- Package: src:libskia
- Source: src:libskia
- Submitter: Moritz Mühlenhoff
- Date: 2026-05-11 17:35:02 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerabilities were published for Google Chrome, but are apparently in Skia. With Skia now packaged we need some upstream commitment for transparent security handling, specifically we need to know which commits fix which CVE. Are you in touch with upstream, is there some channel where they could keep you notified?

CVE-2025-32318[0]:
| In Skia, there is a possible out of bounds write due to a heap
| buffer overflow. This could lead to remote escalation of privilege
| with no additional execution privileges needed. User interaction is
| not needed for exploitation.

CVE-2026-5870[1]:
| Integer overflow in Skia in Google Chrome prior to 147.0.7727.55
| allowed a remote attacker to execute arbitrary code inside a sandbox
| via a crafted HTML page. (Chromium security severity: High)

CVE-2026-6364[2]:
| Out of bounds read in Skia in Google Chrome prior to 147.0.7727.101
| allowed a remote attacker to obtain potentially sensitive
| information from process memory via a crafted file. (Chromium
| security severity: Medium)

CVE-2026-6298[3]:
| Heap buffer overflow in Skia in Google Chrome prior to
| 147.0.7727.101 allowed a remote attacker to obtain potentially
| sensitive information from process memory via a crafted HTML page.
| (Chromium security severity: Critical)

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-32318
    https://www.cve.org/CVERecord?id=CVE-2025-32318
[1] https://security-tracker.debian.org/tracker/CVE-2026-5870
    https://www.cve.org/CVERecord?id=CVE-2026-5870
[2] https://security-tracker.debian.org/tracker/CVE-2026-6364
    https://www.cve.org/CVERecord?id=CVE-2026-6364
[3] https://security-tracker.debian.org/tracker/CVE-2026-6298
    https://www.cve.org/CVERecord?id=CVE-2026-6298

Please adjust the affected versions in the BTS as needed.
Hi,

Thank you for the detailed bug report!

I noticed some other CVEs in the tracker earlier, but as some of them disappeared previously I assume they were deemed to not apply to the packaged version in spite of the difficulties with connecting CVEs to upstream commits.

I am working on this, it is a bit difficult as it is not possible to submit new bugs to the bug tracker, presumably due to spam. I have raised this issue in a patch I submitted upstream, so hopefully the situation will improve soon. I am also in contact with a previous Skia developer. They are perhaps able to help if my efforts so far are not successful.

I have done some digging for the CVEs mentioned, and I will shortly detail my findings below. One thing that makes this difficult is that I have (understandably) not found additional details as to *where* in Skia these issues are (so I can determine if they are fixed and/or develop patches). Does Debian have access to more details that I can access somehow? With this information I could probably track down fixes fairly easily (although it is of course preferable if I could get this information directly from upstream).

Looking at the bulletin referenced in the CVE, it notes the reference A-383366951. Looking it up in Google's issue tracker (linked from [0]) it leads me to [1]. I note that the date of the bug report is earlier than the CVE, so the ID might reference some other bug tracker (but I know that public announcement is not always done immediately to give vendors time to patch the issue, for example). However, the issue references a location inside Skia that can be triggered by e.g. decoding PNG files. It makes sense that this could lead to privilege escalation by e.g. sending a notification with a PNG to the system notifications process.

If my understanding of the above is correct, then this CVE is fixed in commit 4076192f7458b29054211385b43c06335c46d7df [2], which is included in the packaged version.

I have asked upstream about this, as I would like it verified.

As for the other CVEs, there have been 3 commits to the stable branch for milestone 146 since the release I packaged, as below (I have reordered them to fit the commit ordering).

> CVE-2026-6364[2]:
> | Out of bounds read in Skia in Google Chrome prior to 147.0.7727.101
> | allowed a remote attacker to obtain potentially sensitive
> | information from process memory via a crafted file. (Chromium
> | security severity: Medium)

The first one, 30d129c8800b5626c46fb83fa62db10b9b22b319 (review linked in the commit [3]) speaks about an out of bounds read in the JPEG decoder. While I don't have permissions to view the bug and I am therefore not able to verify, this seems likely.

