- Package: src:gdk-pixbuf
- Source: src:gdk-pixbuf
- Submitter: Salvatore Bonaccorso
- Date: 2025-06-23 20:49:02 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerability was published for gdk-pixbuf.
(Choosing RC level, since jmm is planning a DSA, so we should have
that fixed as well in trixie)

CVE-2025-6199[0]:
| A flaw was found in the GIF parser of GdkPixbuf’s LZW decoder. When
| an invalid symbol is encountered during decompression, the decoder
| sets the reported output size to the full buffer length rather than
| the actual number of written bytes. This logic error results in
| uninitialized sections of the buffer being included in the output,
| potentially leaking arbitrary memory contents in the processed
| image.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-6199
    https://www.cve.org/CVERecord?id=CVE-2025-6199
[1] https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/257
[2] https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/c4986342b241cdc075259565f3fa7a7597d32a32

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
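To make the logic error in the CVE description concrete, here is an added, self-contained C model of the bug class; it is not gdk-pixbuf's decoder, and the `decode` and `stale_bytes_reported` functions, `INVALID_SYMBOL` and `SENTINEL` are constructed for the demonstration. The error path returns `out_len` instead of `written`, so a caller that trusts the reported count copies stale buffer contents into the output; the corrected path reports only what was produced.

```c
/* Added example modelling the CVE-2025-6199 bug class; this is not
 * gdk-pixbuf's decoder. INVALID_SYMBOL, SENTINEL and the function names
 * are constructed for the demonstration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define INVALID_SYMBOL 0xFF   /* constructed marker for a bad LZW code */
#define SENTINEL       0xAA   /* constructed stand-in for stale memory */

/* Toy decoder: copies symbols into out until it meets INVALID_SYMBOL.
 * Returns the byte count reported to the caller; *err flags bad input.
 * With fixed == false it reproduces the flawed error path, with
 * fixed == true the corrected one. */
static size_t decode(const uint8_t *in, size_t in_len,
                     uint8_t *out, size_t out_len, bool fixed, bool *err)
{
    size_t written = 0;
    *err = false;
    for (size_t i = 0; i < in_len && written < out_len; i++) {
        if (in[i] == INVALID_SYMBOL) {
            *err = true;
            /* BUG: out_len claims the whole buffer was filled.
             * FIX: written is the number of bytes actually produced. */
            return fixed ? written : out_len;
        }
        out[written++] = in[i];
    }
    return written;
}

/* Runs the decoder over a constructed stream with a bad symbol at offset 3
 * and returns how many of the reported bytes were never written (they still
 * hold SENTINEL, i.e. whatever the buffer contained before decoding). */
static size_t stale_bytes_reported(bool fixed)
{
    const uint8_t in[] = { 1, 2, 3, INVALID_SYMBOL, 4, 5 };
    uint8_t out[16];
    bool err;
    size_t stale = 0;

    memset(out, SENTINEL, sizeof out);  /* pretend this is uninitialized */
    size_t n = decode(in, sizeof in, out, sizeof out, fixed, &err);
    for (size_t i = 0; i < n; i++)
        if (out[i] == SENTINEL)
            stale++;
    return stale;   /* flawed: 13 stale bytes reported; fixed: 0 */
}
```

The same check is the one a reviewer would apply to any decoder error path: on failure, the length handed back must never exceed the bytes the loop actually stored.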
Hello,

Bug #1107994 in gdk-pixbuf reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/gnome-team/gdk-pixbuf/-/commit/ca851768ace1210cc2c4a5656fea93c313ec1653

------------------------------------------------------------------------
d/patches: Add patch from upstream to fix LZW error reporting

Setting the reported output size to the full buffer length rather than
the actual number of written bytes can cause uninitialized memory
contents to be disclosed. (CVE-2025-6199)

Closes: #1107994
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1107994
Fix uploaded to trixie and unblock requested. The same patch is likely
to apply cleanly to bookworm - please could the security team take care
of that upload, since you'll need to prepare the advisory anyway?
Thanks,
smcv
We believe that the bug you reported is fixed in the latest version of
gdk-pixbuf, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1107994@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated gdk-pixbuf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 20 Jun 2025 09:52:41 +0100
Source: gdk-pixbuf
Architecture: source
Version: 2.42.12+dfsg-3
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 1107994
Changes:
gdk-pixbuf (2.42.12+dfsg-3) unstable; urgency=high
.
* Team upload
* d/p/lzw-Fix-reporting-of-bytes-written-in-decoder.patch:
Add patch from upstream to fix LZW error reporting.
Setting the reported output size to the full buffer length rather than
the actual number of written bytes can cause uninitialized memory
contents to be disclosed. (CVE-2025-6199; Closes: #1107994)
* Set high urgency for security fix
Yes, I've already prepared an upload yesterday, an update will be released
over the weekend.
Cheers,
Moritz
We believe that the bug you reported is fixed in the latest version of
gdk-pixbuf, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1107994@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Mühlenhoff <jmm@debian.org> (supplier of updated gdk-pixbuf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 19 Jun 2025 22:52:54 +0200
Source: gdk-pixbuf
Architecture: source
Version: 2.42.10+dfsg-1+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Moritz Mühlenhoff <jmm@debian.org>
Closes: 1107994
Changes:
gdk-pixbuf (2.42.10+dfsg-1+deb12u2) bookworm-security; urgency=medium
.
* CVE-2025-6199 (Closes: #1107994)