Bug#1105885: Helping to fix CVE-2025-4817{4,5} on bookworm
Hi Multimedia Maintainers and Boyuan,
On Mon, May 26, 2025 at 10:17:53PM -0300, Carlos Henrique Lima Melara wrote:
> Hi,
>
> On Sun, May 25, 2025 at 08:42:30PM +0200, Salvatore Bonaccorso wrote:
> > Attached are the patches we aim to use for bookworm.
> >
> > The first one, is very similar to your backported one, but it uses
> > abort() instead of exit(1), as upstream suggested to be consistent
> > with avifAlloc(). I put an explanation in the patch.
> >
> > The second was handled after all in public as you asked there as well,
> > so it is identical to what Wan-Teh Chang posted on the issue.
> >
> > Hope this helps.
>
> It does help quite a lot, thanks Salvatore! I've tested things in
> bullseye and all is fine [1] (though it had only one rdep in there and
> no rdep autopkgtest, it was quite a new package at the time).
I've uploaded the fix to LTS and sent the DLA. I've also opened a merge
request in libavif's repo to update the debian/bullseye branch with the
latest version [1]; could you merge it, please?
A small note: the tag for 0.8.4-2+deb11u2 is available in my fork [2].
Could you grab it from there and push it to multimedia-team/libavif, or
give me permission so I can do it myself? The tag for 0.8.4-2+deb11u1 is
missing in the repo too.
Cheers,
Charles
[1] https://salsa.debian.org/multimedia-team/libavif/-/merge_requests/4
[2] https://salsa.debian.org/charles/libavif