• Bug#1108868: unblock: qtimageformats-opensource-src/5.15.15-4

    From Salvatore Bonaccorso@21:1/5 to All on Sun Jul 6 16:10:01 2025
    XPost: linux.debian.devel.release

    Package: release.debian.org
    Severity: normal
    X-Debbugs-Cc: [email protected], [email protected], Dmitry Shachnev <[email protected]>, [email protected]
    Control: affects -1 + src:qtimageformats-opensource-src
    User: [email protected]
    Usertags: unblock

    Hi

    qtimageformats-opensource-src in trixie is vulnerable to
    CVE-2025-5683, cf. #1107318.

    The package cannot migrate automatically as it does not contain
    autopkgtests.

    Dmitry, what is your take on it?

    Attached is the debdiff for the package fixing the issue.

    Regards,
    Salvatore

    diff -Nru qtimageformats-opensource-src-5.15.15/debian/changelog qtimageformats-opensource-src-5.15.15/debian/changelog
    --- qtimageformats-opensource-src-5.15.15/debian/changelog 2024-10-28 22:08:53.000000000 +0100
    +++ qtimageformats-opensource-src-5.15.15/debian/changelog 2025-06-06 09:57:26.000000000 +0200
    @@ -1,3 +1,10 @@
    +qtimageformats-opensource-src (5.15.15-4) unstable; urgency=medium
    +
    + * Backport upstream patch to fix validation issue for ICNS image
    + (CVE-2025-5683, closes: #1107318).
    +
    + -- Dmitry Shachnev <[email protected]> Fri, 06 Jun 2025 10:57:26 +0300
    +
    qtimageformats-opensource-src (5.15.15-3) unstable; urgency=medium

    * Add a patch to reject broken MNG images, backported from qtbase 6.0
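    Review bot: the bullet and trailer lines of the new entry appear here with a single leading space (`+ * Backport upstream patch to fix validation issue for ICNS image`, `+ -- Dmitry Shachnev <...> Fri, 06 Jun 2025 10:57:26 +0300`); dpkg-parsechangelog expects the bullets indented by two spaces and the trailer to begin with ` -- ` with two spaces between the maintainer address and the date, so please confirm this is a rendering artifact of the mail rather than the file contents. The rest of the entry is consistent: the trailer date matches the file timestamp 2025-06-06 09:57:26 +0200, and it names both CVE-2025-5683 and the closing bug #1107318, which is what the release team cross-checks against the unblock request. It would still help to state briefly what the validation issue in the ICNS reader was and which upstream change the patch comes from, since the patch file name carries only the CVE.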
    diff -Nru qtimageformats-opensource-src-5.15.15/debian/patches/CVE-2025-5683.patch qtimageformats-opensource-src-5.15.15/debian/patches/CVE-2025-5683.patch
    --- qtimageformats-opensource-src-5.15.15/debian/patches/CVE-2025-5683.patch 1970-01-01 01:00:00.000000000 +0100
    +++ qtimageformats-opensource-src-5.15.15/debian/patches/CVE-2025-5683.patch 2025-06-06 09:57:26.000000000 +0200
    @@ -0,0 +1,31 @@
    +D
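    Review bot: the hunk header announces 31 added lines but only `+D` is visible here, so the backport itself cannot be assessed from this mail; please attach the full debian/patches/CVE-2025-5683.patch or point at the upstream commit it was taken from. As a new file it should carry a DEP-3 header (Description, Origin with the upstream commit, Bug-Debian: https://bugs.debian.org/1107318, Last-Update) so the release team can verify that the backport is exactly the upstream fix. The debdiff as shown also cuts off before any debian/patches/series change, so make sure the new patch is registered there, and since the package has no autopkgtests a short note on how the fix was exercised (for example loading a sample ICNS file through the plugin) would strengthen the unblock request.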