Same thing, bc591f8db342ee912fbb92aadde2a088e0ab8470 [4] speaks about bounds checking for integers, and casting integers to 16-bit integers (thus more likely to overflow them without detection). Likely this one, but as with the previous one I am unable to verify the connection to the CVE.

Same thing here, ef5f213b0436c53fdf59184d9536eb5ee5aa8084 [5]. It adds bounds checks to lattice-based code so that it properly validates some assumptions. The patched function notes that it has pointers directly inside the buffer, making it likely that it can be used to read process memory without the patch. Again, I am not able to verify this assumption with official sources.

As such, the CVE-2025-* is probably already addressed upstream and included in the current version (take my slight uncertainty regarding bug numbers upstream into account). The other three (CVE-2026-*) seem to be patched by upstream and will be included in the next upload. I will see if I manage to get more information from upstream as well.

A more definitive connection between CVEs and bugs would be highly beneficial and avoid potential guesswork.

I will keep this in mind! Is there a specific format to follow (like with closes), or is it enough to just mention the CVEs?

[0] https://source.android.com/docs/setup/contribute/report-bugs
[1] https://issuetracker.google.com/issues/390261249
[2] https://skia.googlesource.com/skia/+/4076192f7458b29054211385b43c06335c46d7df
[3] https://skia-review.googlesource.com/c/skia/+/1181498
[4] https://skia-review.googlesource.com/c/skia/+/1199497
[5] https://skia-review.googlesource.com/c/skia/+/1208956
Hi again,

I heard back from upstream with some updates as per below.

[snip]

CVEs are mentioned in the bugs associated with the change-IDs mentioned in commits. They are not public immediately (so I can't verify for these particular CVEs easily). I will ask if I can view this information a bit earlier on Debian's behalf so that I can confirm which version fixes particular CVEs without having to wait for them to become public.

[snip]

Verified as included in m146 by upstream. Not a particular commit, however.

It turns out that 2/3 of these CVEs are fixed in the m146 branch. The last one is fixed for a later release, but I assume it will be backported to m146 (LTS release) in not too long. I will wait a bit more to see upstream's status here, and then upload as appropriate.

[snip]
Sadly we don't either. Our only source is the descriptions of the Chrome
advisories, where they mention Skia as the root cause.
Cheers,
Moritz
Hello,
I just uploaded a new version of libskia (146.20260414). As noted in the
changelog, the new upstream version fixes CVE-2026-6364 and
CVE-2026-6298. CVE-2026-5870 was fixed in the m147 branch (not yet
landed in the m146 branch) and I have included that fix as a patch until
it lands in the m146 branch upstream.
Upstream confirmed that the fix for CVE-2025-32318 "would definitely be
included m146's release at this point" (although they were unable to
find a specific commit since the vulnerability was found in Android). As
such no versions in Debian have been affected by this vulnerability, and
therefore I did not mention this CVE in the changelog.
I opted to not close this bug as the question of a more formal
communication channel with upstream is not solved as of yet. The issue
tracker and associated commits are public. The missing link is which
change-ids (= commit + cherry-picks to stable branches) correspond to
which CVEs. This information seems to become available to the public 12
weeks after bugs are fixed by default (which is a bit late IMO). For
these changes I have just e-mailed the developer who made the changes
and received fairly quick confirmation about which commits fix which
CVEs, so it is workable until we have something better.
I leave it up to you to decide how to adjust the bug (i.e. closing it as
CVEs are fixed/confirmed fixed previously, modifying severity since the
issue of an official channel remains, etc.)
Best regards,
Filip
As mentioned in a previous message, these CVEs have been patched in version 146.20260414 (or for the 2025 one, confirmed to have been fixed by the time of m146's release).

For identifying commits fixing CVEs, I have found a way using information from upstream to identify the relevant commits before upstream makes all information in the issues public (14 weeks by default). This is documented in the wiki in the Salsa repository [0].

As such, I am now closing this bug.

[0]: https://salsa.debian.org/fonts-team/libskia/-/wikis/pages