- Package: src:rlottie
- Source: src:rlottie
- Submitter: Salvatore Bonaccorso
- Date: 2026-06-09 14:35:02 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerability was published for rlottie.

CVE-2026-47318[0]:
| Stack-based buffer overflow vulnerability in Samsung Open Source
| rlottie allows Overflow Buffers. This issue affects rlottie: before
| ce72b35a7ad0dded03051d3aa0ef75321c3bd035.

If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-47318
    https://www.cve.org/CVERecord?id=CVE-2026-47318
[1] https://github.com/Samsung/rlottie/pull/582
[2] https://github.com/Samsung/rlottie/commit/9e4f354f6ebdf294738ef7abf1728f40889c2c51

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
Hello!

Some newly registered CVEs were fixed earlier in the rlottie package. Specifically,

* CVE-2026-8916 by Avoid-assertion-failures.patch
  https://salsa.debian.org/debian/rlottie/-/blob/3567c57f61192f92c1c535d474137f0d13925552/debian/patches/Avoid-assertion-failures.patch#L42
* CVE-2026-47306 by No-cyclic-structures.patch
  https://salsa.debian.org/debian/rlottie/-/blob/3567c57f61192f92c1c535d474137f0d13925552/debian/patches/No-cyclic-structures.patch
* CVE-2026-47318 by Fortify-FreeType-raster.patch
  https://salsa.debian.org/debian/rlottie/-/blob/3567c57f61192f92c1c535d474137f0d13925552/debian/patches/Fortify-FreeType-raster.patch#L59
* CVE-2026-49510 by Fix-crash-on-invalid-data.patch
  https://salsa.debian.org/debian/rlottie/-/blob/3567c57f61192f92c1c535d474137f0d13925552/debian/patches/Fix-crash-on-invalid-data.patch#L32

The latter one is caused by an improper fix to another vulnerability, known as CVE-2025-53075, which in turn duplicates CVE-2021-31319 and was addressed in the package almost six years ago.

However, other bugs you filed recently have not yet been fixed, or have been fixed only partially, and do affect rLottie in Debian.