Forum: >>> Magnum BBS <<<

Bug#1109341: rlottie: CVE-2025-0634 CVE-2025-53074 CVE-2025-53075

From Adrian Bunk@21:1/5 to All on Wed Jul 30 00:50:01 2025

On Tue, Jul 15, 2025 at 02:39:16PM +0200, Moritz Mühlenhoff wrote:

Package: rlottie
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for rlottie.

CVE-2025-0634[0]:
| Use After Free vulnerability in Samsung Open Source rLottie allows
| Remote Code Inclusion.This issue affects rLottie: V0.2.

https://github.com/Samsung/rlottie/pull/571 https://github.com/Samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9

CVE-2025-53074[1]:
| Out-of-bounds Read vulnerability in Samsung Open Source rLottie
| allows Overflow Buffers.This issue affects rLottie: V0.2.

https://github.com/Samsung/rlottie/pull/571 https://github.com/Samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9

CVE-2025-53075[2]:
| Improper Input Validation vulnerability in Samsung Open Source
| rLottie allows Path Traversal.This issue affects rLottie: V0.2.

https://github.com/Samsung/rlottie/pull/571 https://github.com/Samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9
...

I am not 100% sure whether all of these CVEs can be considered
duplicates of old CVEs already fixed in 0.1+dfsg-2 (#988885), but
there's clearly overlap in what got fixed: https://sources.debian.org/src/rlottie/0.1%2Bdfsg-4.2/debian/patches/Fix-crash-on-invalid-data.patch/

Apparently the old CVEs were reported against a fork and the new CVEs
against the original upstream.

cu
Adrian

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Who's Online
Recent Visitors
- Spearb0y
  Sun Jun 7 07:41:05 2026
  from Massachusetts via SSH
- Krenn
  Sun Jun 7 03:07:26 2026
  from Sydney, Nsw via Telnet
- Krenn
  Sun Jun 7 01:30:12 2026
  from Sydney, Nsw via Telnet
- Centurion
  Sat Jun 6 23:27:30 2026
  from Berea, Ohio via Telnet
- Ab Cadd
  Sat Jun 6 15:42:53 2026
  from Sheboygan, Wi via Telnet
- Centurion
  Sat Jun 6 15:32:28 2026
  from Berea, Ohio via Telnet
- Krenn
  Sat Jun 6 11:38:56 2026
  from Sydney, Nsw via Telnet
- Furryboy
  Sat Jun 6 10:56:29 2026
  from Romania, Galati via SSH

System Info

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	715
Nodes:	16 (0 / 16)
Uptime:	164:30:06
Calls:	12,095
Calls today:	3
Files:	15,001
Messages:	6,517,798

Bug#1109341: rlottie: CVE-2025-0634 CVE-2025-53074 CVE-2025-53075

Who's Online

Recent Visitors

System Info