Bug#1104154: bookworm-pu: package fig2dev/1:3.2.8b-3+deb12u2
Hi,
On Sat, Apr 26, 2025 at 09:03:44AM +0200, Roland Rosenfeld wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian.org@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: fig2dev@packages.debian.org
> Control: affects -1 + src:fig2dev
>
> [ Reason ]
> This fixes CVE-2025-46397, CVE-2025-46398, CVE-2025-46399,
> CVE-2025-46400, some seg-faults/stack-overflows in different fig2dev
> drivers.
>
> [ Impact ]
> Segmentation faults with some special cases and a minor security
> issue.
>
> [ Tests ]
> salsa-ci passed except reprotest (this seems to build the package with
> sid instead of bookworm, which uses a newer, different ghostscript
> version, resulting in a slightly different gray rastering with two
> more dots in an example, so one test in the testsuite fails):
> https://salsa.debian.org/debian/fig2dev/-/pipelines/856098
>
> The patch for CVE-2025-46397 adds a new test case.
>
> [ Risks ]
> Hopefully none...
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> - fix for CVE-2025-46397
> - fix for CVE-2025-46398
> - fix for CVE-2025-46399
> - fix for CVE-2025-46400
>
> [ Other info ]
> I agreed with the security team (Moritz Mühlenhoff) that these are
> minor security issues, which from my point of view should not need a
> DSA, but it's better to go via a point release.
FWIW, the CVEs have been rejected in the meantime as there is no real
security impact. I still think it is worthwhile to upload your
package for the upcoming point release, but please drop the CVE id
mentions.
Regards,
Salvatore