and a potential buffer overflow in bookworm.
[ Tests ]
I have manually reproduced the reported ASAN overflow in bookworm and
also verified the patch fixed it. The package's autopkgtest was run and
passes without regressions. I have also uploaded it to debusine.d.n [4]
to check rdep autopkgtests using the fixed version and no new failures
showed up when comparing to the version currently in bookworm [5].
[ Risks ]
The patch is pretty trivial, it makes sure there is enough space
allocated without bindly trusting what the image headers say and bails
out if there isn't enough space. For a correctly defined jpeg image,
there shouldn't be any impact since the headers wouldn't lie.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Cherry pick of the patch fixing the CVE, the explanation for it is in
Risks section. Aside from that, there are some changes to add
salsa-ci and enable the full coverage of it, which includes marking a
second test as flaky when running salsa-ci. Also, switch to
debian/bookworm in gbp.conf.
[ Other info ]
Although the last two changes mentioned in Changes section don't impact
the archive, they do provide more comfort and assurance before uploading
so I think it's worth to keep them. If Stable Release Managers prefer to
not have them, please let me know.
Cheers,
Charles
[1] https://security-tracker.debian.org/tracker/CVE-2025-7345
[2] https://bugs.debian.org/1109262
[3] https://bugs.debian.org/1109199
[4] https://debusine.debian.net/debian/developers/work-request/197302/
[5] https://debusine.debian.net/debian/developers/work-request/197416/
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/changelog gdk-pixbuf-2.42.10+dfsg/debian/changelog
--- gdk-pixbuf-2.42.10+dfsg/debian/changelog 2025-06-19 17:52:54.000000000 -0300
+++ gdk-pixbuf-2.42.10+dfsg/debian/changelog 2025-10-22 22:45:57.000000000 -0300
@@ -1,3 +1,23 @@
+gdk-pixbuf (2.42.10+dfsg-1+deb12u3) bookworm; urgency=medium
+
+ * Team upload.
+
+ [ Jeremy Bícha ]
+ * debian/gbp.conf: Branch for bookworm.
+
+ [ Carlos Henrique Lima Melara ]
+ * debian/patches/CVE-2025-7345.patch: import patch from upstream.
+ - CVE-2025-7345: A flaw exists in gdk‑pixbuf within the
+ gdk_pixbuf__jpeg_image_load_increment function (io-jpeg.c) and in
+ glib’s g_base64_encode_step (glib/gbase64.c) potentially leading to a
+ buffer overflow. (Closes: #1109262)
+ * debian/salsa-ci.yml: build with nocheck and pass SALSA_CI=true for
+ autopkgtest job.
+ * debian/tests/installed-tests{,flaky}: check SALSA_CI variable to decide
+ what is flaky or not.
+
+ -- Carlos Henrique Lima Melara <[email protected]> Wed, 22 Oct 2025 22:45:57 -0300
+
gdk-pixbuf (2.42.10+dfsg-1+deb12u2) bookworm-security; urgency=medium
* CVE-2025-6199 (Closes: #1107994)
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/gbp.conf gdk-pixbuf-2.42.10+dfsg/debian/gbp.conf
--- gdk-pixbuf-2.42.10+dfsg/debian/gbp.conf 2025-06-19 17:52:54.000000000 -0300
+++ gdk-pixbuf-2.42.10+dfsg/debian/gbp.conf 2025-10-22 22:45:57.000000000 -0300
@@ -1,6 +1,6 @@
[DEFAULT]
pristine-tar = True
-debian-branch = debian/master
+debian-branch = debian/bookworm
upstream-branch = upstream/latest
[buildpackage]
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/patches/CVE-2025-7345.patch gdk-pixbuf-2.42.10+dfsg/debian/patches/CVE-2025-7345.patch
--- gdk-pixbuf-2.42.10+dfsg/debian/patches/CVE-2025-7345.patch 1969-12-31 21:00:00.000000000 -0300
+++ gdk-pixbuf-2.42.10+dfsg/debian/patches/CVE-2025-7345.patch 2025-10-22 22:45:57.000000000 -0300
@@ -0,0 +1,55 @@
+From 4af78023ce7d3b5e3cec422a59bb4f48fa4f5886 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <[email protected]>
+Date: Fri, 11 Jul 2025 11:02:05 -0400
+Subject: [PATCH] jpeg: Be more careful with chunked icc data
+
+We we inadvertendly trusting the sequence numbers not to lie.
+If they do we would report a larger data size than we actually
+allocated, leading to out of bounds memory access in base64
+encoding later on.
+
+This has been assigned CVE-2025-7345.
