• Re: gdk-pixbuf for trixie?

    From Simon McVittie@21:1/5 to Cyril Brulebois on Sat Jul 26 15:50:01 2025
    XPost: linux.debian.maint.boot

    On Sat, 26 Jul 2025 at 14:58:32 +0200, Cyril Brulebois wrote:
    > Are you planning to request an unblock for gdk-pixbuf 2.42.12+dfsg-4?
    > I'm happy either way regarding the upcoming RC 3 (and 13.0). Just
    > thought I'd drop you a note with the full freeze coming up.

    Thanks for the reminder, but the change is not in any upstream release
    yet and I did get one report of a regression, although I couldn't
    reproduce it and now the reporter can't either (see #1109199). This
    makes me cautious about destabilizing the release, so at this point my
    inclination is to skip that change for 13.0 and either fix it via
    trixie-security or in 13.1, depending on what the security team think.
    Is that OK from the -boot point of view?

    Upstream no longer recommends gdk-pixbuf as a loader for untrusted
    content (it's fine for trusted app resources, but something memory-safe
    and with integrated sandboxing like glycin is their new recommendation
    for untrusted image viewing), and for libgnome-desktop's thumbnailer,
    any exploit risks in gdk-pixbuf are mitigated by libgnome-desktop
    sandboxing the decoder with bubblewrap.

    Let's take any further discussion regarding CVE-2025-7345 to its
    tracking bug, #1109262.

    smcv

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Cyril Brulebois@21:1/5 to All on Sat Jul 26 18:40:01 2025
    XPost: linux.debian.maint.boot

    Simon McVittie <[email protected]> (2025-07-26):
    > Thanks for the reminder, but the change is not in any upstream release
    > yet and I did get one report of a regression, although I couldn't
    > reproduce it and now the reporter can't either (see #1109199). This
    > makes me cautious about destabilizing the release, so at this point my
    > inclination is to skip that change for 13.0 and either fix it via
    > trixie-security or in 13.1, depending on what the security team think.
    > Is that OK from the -boot point of view?

    Absolutely, that makes total sense! No updates, updates via security,
    and updates via point releases are all fine with me; my goal was only to
    make sure the upcoming d-i release(s) wouldn't interfere with your plans
    regarding this package.

    Thanks for the quick answer.


    Cheers,
    --
    Cyril Brulebois ([email protected]) <https://debamax.com/>
    D-I release manager -- Release team member -- Freelance Consultant

