Bug#1107318: marked as done (qtimageformats-opensource-src: CVE-2025-5683)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Fri, 06 Jun 2025 11:21:59 +0000
with message-id <E1uNV95-00DKLD-Qb@fasolo.debian.org>
and subject line Bug#1107318: fixed in qtimageformats-opensource-src 5.15.15-4
has caused the Debian Bug report #1107318,
regarding qtimageformats-opensource-src: CVE-2025-5683
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1107318: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107318
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: submit@bugs.debian.org
• Subject: qtimageformats-opensource-src: CVE-2025-5683
• From: Moritz Mühlenhoff <jmm@inutil.org>
• Date: Thu, 5 Jun 2025 17:17:19 +0200
• Message-id: <[🔎] aEG0_4bQMcOo_7v8@pisco.westfalen.local>

Source: qtimageformats-opensource-src
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qtimageformats-opensource-src.

CVE-2025-5683[0]:
| When loading a specifically crafted ICNS format image file in QImage
| then it will trigger a crash. This issue affects Qt from versions
| 6.3.0 through 6.5.9, from 6.6.0 through 6.8.4, 6.9.0. This is fixed
| in 6.5.10, 6.8.5 and 6.9.1.

https://codereview.qt-project.org/c/qt/qtimageformats/+/644548
https://github.com/qt/qtimageformats/commit/efd332516f510144927121fa749ce819b82ec633


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-5683
    https://www.cve.org/CVERecord?id=CVE-2025-5683

Please adjust the affected versions in the BTS as needed.

--- End Message ---

--- Begin Message ---

• To: 1107318-close@bugs.debian.org
• Subject: Bug#1107318: fixed in qtimageformats-opensource-src 5.15.15-4
• From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
• Date: Fri, 06 Jun 2025 11:21:59 +0000
• Message-id: <E1uNV95-00DKLD-Qb@fasolo.debian.org>
• Reply-to: Dmitry Shachnev <mitya57@debian.org>

Source: qtimageformats-opensource-src
Source-Version: 5.15.15-4
Done: Dmitry Shachnev <mitya57@debian.org>

We believe that the bug you reported is fixed in the latest version of
qtimageformats-opensource-src, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1107318@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Shachnev <mitya57@debian.org> (supplier of updated qtimageformats-opensource-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 06 Jun 2025 10:57:26 +0300
Source: qtimageformats-opensource-src
Architecture: source
Version: 5.15.15-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Dmitry Shachnev <mitya57@debian.org>
Closes: 1107318
Changes:
 qtimageformats-opensource-src (5.15.15-4) unstable; urgency=medium
 .
   * Backport upstream patch to fix validation issue for ICNS image
     (CVE-2025-5683, closes: #1107318).
Checksums-Sha1:
 0a0171e02d61dcd3c845267eef104783d2928d20 2452 qtimageformats-opensource-src_5.15.15-4.dsc
 33399d84fc8e27cb678c35a24c7324e878254edf 8364 qtimageformats-opensource-src_5.15.15-4.debian.tar.xz
 29d1a264bd6f3eb75d5fb2df41a322b3d5699e1d 13235 qtimageformats-opensource-src_5.15.15-4_source.buildinfo
Checksums-Sha256:
 acf549065a28827798f0e8a6ec538504fa68b8a8e6e7e99127be47e8e6367640 2452 qtimageformats-opensource-src_5.15.15-4.dsc
 17e4ff716109cdb1770dc1031de5ee1e0d3ad8481c9d70a928aae9c498202711 8364 qtimageformats-opensource-src_5.15.15-4.debian.tar.xz
 f979511f7756cd88d477293b88e10e813d7c842c2ca22e967b1b55b8cb057bc9 13235 qtimageformats-opensource-src_5.15.15-4_source.buildinfo
Files:
 20b47f707514c70c53883975f496218c 2452 libs optional qtimageformats-opensource-src_5.15.15-4.dsc
 d642aa2c4513aa01214d02ddd27b7b3b 8364 libs optional qtimageformats-opensource-src_5.15.15-4.debian.tar.xz
 a2816e73670cc85b13f75309c17feaa5 13235 libs optional qtimageformats-opensource-src_5.15.15-4_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJHBAEBCgAxFiEEq2sdvrA0LydXHe1qsmYUtFL0RrYFAmhCn5YTHG1pdHlhNTdA
ZGViaWFuLm9yZwAKCRCyZhS0UvRGth/yEACBOqf61fgnwdfl2s1b9JHxyU3PZAto
hTcfauD6amu5VSSUx7HTsK+JFdFq7J1euJib3Y0rtRB6x0rEp4U2Cv7E9KNuzfiw
FW0JByrnANDj52nPxs2cpPVNhrDGaA2Psu+Gs+Fgjl0yu6enHcr1B3A5O+C09yvW
1OcKRRsW35gqRUqJXAmlyj8sP+yIhR9UW+d+0uRuyWjvNw0SP88gK+tGLySuDEwb
YXrXF6B66DNPvJ61eNJ/dnnuhb3GQNbOiH2GoGo+0zwGmFVxESl93On+K9zkGiuo
wfsf0FbbkpPQt5uN3kXSRkdSrHapgPrkXU92z7wHMenWxNstk0RCJE8TQaM1XYpS
S3+lYmXVgPS86RhHnqmPBArY6FNBb9UX+RErQg/DvjKFkxPUchvG2en16zFTAKjb
5dthJrJFsYirpafWEsEb70nlligZgCYcRvEWNdhPupO0WELIjAKW88HfGd2q0Xn9
WKdF72h+VgkfatxDw/z7J42l1Vcgn9k5++0PjO/kKApCHSvAFvWNp6W3qkvQjYup
ypdbjS4EnWP7QIl/SjpuVwQbiBdF7V06HvwBXqb2Tqwh3cXtlziHJzzj1b+hk9nA
NdN87MWgyuSrGwQK/Q66r4F82wFXAFoaIeyt8HZDyrpr/H6irrsU0y9GL58zlOLs
Dz1GrMuDG66OEw==
=/HZh
-----END PGP SIGNATURE-----

Attachment: pgpLzf13jj8Ky.pgp
Description: PGP signature

--- End Message ---