Bug#1106358: bookworm-pu: package libraw/0.20.2-2.1+deb12u1
Hi
On Fri, May 23, 2025 at 01:48:11PM +0200, Guilhem Moulin wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: libraw@packages.debian.org
> Control: affects -1 + src:libraw
> User: release.debian.org@packages.debian.org
> Usertags: pu
>
> [ Reason ]
>
> Fix <no-dsa> security issues CVE-2025-4396[1-4].
>
> [ Impact ]
>
> Users will remain vulnerable to the aforementioned issues. Upgrading
> users might regress as the issues are fixed in Bullseye LTS.
>
> [ Tests ]
>
> The package lacks automated tests but bound checks from the debdiff have
> been tested.
>
> [ Risks ]
>
> Low risk: each patch comes from upstream and trivially applies to 0.20.2-2.1.
>
> [ Checklist ]
>
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
>
> * Fix CVE-2025-43961: Out-of-bounds read in the Fujifilm 0xf00c tag parser.
> * Fix CVE-2025-43962: Out-of-bounds reads for tag 0x412 processing, related
> to large w0 or w1 values or the frac and mult calculations.
> * Fix CVE-2025-43963: Out-of-buffer access because split_col and split_row
> values are not checked in 0x041f tag processing.
> * Fix CVE-2025-43964: Tag 0x412 processing in phase_one_correct() does not
> enforce minimum w0 and w1 values.
> * Add d/salsa-ci.yml for Salsa CI.
Looks like there was overlapping work with Moritz here and Moritz did then
already upload. So I would say to close this bug in favour of
#1106536?
Regards,
Salvatore