+
+Fixes: #249
+
+Origin: upstream, https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/4af78023ce7d3b5e3cec422a59bb4f48fa4f5886
+Bug: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/249
+Bug-Debian: https://bugs.debian.org/1109262
+Last-Update: 2025-09-30
+---
+ gdk-pixbuf/io-jpeg.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
+index 9cfd29718..103820c5a 100644
+--- a/gdk-pixbuf/io-jpeg.c
++++ b/gdk-pixbuf/io-jpeg.c
+@@ -359,6 +359,7 @@ jpeg_parse_exif_app2_segment (JpegExifContext *context, jpeg_saved_marker_ptr ma
+ context->icc_profile = g_new (gchar, chunk_size);
+ /* copy the segment data to the profile space */
+ memcpy (context->icc_profile, marker->data + 14, chunk_size);
++ ret = TRUE;
+ goto out;
+ }
+
+@@ -380,12 +381,15 @@ jpeg_parse_exif_app2_segment (JpegExifContext *context, jpeg_saved_marker_ptr ma
+ /* copy the segment data to the profile space */
+ memcpy (context->icc_profile + offset, marker->data + 14, chunk_size);
+
+- /* it's now this big plus the new data we've just copied */
+- context->icc_profile_size += chunk_size;
++ context->icc_profile_size = MAX (context->icc_profile_size, offset + chunk_size);
+
+ /* success */
+ ret = TRUE;
+ out:
++ if (!ret) {
++ g_free (context->icc_profile);
++ context->icc_profile = NULL;
++ }
+ return ret;
+ }
+
+--
+GitLab
+
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/patches/series gdk-pixbuf-2.42.10+dfsg/debian/patches/series
--- gdk-pixbuf-2.42.10+dfsg/debian/patches/series 2025-06-19 17:52:54.000000000 -0300
+++ gdk-pixbuf-2.42.10+dfsg/debian/patches/series 2025-10-22 22:45:57.000000000 -0300
@@ -6,3 +6,4 @@
ANI-Reject-files-with-multiple-INAM-or-IART-chunks.patch
ANI-Validate-anih-chunk-size.patch
CVE-2025-6199.patch
+CVE-2025-7345.patch
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/salsa-ci.yml gdk-pixbuf-2.42.10+dfsg/debian/salsa-ci.yml
--- gdk-pixbuf-2.42.10+dfsg/debian/salsa-ci.yml 1969-12-31 21:00:00.000000000 -0300
+++ gdk-pixbuf-2.42.10+dfsg/debian/salsa-ci.yml 2025-10-22 22:45:57.000000000 -0300
@@ -0,0 +1,15 @@
+---
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+ RELEASE: 'bookworm'
+ # crossbuild is only supported for unstable
+ SALSA_CI_DISABLE_CROSSBUILD_ARM64: 1
+ # the udeb intentionally has this, but udebs can't have overrides
+ SALSA_CI_LINTIAN_SUPPRESS_TAGS: 'package-contains-mime-cache-file'
+ # pixbuf-fail test only fail in salsa-ci, so skip testing when building
+ DEB_BUILD_OPTIONS: nocheck
+ # And tell autopkgtest we are building in salsa-ci so it is marked as flaky
+ SALSA_CI_AUTOPKGTEST_ARGS: "--env SALSA_CI=true"
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/tests/installed-tests gdk-pixbuf-2.42.10+dfsg/debian/tests/installed-tests
--- gdk-pixbuf-2.42.10+dfsg/debian/tests/installed-tests 2025-06-19 17:52:54.000000000 -0300
+++ gdk-pixbuf-2.42.10+dfsg/debian/tests/installed-tests 2025-10-22 22:45:57.000000000 -0300
@@ -1,6 +1,13 @@
#!/bin/sh
-set -eu
+set -e
+
+if [ -n "$SALSA_CI" ]; then
+ # pixbuf-fail triggers oom-killer in salsa-ci
+ flaky_tests_regex='^gdk-pixbuf/pixbuf-\(randomly-modified\|fail\)\.test$'
+else
+ flaky_tests_regex='^gdk-pixbuf/pixbuf-randomly-modified\.test$'
+fi
namespace=gdk-pixbuf/
@@ -9,7 +16,7 @@
set -- $(
gnome-desktop-testing-runner -l "$namespace" |
cut -f1 -d' ' |
- grep -v '^gdk-pixbuf/pixbuf-randomly-modified\.test$'
+ grep -v "$flaky_tests_regex"
)
if [ -z "$*" ]; then
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/tests/installed-tests-flaky gdk-pixbuf-2.42.10+dfsg/debian/tests/installed-tests-flaky
--- gdk-pixbuf-2.42.10+dfsg/debian/tests/installed-tests-flaky 2025-06-19 17:52:54.000000000 -0300
+++ gdk-pixbuf-2.42.10+dfsg/debian/tests/installed-tests-flaky 2025-10-22 22:45:57.000000000 -0300
@@ -1,9 +1,19 @@
#!/bin/sh
-set -eu
+set -e
+if [ -n "$SALSA_CI" ]; then
+ # pixbuf-fail triggers oom-killer in salsa-ci
+ flaky_tests="gdk-pixbuf/pixbuf-randomly-modified.test \
+ gdk-pixbuf/pixbuf-fail.test"
+else
+ flaky_tests="gdk-pixbuf/pixbuf-randomly-modified.test"
+fi
+
+# Deliberately word-splitting:
+# shellcheck disable=SC2086
exec gnome-desktop-testing-runner \
--report-directory="$AUTOPKGTEST_ARTIFACTS" \
--tap \
-gdk-pixbuf/pixbuf-randomly-modified.test \
+$flaky_tests \
${NULL+}
--- End Message ---
--- Begin Message ---
Package: release.debian.org\nVersion: 12.13\n\nThis update has been released as
part of Debian 12.13.
--- End Message ---
