Bug#1108157: poco: CVE-2025-6375

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1108157: poco: CVE-2025-6375
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 21 Jun 2025 21:14:50 +0200
Message-id: <[🔎] 175053329005.3138994.216960142972674798.reportbug@eldamar.lan>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 1108157@bugs.debian.org

Source: poco
Version: 1.13.0-6
Severity: important
Tags: security upstream
Forwarded: https://github.com/pocoproject/poco/issues/4915
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for poco.

CVE-2025-6375[0]:
| A vulnerability was found in poco up to 1.14.1. It has been rated as
| problematic. Affected by this issue is the function
| MultipartInputStream of the file Net/src/MultipartReader.cpp. The
| manipulation leads to null pointer dereference. The attack needs to
| be approached locally. The exploit has been disclosed to the public
| and may be used. Upgrading to version 1.14.2 is able to address this
| issue. The patch is identified as
| 6f2f85913c191ab9ddfb8fae781f5d66afccf3bf. It is recommended to
| upgrade the affected component.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-6375
    https://www.cve.org/CVERecord?id=CVE-2025-6375
[1] https://github.com/pocoproject/poco/issues/4915
[2] https://github.com/pocoproject/poco/commit/6f2f85913c191ab9ddfb8fae781f5d66afccf3bf

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply to:

Prev by Date: Processed: Mark that the bug has been fixed
Next by Date: Processed: Tagging as pending
Previous by thread: Processed: Mark that the bug has been fixed
Next by thread: Processed: Tagging as pending
Index(es):
- Date
- Thread