Bug#1107317: marked as done (qt6-imageformats: CVE-2025-5683)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Fri, 06 Jun 2025 17:53:02 +0000
with message-id <E1uNbFW-00Ed3e-DE@fasolo.debian.org>
and subject line Bug#1107317: fixed in qt6-imageformats 6.8.2-4
has caused the Debian Bug report #1107317,
regarding qt6-imageformats: CVE-2025-5683
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1107317: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107317
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: submit@bugs.debian.org
• Subject: qt6-imageformats: CVE-2025-5683
• From: Moritz Mühlenhoff <jmm@inutil.org>
• Date: Thu, 5 Jun 2025 17:16:56 +0200
• Message-id: <[🔎] aEG06OJyr7RhdwxZ@pisco.westfalen.local>

Source: qt6-imageformats
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qt6-imageformats.

CVE-2025-5683[0]:
| When loading a specifically crafted ICNS format image file in QImage
| then it will trigger a crash. This issue affects Qt from versions
| 6.3.0 through 6.5.9, from 6.6.0 through 6.8.4, 6.9.0. This is fixed
| in 6.5.10, 6.8.5 and 6.9.1.

https://codereview.qt-project.org/c/qt/qtimageformats/+/644548
https://github.com/qt/qtimageformats/commit/efd332516f510144927121fa749ce819b82ec633


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-5683
    https://www.cve.org/CVERecord?id=CVE-2025-5683

Please adjust the affected versions in the BTS as needed.

--- End Message ---

--- Begin Message ---

• To: 1107317-close@bugs.debian.org
• Subject: Bug#1107317: fixed in qt6-imageformats 6.8.2-4
• From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
• Date: Fri, 06 Jun 2025 17:53:02 +0000
• Message-id: <E1uNbFW-00Ed3e-DE@fasolo.debian.org>
• Reply-to: Patrick Franz <deltaone@debian.org>

Source: qt6-imageformats
Source-Version: 6.8.2-4
Done: Patrick Franz <deltaone@debian.org>

We believe that the bug you reported is fixed in the latest version of
qt6-imageformats, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1107317@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Franz <deltaone@debian.org> (supplier of updated qt6-imageformats package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 06 Jun 2025 19:37:30 +0200
Source: qt6-imageformats
Architecture: source
Version: 6.8.2-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Patrick Franz <deltaone@debian.org>
Closes: 1107317
Changes:
 qt6-imageformats (6.8.2-4) unstable; urgency=medium
 .
   [ Patrick Franz ]
   * Backport patch to fix CVE-2025-5683 (Closes: #1107317).
Checksums-Sha1:
 3f829dafda858dd04a777bed0c6be8685f8c9f02 2524 qt6-imageformats_6.8.2-4.dsc
 0edcc545f2894f1b18dd9fa35b439db2a5210e58 6368 qt6-imageformats_6.8.2-4.debian.tar.xz
 557cde2c52abee3e626f98c404a82eaa25bc9715 12738 qt6-imageformats_6.8.2-4_source.buildinfo
Checksums-Sha256:
 d29662bdbe03a671fe609ce44ea209411ee3fcd14dc1fa607536d6be18a73cd7 2524 qt6-imageformats_6.8.2-4.dsc
 56f421e1bb88b2448d30b0aecee38039f87b4ec5860d4e7f942e55efc0d7398a 6368 qt6-imageformats_6.8.2-4.debian.tar.xz
 e31cf0c50da62ed086e92c29f0564e2ca2970674383d966df3ed40f0cac2785d 12738 qt6-imageformats_6.8.2-4_source.buildinfo
Files:
 9ffa0f45f04427419a40a7baee75e921 2524 libs optional qt6-imageformats_6.8.2-4.dsc
 466d587ea0822cf24bab7ab2b5ca64b7 6368 libs optional qt6-imageformats_6.8.2-4.debian.tar.xz
 159f78db207f9fdc5b3649f1df47ab5f 12738 libs optional qt6-imageformats_6.8.2-4_source.buildinfo

-----BEGIN PGP SIGNATURE-----

wsG7BAEBCgBvBYJoQyfOCRCen3pgMHf+VkcUAAAAAAAeACBzYWx0QG5vdGF0aW9u
cy5zZXF1b2lhLXBncC5vcme98llc7PfpIL7fnq1XFP0lgFxeKHziW3DhBBuzeZT/
GxYhBGKHQVw0evHMWR7typ6femAwd/5WAADdVw//RtfD5MUcjbcrNVwOxLzlKNzC
PxFZX1rMKwYcXzIskbDky2IpF7wuPZlEd4daG8jC3H6zBXo/ico4YCWKvljrx7CC
itFEHz0CNRCOUif1n7osPhgi9PZxJfTq1sKgwX41CLrMOncW4MqA53gDFsbuk8JZ
YHPZ73tWYD0rVocFO5j0hB3ZggmJ2sooLznJy9soAW9CR8prT1I0+bOwfEfHpHAn
AlAmPNs0q3vAELUFLs7T1m+JLiOOEuNfAO/DWy488oVCUKvm/tDl0KdQjzbs0pfA
u6kVynK7dge20DMd36Mpr+Mlhvzig0n5L+NJqJm8eaeDrOVFUqzJz5Cq5/kIZBcy
NFqENbf8lwen78B3ZDSTMSiDselgqs0Gt+6k3rcwatwpM72N11bwmDtgUn5BxqBT
mPtFenlftsuPd+/Ds4iR7SYeqUBrzoQ/aIRyinUuzUcqbQTsaCq0Ipxb0uHfhqxU
RkMrybppnfTNO7zCtnGvg2YdvITUCQ7sWJMuGq+fiJ1X7yAexMc2o2PIkQkYUg+y
qj9quQS08DeMYwIcqYEUFsLxFJ1cvfob/8moROs4z7A/WL36cu1cdM92xniTskZe
W/I8pNvdw5LVSFLaR/Pe66nZltaG2PP1lmTM5rwGRxsbsiTwtq6YlS9v2vHnj2QO
YGPT1kzEDz12WZvPXZk=
=/nEJ
-----END PGP SIGNATURE-----

Attachment: pgpbxKKwu7Fw3.pgp
Description: PGP signature

--- End Message ---