Debian Bug report logs - #1121041
bookworm-pu: package gdk-pixbuf/2.42.10+dfsg-1+deb12u3

Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Affects: src:gdk-pixbuf

Reported by: Carlos Henrique Lima Melara <charles@debian.org>

Date: Thu, 20 Nov 2025 01:35:01 UTC

Severity: normal

Tags: bookworm, pending



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org> (release.debian.org for {1121041}), gdk-pixbuf@packages.debian.org (additional cc recipient for {1121041}):
Bug#1121041; Package release.debian.org. (Thu, 20 Nov 2025 01:35:02 GMT)


Acknowledgement sent to Carlos Henrique Lima Melara <charles@debian.org>:
New Bug report received and forwarded. Copy sent to gdk-pixbuf@packages.debian.org, debian-release@lists.debian.org. (Thu, 20 Nov 2025 01:35:02 GMT)


Message #5 received at submit@bugs.debian.org:

From: Carlos Henrique Lima Melara <charles@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bookworm-pu: package gdk-pixbuf/2.42.10+dfsg-1+deb12u3
Date: Wed, 19 Nov 2025 22:34:01 -0300
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: gdk-pixbuf@packages.debian.org
Control: affects -1 + src:gdk-pixbuf
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

[ Reason ]

The reason for the bookworm-pu bug is CVE-2025-7345 [1][2] which is a
potential buffer overflow. The fix was applied already in sid, trixie,
bullseye and other ELTS releases with no reports of regressions but one
in testing [3] before the release of trixie. After further communication
with the reporter, it was dismissed as probably an inconsistent
environment on their side. The reported regression was unreproducible in
trixie, bullseye and also bookworm (tested in a clean VM with multiple
gnome software).

[ Impact ]

We have a pending CVE and a potential buffer overflow in bookworm.

[ Tests ]

I have manually reproduced the reported ASAN overflow in bookworm and
also verified the patch fixed it. The package's autopkgtest was run and
passes without regressions. I have also uploaded it to debusine.d.n [4]
to check rdep autopkgtests using the fixed version and no new failures
showed up when comparing to the version currently in bookworm [5].

[ Risks ]

The patch is pretty trivial, it makes sure there is enough space
allocated without blindly trusting what the image headers say and bails
out if there isn't enough space. For a correctly defined JPEG image,
there shouldn't be any impact since the headers wouldn't lie.

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

Cherry pick of the patch fixing the CVE, the explanation for it is in
Risks section. Aside from that, there are some changes to add
salsa-ci and enable the full coverage of it, which includes marking a
second test as flaky when running salsa-ci. Also, switch to
debian/bookworm in gbp.conf.

[ Other info ]

Although the last two changes mentioned in the Changes section don't impact
the archive, they do provide more comfort and assurance before uploading,
so I think it's worth keeping them. If the Stable Release Managers prefer
not to have them, please let me know.

Cheers,
Charles

[1] https://security-tracker.debian.org/tracker/CVE-2025-7345
[2] https://bugs.debian.org/1109262
[3] https://bugs.debian.org/1109199
[4] https://debusine.debian.net/debian/developers/work-request/197302/
[5] https://debusine.debian.net/debian/developers/work-request/197416/
[gdk-pixbuf_2.42.10+dfsg-1+deb12u3.diff (text/x-diff, attachment)]
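The Risks section above describes the shape of the fix in general terms: size the destination from what was actually allocated, not from what the image header claims, and bail out when the two disagree. The following is an added illustration of that pattern in C, written for this page; it is not the gdk-pixbuf patch, not gdk-pixbuf's API, and not the attached debdiff. The `pixbuf_t`, `scanline_hdr_t`, `copy_scanline_trusting` and `copy_scanline_checked` names, the buffer layout and the constructed 4x2 RGB input are all hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical pixel buffer: allocated from the dimensions we decided on,
 * so rowstride * height is the only memory that really exists. */
typedef struct {
    uint8_t *pixels;
    size_t   width, height, n_channels, rowstride;
} pixbuf_t;

/* Per-scanline geometry as reported by the decoder from the file header.
 * Everything here is attacker-controlled and may disagree with pixbuf_t. */
typedef struct {
    size_t output_width;
    size_t output_components;
} scanline_hdr_t;

/* Bytes one scanline needs, or 0 if either value is 0 or the product
 * would overflow size_t (an overflowing product is how a "small" header
 * value turns into a tiny copy length or a huge one). */
size_t scanline_bytes_needed(size_t width, size_t components)
{
    if (width == 0 || components == 0) return 0;
    if (width > SIZE_MAX / components) return 0;
    return width * components;
}

pixbuf_t *pixbuf_new(size_t width, size_t height, size_t n_channels)
{
    size_t rowstride = scanline_bytes_needed(width, n_channels);
    if (rowstride == 0 || height == 0 || height > SIZE_MAX / rowstride) return NULL;
    pixbuf_t *pb = calloc(1, sizeof *pb);
    if (!pb) return NULL;
    pb->pixels = calloc(height, rowstride);
    if (!pb->pixels) { free(pb); return NULL; }
    pb->width = width; pb->height = height;
    pb->n_channels = n_channels; pb->rowstride = rowstride;
    return pb;
}

void pixbuf_free(pixbuf_t *pb)
{
    if (pb) { free(pb->pixels); free(pb); }
}

/* VULNERABLE PATTERN (never called below with a lying header): the copy
 * length is taken straight from the header, so a file that declares a
 * wider or deeper scanline than the buffer was sized for writes past the
 * end of the row, and past the end of the allocation on the last row. */
void copy_scanline_trusting(pixbuf_t *pb, size_t row,
                            const scanline_hdr_t *hdr, const uint8_t *src)
{
    memcpy(pb->pixels + row * pb->rowstride, src,
           hdr->output_width * hdr->output_components);
}

/* HARDENED: derive the byte count with overflow checks and refuse to copy
 * unless it fits in the row we allocated and in the source we hold. */
bool copy_scanline_checked(pixbuf_t *pb, size_t row,
                           const scanline_hdr_t *hdr,
                           const uint8_t *src, size_t src_len)
{
    size_t needed = scanline_bytes_needed(hdr->output_width, hdr->output_components);
    if (needed == 0) return false;              /* zero or overflowing size  */
    if (row >= pb->height) return false;        /* more rows than allocated  */
    if (needed > pb->rowstride) return false;   /* header claims a wider row */
    if (needed > src_len) return false;         /* fewer decoded bytes held  */
    memcpy(pb->pixels + row * pb->rowstride, src, needed);
    return true;
}

int main(void)
{
    /* Constructed input: a 4x2 RGB buffer and 12 bytes of "decoded" pixels. */
    pixbuf_t *pb = pixbuf_new(4, 2, 3);
    if (!pb) return 1;
    uint8_t decoded[12];
    memset(decoded, 0xAB, sizeof decoded);

    scanline_hdr_t honest = { .output_width = 4, .output_components = 3 };
    scanline_hdr_t lying  = { .output_width = 8, .output_components = 3 };

    printf("honest header, row 0: %s\n",
           copy_scanline_checked(pb, 0, &honest, decoded, sizeof decoded) ? "copied" : "rejected");
    printf("lying header,  row 0: %s\n",
           copy_scanline_checked(pb, 0, &lying, decoded, sizeof decoded) ? "copied" : "rejected");
    printf("honest header, row 2: %s\n",
           copy_scanline_checked(pb, 2, &honest, decoded, sizeof decoded) ? "copied" : "rejected");

    pixbuf_free(pb);
    return 0;
}
```

The point of the checked variant is that the only number it trusts is `rowstride`, which came from the allocation, so a header that lies about width, component count or row count is rejected before `memcpy` runs rather than detected afterwards by ASAN.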

Added indication that 1121041 affects src:gdk-pixbuf. Request was from Carlos Henrique Lima Melara <charles@debian.org> to submit@bugs.debian.org. (Thu, 20 Nov 2025 01:35:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org> (release.debian.org for {1121041}):
Bug#1121041; Package release.debian.org. (Sat, 06 Dec 2025 15:51:01 GMT)


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to debian-release@lists.debian.org. (Sat, 06 Dec 2025 15:51:01 GMT)


Message #12 received at 1121041@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Carlos Henrique Lima Melara <charles@debian.org>, 1121041@bugs.debian.org
Subject: Re: Bug#1121041: bookworm-pu: package gdk-pixbuf/2.42.10+dfsg-1+deb12u3
Date: Sat, 06 Dec 2025 15:48:09 +0000
Control: tags -1 + confirmed

On Wed, 2025-11-19 at 22:34 -0300, Carlos Henrique Lima Melara wrote:
> [ Reason ]
> 
> The reason for the bookworm-pu bug is CVE-2025-7345 [1][2] which is a
> potential buffer overflow.

Please go ahead.

Regards,

Adam



Added tag(s) confirmed. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to 1121041-submit@bugs.debian.org. (Sat, 06 Dec 2025 15:51:01 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org> (release.debian.org for {1121041}):
Bug#1121041; Package release.debian.org. (Sat, 06 Dec 2025 20:53:02 GMT)


Acknowledgement sent to Carlos Henrique Lima Melara <charles@debian.org>:
Extra info received and forwarded to list. Copy sent to debian-release@lists.debian.org. (Sat, 06 Dec 2025 20:53:02 GMT)


Message #19 received at 1121041@bugs.debian.org:

From: Carlos Henrique Lima Melara <charles@debian.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: 1121041@bugs.debian.org
Subject: Re: Bug#1121041: bookworm-pu: package gdk-pixbuf/2.42.10+dfsg-1+deb12u3
Date: Sat, 6 Dec 2025 17:50:46 -0300
Hi Adam,

On Sat, Dec 06, 2025 at 03:48:09PM +0000, Adam D. Barratt wrote:
> 
> On Wed, 2025-11-19 at 22:34 -0300, Carlos Henrique Lima Melara wrote:
> > [ Reason ]
> > 
> > The reason for the bookworm-pu bug is CVE-2025-7345 [1][2] which is a
> > potential buffer overflow.
> 
> Please go ahead.

Thanks and uploaded.

Cheers,
Charles



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org> (release.debian.org for {1121041}):
Bug#1121041; Package release.debian.org. (Sun, 07 Dec 2025 17:09:05 GMT)


Acknowledgement sent to Adam D Barratt <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to debian-release@lists.debian.org. (Sun, 07 Dec 2025 17:09:05 GMT)


Message #24 received at 1121041@bugs.debian.org:

From: Adam D Barratt <adam@adam-barratt.org.uk>
To: 1121041@bugs.debian.org
Cc: 1121041-submitter@bugs.debian.org
Subject: gdk-pixbuf 2.42.10+dfsg-1+deb12u3 flagged for acceptance
Date: Sun, 07 Dec 2025 17:06:23 +0000
package release.debian.org
tags 1121041 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: gdk-pixbuf
Version: 2.42.10+dfsg-1+deb12u3

Explanation: fix buffer overflow issue [CVE-2025-7345]



Added tag(s) pending; removed tag(s) confirmed. Request was from Adam D Barratt <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Sun, 07 Dec 2025 17:09:10 GMT)


Message sent on to Carlos Henrique Lima Melara <charles@debian.org>:
Bug#1121041. (Sun, 07 Dec 2025 17:09:28 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jan 2 09:33:44 2026; Machine Name: buxtehude
