#1139179 rlottie: CVE-2026-10305

Package:
src:rlottie
Source:
src:rlottie
Submitter:
Salvatore Bonaccorso
Date:
2026-06-12 08:23:04 UTC
Severity:
normal
#1139179#5
Date:
2026-06-06 19:29:01 UTC
Hi,

The following vulnerability was published for rlottie.

CVE-2026-10305[0]:
| Out-of-bounds read vulnerability in Samsung Open Source rlottie
| allows Overread Buffers.  This issue affects rlottie: before
| 223a2a41ba4f462e4abe767bebba49a366c9b9fd.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-10305
https://www.cve.org/CVERecord?id=CVE-2026-10305
[1] https://github.com/Samsung/rlottie/pull/587
[2] https://github.com/Samsung/rlottie/commit/b4f5101a4d1a8da60cc14cfd05608551b3448c77

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1139179#8
Date:
2026-06-09 15:00:42 UTC
Hello,

Bug #1139179 in rlottie reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/rlottie/-/commit/2ec660ad9005173209e206d39995d4b9aa8aaf07
------------------------------------------------------------------------
New Fixed-signed-shift-issue.patch probably fixes CVE-2026-10305

Closes: #1139179
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1139179

#1139179#15
Date:
2026-06-12 08:22:40 UTC
We believe that the bug you reported is fixed in the latest version of
rlottie, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1139179@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicholas Guriev <guriev-ns@ya.ru> (supplier of updated rlottie package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 12 Jun 2026 10:20:51 +0300
Source: rlottie
Architecture: source
Version: 0.1+dfsg-5
Distribution: unstable
Urgency: medium
Maintainer: Nicholas Guriev <guriev-ns@ya.ru>
Changed-By: Nicholas Guriev <guriev-ns@ya.ru>
Closes: 1133621 1138919 1138920 1139179
Changes:
 rlottie (0.1+dfsg-5) unstable; urgency=medium
 .
   * Add Fix-uninitialized-arena-allocator.patch and remove -Os build flag.
   * Add Remove-unused-variables.patch to fix build with GCC 16.
     (Closes: #1133621)
   * Fix off-by-one error in Fortify-FreeType-raster.patch.
   * Add Fixed-vpath-potential-issue.patch to fix CVE-2026-47319.
     (Closes: #1138919)
   * Add Limit-recursion-in-LOTLayerItem.patch to fix CVE-2026-47320.
     (Closes: #1138920)
   * New Fixed-signed-shift-issue.patch probably fixes CVE-2026-10305.
     (Closes: #1139179)
   * Update standards version to 4.7.4.
     - Remove no longer needed Priority and Rules-Requires-Root fields.
   * Remove broken debian/watch file.
   * Emit ignore regexp in build log to silence blhc.
Checksums-Sha1:
 fc4732f4fe6749b6c7bfbdc5e554f7927eb57160 1440 rlottie_0.1+dfsg-5.dsc
 ee6573f05bf472a4ed7522b39ca1176af0ae773c 24448 rlottie_0.1+dfsg-5.debian.tar.xz
Checksums-Sha256:
 7a8fba104823aac71b9bb9fd1456a17dffd3db698e09a9101b69d624d5c7039f 1440 rlottie_0.1+dfsg-5.dsc
 79d4f1948e1de1e14ed11691a3ea80294b06e19e5fe27df97beaa1ad7adbafd6 24448 rlottie_0.1+dfsg-5.debian.tar.xz
Files:
 1f77da555d02fd4f1e32d144b6da0889 1440 libs - rlottie_0.1+dfsg-5.dsc
 796f1d036f9d04e4a6636b6c6ca5d4d1 24448 libs - rlottie_0.1+dfsg-5.debian.tar.xz
-----BEGIN PGP SIGNATURE-----

iIYEARYIAC4WIQQRm7llN8yxifaG60cF2qh9JI3wlQUCaiu0eBAcZ3VyaWV2LW5z
QHlhLnJ1AAoJEAXaqH0kjfCVZMYA+wZApeHAVT0eFd4LPd0vIj77Y4scviDF9b1f
EENjZpnGAP4uYygyYfvl5mIx8cK10mvhSLtuNP+tHf9rClDbQuXfDQ==
=NN5h
-----END PGP SIGNATURE-----