Hello, On Wed Feb 11, 2026 at 9:35 AM CET, Shaik Moin via lists.openembedded.org wrote: > CVE: CVE-2025-6199 > Upstream-Status: Backport > [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/c4986342b241cdc075259565f3fa7a7597d32a32.patch] > > Backport the fix for CVE-2025-6199 > Add below patch to fix > 0001-gdk-pixbuf-Add-support-patch-to-fix-CVE-2025-6199.patch
Thank you for the patch but it needs improvements: * The commit message body should not have "CVE:" and "Upstream-Status:" those are for patches. * The commit message should justify why you import this particular patch. Is it the patch cited by the NVD report? another source? > Signed-off-by: Shaik Moin <[email protected]> > --- > ...d-support-patch-to-fix-CVE-2025-6199.patch | 36 +++++++++++++++++++ > .../gdk-pixbuf/gdk-pixbuf_2.42.12.bb | 1 + > 2 files changed, 37 insertions(+) > create mode 100644 > meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/0001-gdk-pixbuf-Add-support-patch-to-fix-CVE-2025-6199.patch > > diff --git > a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/0001-gdk-pixbuf-Add-support-patch-to-fix-CVE-2025-6199.patch > > b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/0001-gdk-pixbuf-Add-support-patch-to-fix-CVE-2025-6199.patch > new file mode 100644 > index 0000000000..aa8bfec8f4 > --- /dev/null > +++ > b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/0001-gdk-pixbuf-Add-support-patch-to-fix-CVE-2025-6199.patch > @@ -0,0 +1,36 @@ > +From 140200be0b4d5355aab76a6fd474e17d117045ca Mon Sep 17 00:00:00 2001 > +From: lumi <[email protected]> > +Date: Sat, 7 Jun 2025 22:27:06 +0200 > +Subject: [PATCH] lzw: Fix reporting of bytes written in decoder > + > +When the LZW decoder encounters an invalid code, it stops > +processing the image and returns the whole buffer size. > +It should return the amount of bytes written, instead. > + > +Fixes #257 > + > +CVE: CVE-2025-6199 > + > +Upstream-Status: Backport > [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/c4986342b241cdc075259565f3fa7a7597d32a32.patch] I'd rather have the simpler link https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/c4986342b241cdc075259565f3fa7a7597d32a32 (without the .patch extension): it makes checking if the patch is in a branch really easy. > + > +Signed-off-by: Shaik Moin <[email protected]> > +--- > + gdk-pixbuf/lzw.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/gdk-pixbuf/lzw.c b/gdk-pixbuf/lzw.c > +index 15293560b..4f3dd8beb 100644 > +--- a/gdk-pixbuf/lzw.c > ++++ b/gdk-pixbuf/lzw.c > +@@ -208,7 +208,7 @@ lzw_decoder_feed (LZWDecoder *self, > + /* Invalid code received - just stop here */ > + if (self->code >= self->code_table_size) { > + self->last_code = self->eoi_code; > +- return output_length; > ++ return n_written; > + } > + > + /* Convert codeword into indexes */ > +-- > +2.34.1 > + > diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb > b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb > index ff1c7a1fb2..8579614bb1 100644 > --- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb > +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb > @@ -21,6 +21,7 @@ SRC_URI = > "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \ > file://fatal-loader.patch \ > > file://0001-meson.build-allow-a-subset-of-tests-in-cross-compile.patch \ > file://CVE-2025-7345.patch \ > + > file://0001-gdk-pixbuf-Add-support-patch-to-fix-CVE-2025-6199.patch \ Can you please name this patch "CVE-2025-6199.patch" to follow conventions? Also, this CVE impacts whinlatter, please send a patch for whinlatter. Thanks! > " > > SRC_URI[sha256sum] = > "b9505b3445b9a7e48ced34760c3bcb73e966df3ac94c95a148cb669ab748e3c7" -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#231622): https://lists.openembedded.org/g/openembedded-core/message/231622 Mute This Topic: https://lists.openembedded.org/mt/117753593/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
