
Bug#1109299: marked as done (qt6-base: CVE-2025-5992)



Your message dated Fri, 18 Jul 2025 14:39:42 +0000
with message-id <E1ucmFS-009bQP-2A@fasolo.debian.org>
and subject line Bug#1109299: fixed in qt6-base 6.8.2+dfsg-9
has caused the Debian Bug report #1109299,
regarding qt6-base: CVE-2025-5992
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1109299: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109299
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: qt6-base
Version: 6.8.2+dfsg-8
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for qt6-base.

CVE-2025-5992[0]:
| When passing values outside of the expected range to
| QColorTransferGenericFunction it can cause a denial of service, for
| example, this can happen when passing a specifically crafted ICC
| profile to QColorSpace::fromICCProfile. This issue affects Qt from
| 6.6.0 through 6.8.3, from 6.9.0 through 6.9.1. This is fixed in
| 6.8.4 and 6.9.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-5992
    https://www.cve.org/CVERecord?id=CVE-2025-5992
[1] https://codereview.qt-project.org/c/qt/qtbase/+/647919
[2] https://github.com/qt/qtbase/commit/f12d046383decf8f468de62732c9cff7d4303cbf

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: qt6-base
Source-Version: 6.8.2+dfsg-9
Done: Patrick Franz <deltaone@debian.org>

We believe that the bug you reported is fixed in the latest version of
qt6-base, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1109299@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Franz <deltaone@debian.org> (supplier of updated qt6-base package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 18 Jul 2025 15:28:20 +0200
Source: qt6-base
Architecture: source
Version: 6.8.2+dfsg-9
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Patrick Franz <deltaone@debian.org>
Closes: 1109299
Changes:
 qt6-base (6.8.2+dfsg-9) unstable; urgency=medium
 .
   [ Patrick Franz ]
   * Backport patch to fix the PQ EOTF formula for BT.2100. This patch is
     needed to make the patch for CVE-2025-5992 applicable.
   * Backport patch to fix CVE-2025-5992 (Closes: #1109299).
Checksums-Sha1:
 0b9b6104e6361dd127184f209d031c29cfa5a919 5470 qt6-base_6.8.2+dfsg-9.dsc
 b292382e64df9d5ab0c97bfbe894d9e8bfab7f37 196672 qt6-base_6.8.2+dfsg-9.debian.tar.xz
 971c045ce9a18cdd6b67bc1021257ecd85c0df66 10558 qt6-base_6.8.2+dfsg-9_source.buildinfo
Checksums-Sha256:
 40634de52d312c0cafdf134a32c23180f82a2482abe1c6457b58ea69c3485415 5470 qt6-base_6.8.2+dfsg-9.dsc
 7521dc3646ae99ffb6e1463344e43d31302c2e9fd78b8fd5b6c340f24c9801ec 196672 qt6-base_6.8.2+dfsg-9.debian.tar.xz
 648fb9c14ddb15bb640eb0ced8e35560a0d6dadc8ec16dcb5d9058d5de76822d 10558 qt6-base_6.8.2+dfsg-9_source.buildinfo
Files:
 78b27ad9e62c9055057dfe5b3047f407 5470 libs optional qt6-base_6.8.2+dfsg-9.dsc
 a1e40413735f13815ff64a79b3e20d8d 196672 libs optional qt6-base_6.8.2+dfsg-9.debian.tar.xz
 0ae460982a725f501cb96cae06a8dfde 10558 libs optional qt6-base_6.8.2+dfsg-9_source.buildinfo

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
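
A triage sketch for the version data in the two messages above, added here as an example and not part of the original mails or of Debian's tooling: the CVE text's upstream range includes 6.8.2, yet the 6.8.2+dfsg-9 upload carries the backported fix, so the check compares full Debian package versions with dpkg's ordering rules. It assumes the unstable suite and that later uploads keep the patch; `triage` and the helper names are hypothetical.

```python
import re
from itertools import zip_longest

# Values taken from the messages above.
UPSTREAM_AFFECTED = [((6, 6, 0), (6, 8, 3)), ((6, 9, 0), (6, 9, 1))]
DEBIAN_FIXED = "6.8.2+dfsg-9"  # unstable upload that closed #1109299

def _order(ch):
    # dpkg ordering: '~' sorts before end-of-string, letters before symbols.
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _key(part):
    # Alternating non-digit / digit runs; 0 marks the end of a non-digit run.
    return [([_order(c) for c in text] + [0], int(num or 0))
            for text, num in re.findall(r"([^0-9]*)([0-9]*)", part)]

def _cmp_part(a, b):
    for x, y in zip_longest(_key(a), _key(b), fillvalue=([0], 0)):
        if x != y:
            return -1 if x < y else 1
    return 0

def split_version(version):
    # [epoch:]upstream[-revision]; the revision follows the last hyphen.
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def deb_cmp(a, b):
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def triage(pkg_version):
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", split_version(pkg_version)[1])
    if not m:
        raise ValueError("no x.y.z upstream version in " + pkg_version)
    qt = tuple(int(g) for g in m.groups())
    if not any(lo <= qt <= hi for lo, hi in UPSTREAM_AFFECTED):
        return "not affected"
    if deb_cmp(pkg_version, DEBIAN_FIXED) >= 0:
        return "fixed by Debian backport"
    return "vulnerable"
```
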
