
Bug#1117447: marked as done (qt6-svg: CVE-2025-10728)



Your message dated Tue, 07 Oct 2025 21:07:34 +0000
with message-id <E1v6EuE-00891I-0l@fasolo.debian.org>
and subject line Bug#1117447: fixed in qt6-svg 6.9.2-3
has caused the Debian Bug report #1117447,
regarding qt6-svg: CVE-2025-10728
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1117447: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117447
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: qt6-svg
Version: 6.9.2-2
Severity: important
Tags: security upstream
Forwarded: https://bugreports.qt.io/browse/QTBUG-137553
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for qt6-svg.

CVE-2025-10728[0]:
| When the module renders a Svg file that contains a <pattern>
| element, it might end up rendering it recursively leading to stack
| overflow DoS


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-10728
    https://www.cve.org/CVERecord?id=CVE-2025-10728
[1] https://bugreports.qt.io/browse/QTBUG-137553

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: qt6-svg
Source-Version: 6.9.2-3
Done: Patrick Franz <deltaone@debian.org>

We believe that the bug you reported is fixed in the latest version of
qt6-svg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1117447@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Franz <deltaone@debian.org> (supplier of updated qt6-svg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 07 Oct 2025 22:56:49 +0200
Source: qt6-svg
Architecture: source
Version: 6.9.2-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Patrick Franz <deltaone@debian.org>
Closes: 1117445 1117447
Changes:
 qt6-svg (6.9.2-3) unstable; urgency=medium
 .
   [ Patrick Franz ]
   * Backport patch to fix CVE-2025-10728 (Closes: #1117447).
   * Backport patch to fix CVE-2025-10729 (Closes: #1117445).


--- End Message ---