On Sat, 26 Jul 2025 at 14:58:32 +0200, Cyril Brulebois wrote:
> Are you planning to request an unblock for gdk-pixbuf 2.42.12+dfsg-4? I'm happy either way regarding the upcoming RC 3 (and 13.0). Just thought I'd drop you a note with the full freeze coming up.
Thanks for the reminder, but the change is not in any upstream release yet and I did get one report of a regression, although I couldn't reproduce it and now the reporter can't either (see #1109199). This makes me cautious about destabilizing the release, so at this point my inclination is to skip that change for 13.0 and either fix it via trixie-security or in 13.1, depending on what the security team think. Is that OK from the -boot point of view?
Upstream no longer recommends gdk-pixbuf as a loader for untrusted content (it's fine for trusted app resources, but something memory-safe and with integrated sandboxing like glycin is their new recommendation for untrusted image viewing), and for libgnome-desktop's thumbnailer, any exploit risks in gdk-pixbuf are mitigated by libgnome-desktop sandboxing the decoder with bubblewrap.
Let's take any further discussion regarding CVE-2025-7345 to its tracking bug, #1109262.
smcv