#1138779 thorvg: CVE-2026-45729

Package:
src:thorvg
Source:
src:thorvg
Submitter:
Salvatore Bonaccorso
Date:
2026-06-04 17:49:05 UTC
Severity:
normal
Tags:
#1138779#5
Date:
2026-06-03 15:55:27 UTC
Hi,

The following vulnerability was published for thorvg.

CVE-2026-45729[0]:
| Thor Vector Graphics (ThorVG) is a production-ready vector graphics
| engine. Prior to version 1.0.5, a null pointer dereference in
| SvgLoader::run() allows any caller that passes untrusted SVG data to
| Picture::load() to crash the process with a 6-byte payload. This
| issue has been patched in version 1.0.5.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-45729
https://www.cve.org/CVERecord?id=CVE-2026-45729
[1] https://github.com/thorvg/thorvg/pull/4387
[2] https://github.com/thorvg/thorvg/security/advisories/GHSA-f863-8ghq-7h64
[3] https://github.com/thorvg/thorvg/commit/599db59600aefab904fc8465bd86ac29e1de168c

Regards,
Salvatore

#1138779#10
Date:
2026-06-04 17:47:15 UTC
We believe that the bug you reported is fixed in the latest version of
thorvg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1138779@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jongmin Kim <jmkim@debian.org> (supplier of updated thorvg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 05 Jun 2026 01:46:38 +0900
Source: thorvg
Architecture: source
Version: 1.0.6+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Jongmin Kim <jmkim@debian.org>
Changed-By: Jongmin Kim <jmkim@debian.org>
Closes: 1138779
Changes:
 thorvg (1.0.6+dfsg-1) unstable; urgency=high
 .
   * New upstream release 1.0.6, fixing CVE-2026-45729 (Closes: #1138779)
   * Update symbols to 1.0.6
   * Revise renamed path in copyright
   * Revise to new backend engines: 'cpu,gl'
   * Revise the list of non-free files
   * Remove applied patch: replace-path-max
   * Refresh patch for updated upstream release
Checksums-Sha1:
 4d790e5f21167481e2a864a3b08bd2a3e5515908 2028 thorvg_1.0.6+dfsg-1.dsc
 f91fe3d02ae4d09066842d7b670cfe55bd622723 2815548 thorvg_1.0.6+dfsg.orig.tar.xz
 976c45839d8718771850f5ad2c45d9f702ac7096 56012 thorvg_1.0.6+dfsg-1.debian.tar.xz
 5cb2c8fe34e45c4755bbd55957768bbab0c8319e 7184 thorvg_1.0.6+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 1d0cbf8459740f75d292754a7460a641e8731a8dd7fa241de8b4c53ef9d0ca25 2028 thorvg_1.0.6+dfsg-1.dsc
 4d38701597545c087f97e86059d2578cb4c6ea7e4e136a83a4fa2507a57fb8cf 2815548 thorvg_1.0.6+dfsg.orig.tar.xz
 a133ef391c8befc47bb8e5803747e1605d99fe1a81f50824994cc93c2a37a6a3 56012 thorvg_1.0.6+dfsg-1.debian.tar.xz
 b5fce09b76a1933929843500a67be997f30f59d7c88d71d29c977b85742f07fe 7184 thorvg_1.0.6+dfsg-1_amd64.buildinfo
Files:
 27e4b63ad9518e8cadba040ff1ddf61d 2028 libs optional thorvg_1.0.6+dfsg-1.dsc
 cba89ad0825115a5a03606f331ffe589 2815548 libs optional thorvg_1.0.6+dfsg.orig.tar.xz
 5509bba4f381503621e1da41ec58d4f3 56012 libs optional thorvg_1.0.6+dfsg-1.debian.tar.xz
 184519a97eb6fe753d1cdaeb1423f628 7184 libs optional thorvg_1.0.6+dfsg-1_amd64.buildinfo
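
The Checksums-Sha1, Checksums-Sha256 and Files fields in the .changes stanza above are what a downstream consumer checks before trusting the uploaded .dsc, orig tarball and debian tarball. The following is an added example, not code from this bug report, from Debian's archive tooling or from thorvg: it parses those three fields exactly as they are printed above (digest, size, name; the Files field also carries section and priority), checks that the fields agree on file names and sizes, and verifies the SHA-256 of files on disk. The tamper scenario at the end uses constructed files with hypothetical names (example_1.0-1.dsc, example_1.0.orig.tar.xz). Verifying the OpenPGP signature on the .changes itself is a prerequisite for any of this to mean anything and is out of scope here.

```python
"""Parse the checksum fields of a Debian .changes file and verify files against them.

Added example, not code from the bug report, Debian or thorvg. Field syntax follows
the stanza in the bug log: Checksums-Sha1/Checksums-Sha256 lines are
"<digest> <size> <name>", Files lines are "<md5> <size> <section> <priority> <name>".
"""
import hashlib
import os
import tempfile
from typing import Dict, Tuple

Sections = Dict[str, Dict[str, Tuple[str, int]]]  # algo -> filename -> (digest, size)
FIELD_TO_ALGO = {"Checksums-Sha1": "sha1", "Checksums-Sha256": "sha256", "Files": "md5"}

# Copied from the thorvg 1.0.6+dfsg-1 .changes excerpt in the bug log above.
THORVG_CHANGES_EXCERPT = """\
Checksums-Sha1:
 4d790e5f21167481e2a864a3b08bd2a3e5515908 2028 thorvg_1.0.6+dfsg-1.dsc
 f91fe3d02ae4d09066842d7b670cfe55bd622723 2815548 thorvg_1.0.6+dfsg.orig.tar.xz
 976c45839d8718771850f5ad2c45d9f702ac7096 56012 thorvg_1.0.6+dfsg-1.debian.tar.xz
 5cb2c8fe34e45c4755bbd55957768bbab0c8319e 7184 thorvg_1.0.6+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 1d0cbf8459740f75d292754a7460a641e8731a8dd7fa241de8b4c53ef9d0ca25 2028 thorvg_1.0.6+dfsg-1.dsc
 4d38701597545c087f97e86059d2578cb4c6ea7e4e136a83a4fa2507a57fb8cf 2815548 thorvg_1.0.6+dfsg.orig.tar.xz
 a133ef391c8befc47bb8e5803747e1605d99fe1a81f50824994cc93c2a37a6a3 56012 thorvg_1.0.6+dfsg-1.debian.tar.xz
 b5fce09b76a1933929843500a67be997f30f59d7c88d71d29c977b85742f07fe 7184 thorvg_1.0.6+dfsg-1_amd64.buildinfo
Files:
 27e4b63ad9518e8cadba040ff1ddf61d 2028 libs optional thorvg_1.0.6+dfsg-1.dsc
 cba89ad0825115a5a03606f331ffe589 2815548 libs optional thorvg_1.0.6+dfsg.orig.tar.xz
 5509bba4f381503621e1da41ec58d4f3 56012 libs optional thorvg_1.0.6+dfsg-1.debian.tar.xz
 184519a97eb6fe753d1cdaeb1423f628 7184 libs optional thorvg_1.0.6+dfsg-1_amd64.buildinfo
"""


def parse_checksum_sections(changes_text: str) -> Sections:
    """Collect the three checksum fields; continuation lines start with a space."""
    sections: Sections = {}
    algo = None
    for line in changes_text.splitlines():
        if not line.startswith(" "):                  # a "Field: value" header line
            algo = FIELD_TO_ALGO.get(line.split(":", 1)[0])
            if algo:
                sections.setdefault(algo, {})
            continue
        if algo is None:                              # continuation of a field we ignore
            continue
        parts = line.split()
        expected = 5 if algo == "md5" else 3          # Files also carries section and priority
        if len(parts) != expected:
            raise ValueError(f"malformed {algo} entry: {line!r}")
        sections[algo][parts[-1]] = (parts[0].lower(), int(parts[1]))
    return sections


def check_cross_section_consistency(sections: Sections) -> Dict[str, str]:
    """Every field must list the same names with the same sizes; returns {name: problem}.
    A name present only under Files would otherwise be accepted on its MD5 alone."""
    problems: Dict[str, str] = {}
    names = {n for entries in sections.values() for n in entries}
    for name in sorted(names):
        sizes = {a: e[name][1] for a, e in sections.items() if name in e}
        if len(sizes) != len(sections):
            problems[name] = "missing from " + ", ".join(sorted(set(sections) - set(sizes)))
        elif len(set(sizes.values())) != 1:
            problems[name] = f"size disagreement {sizes}"
    return problems


def verify_files(sections: Sections, directory: str) -> Dict[str, str]:
    """Check size and SHA-256 of each listed file; returns {name: "ok" | reason}.
    MD5 and SHA-1 remain in .changes for compatibility; SHA-256 is authoritative here."""
    results: Dict[str, str] = {}
    for name, (want, size) in sections.get("sha256", {}).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        if os.path.getsize(path) != size:
            results[name] = f"size mismatch: {os.path.getsize(path)} != {size}"
            continue
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        results[name] = "ok" if h.hexdigest() == want else "sha256 mismatch"
    return results


def demo_tamper() -> Dict[str, str]:
    """Constructed scenario with hypothetical names: write two files, emit a stanza for
    them, then flip one byte of the tarball so the size still matches but the digest fails."""
    files = {"example_1.0-1.dsc": b"Format: 3.0 (quilt)\nSource: example\n",
             "example_1.0.orig.tar.xz": bytes(range(256)) * 4}
    with tempfile.TemporaryDirectory() as d:
        fields = {"Checksums-Sha1": [], "Checksums-Sha256": [], "Files": []}
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
            fields["Checksums-Sha1"].append(f" {hashlib.sha1(data).hexdigest()} {len(data)} {name}")
            fields["Checksums-Sha256"].append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
            fields["Files"].append(f" {hashlib.md5(data).hexdigest()} {len(data)} libs optional {name}")
        stanza = "".join(f"{k}:\n" + "\n".join(v) + "\n" for k, v in fields.items())
        sections = parse_checksum_sections(stanza)
        assert not check_cross_section_consistency(sections)
        with open(os.path.join(d, "example_1.0.orig.tar.xz"), "r+b") as fh:
            fh.seek(10)
            fh.write(b"\x00")                         # same length, different content
        return verify_files(sections, d)
```

Run against a downloaded upload with `verify_files(parse_checksum_sections(open("thorvg_1.0.6+dfsg-1_amd64.changes").read()), ".")`; the consistency check is worth running first, since a stanza whose Files and Checksums-Sha256 fields disagree is malformed regardless of what the bytes on disk hash to.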