Bug#1121041: bookworm-pu: package gdk-pixbuf/2.42.10+dfsg-1+deb12u3



Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: gdk-pixbuf@packages.debian.org
Control: affects -1 + src:gdk-pixbuf
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

[ Reason ]

The reason for the bookworm-pu bug is CVE-2025-7345 [1][2], which is a
potential buffer overflow. The fix was applied already in sid, trixie,
bullseye and other ELTS releases with no reports of regressions but one
in testing [3] before the release of trixie. After further communication
with the reporter, it was dismissed as probably an inconsistent
environment on their side. The reported regression was unreproducible in
trixie, bullseye and also bookworm (tested in a clean VM with multiple
GNOME applications).

[ Impact ]

We have a pending CVE and a potential buffer overflow in bookworm.

[ Tests ]

I have manually reproduced the reported ASAN overflow in bookworm and
also verified the patch fixed it. The package's autopkgtest was run and
passes without regressions. I have also uploaded it to debusine.d.n [4]
to check rdep autopkgtests using the fixed version and no new failures
showed up when comparing to the version currently in bookworm [5].

[ Risks ]

The patch is pretty trivial: it makes sure there is enough space
allocated without blindly trusting what the image headers say, and bails
out if there isn't enough space. For a correctly defined JPEG image
there shouldn't be any impact, since the headers wouldn't lie.
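As an added illustration of the check described above (example code written for this page, not gdk-pixbuf's io-jpeg.c), a simplified C model of reassembling a chunked ICC_PROFILE payload: the `IccContext` layout, `icc_append_chunk` and the sizing rule "announced count times first chunk length" are assumptions of this model.

```c
/* Simplified model of reassembling a JPEG APP2 "ICC_PROFILE" payload split
 * across markers that each carry a 1-based sequence number and the total
 * chunk count. Illustrative code, not gdk-pixbuf's io-jpeg.c. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
typedef struct {
    unsigned char *profile; /* reassembled ICC data */
    size_t alloc;           /* bytes actually allocated */
    size_t size;            /* bytes a consumer may read */
    size_t chunk_len;       /* payload length of the first chunk */
    unsigned count;         /* chunk count announced by the first chunk */
} IccContext;

/* Appends one chunk; any inconsistency discards the partial profile. */
bool icc_append_chunk(IccContext *ctx, unsigned seq, unsigned count,
                      const unsigned char *data, size_t len)
{
    size_t offset;
    if (seq == 0 || count == 0 || seq > count || len == 0)
        goto fail;
    if (ctx->profile == NULL) {
        /* First chunk sizes the buffer as count * its length: an assumption
         * of this model, not necessarily how io-jpeg.c computes it. */
        if (seq != 1)
            goto fail;
        ctx->chunk_len = len;
        ctx->count = count;
        ctx->alloc = len * (size_t)count;
        if ((ctx->profile = calloc(1, ctx->alloc)) == NULL)
            goto fail;
    } else if (count != ctx->count || len > ctx->chunk_len) {
        goto fail;
    }
    offset = (size_t)(seq - 1) * ctx->chunk_len;
    /* Check against what was really allocated, not what the headers claim. */
    if (offset > ctx->alloc || len > ctx->alloc - offset)
        goto fail;
    memcpy(ctx->profile + offset, data, len);
    /* Vulnerable accounting was 'size += len': a repeated sequence number made
     * size exceed the allocation. Keep a high-water mark, as upstream's MAX(). */
    if (offset + len > ctx->size)
        ctx->size = offset + len;
    return true;
fail:
    free(ctx->profile);
    ctx->profile = NULL;
    ctx->size = ctx->alloc = 0;
    return false;
}
```

With the high-water mark, a sequence number that repeats or exceeds the announced count can no longer push the reported size past the allocation, which is the size the base64 encoder later trusts.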

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

Cherry-pick of the patch fixing the CVE; the explanation for it is in
the Risks section. Aside from that, there are some changes to add
salsa-ci and enable its full coverage, which includes marking a
second test as flaky when running under salsa-ci. Also, switch to
debian/bookworm in gbp.conf.

[ Other info ]

Although the last two changes mentioned in the Changes section don't impact
the archive, they do provide more comfort and assurance before uploading,
so I think it's worth keeping them. If the Stable Release Managers prefer
not to have them, please let me know.

Cheers,
Charles

[1] https://security-tracker.debian.org/tracker/CVE-2025-7345
[2] https://bugs.debian.org/1109262
[3] https://bugs.debian.org/1109199
[4] https://debusine.debian.net/debian/developers/work-request/197302/
[5] https://debusine.debian.net/debian/developers/work-request/197416/
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/changelog gdk-pixbuf-2.42.10+dfsg/debian/changelog
--- gdk-pixbuf-2.42.10+dfsg/debian/changelog	2025-06-19 17:52:54.000000000 -0300
+++ gdk-pixbuf-2.42.10+dfsg/debian/changelog	2025-10-22 22:45:57.000000000 -0300
@@ -1,3 +1,23 @@
+gdk-pixbuf (2.42.10+dfsg-1+deb12u3) bookworm; urgency=medium
+
+  * Team upload.
+
+  [ Jeremy Bícha ]
+  * debian/gbp.conf: Branch for bookworm.
+
+  [ Carlos Henrique Lima Melara ]
+  * debian/patches/CVE-2025-7345.patch: import patch from upstream.
+      - CVE-2025-7345: A flaw exists in gdk‑pixbuf within the
+        gdk_pixbuf__jpeg_image_load_increment function (io-jpeg.c) and in
+        glib’s g_base64_encode_step (glib/gbase64.c) potentially leading to a
+        buffer overflow. (Closes: #1109262)
+  * debian/salsa-ci.yml: build with nocheck and pass SALSA_CI=true for
+    autopkgtest job.
+  * debian/tests/installed-tests{,flaky}: check SALSA_CI variable to decide
+    what is flaky or not.
+
+ -- Carlos Henrique Lima Melara <charlesmelara@riseup.net>  Wed, 22 Oct 2025 22:45:57 -0300
+
 gdk-pixbuf (2.42.10+dfsg-1+deb12u2) bookworm-security; urgency=medium
 
   * CVE-2025-6199 (Closes: #1107994)
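Review bot: the `- CVE-2025-7345:` bullet carries a non-breaking hyphen in `gdk‑pixbuf` and a curly apostrophe in `glib’s`, apparently pasted from the advisory text; plain ASCII `-` and `'` would keep the changelog grep-able and consistent with the rest of the file. Otherwise the entry accounts for every file touched by the debdiff and its `Closes: #1109262` matches the `Bug-Debian` header of the new patch.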
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/gbp.conf gdk-pixbuf-2.42.10+dfsg/debian/gbp.conf
--- gdk-pixbuf-2.42.10+dfsg/debian/gbp.conf	2025-06-19 17:52:54.000000000 -0300
+++ gdk-pixbuf-2.42.10+dfsg/debian/gbp.conf	2025-10-22 22:45:57.000000000 -0300
@@ -1,6 +1,6 @@
 [DEFAULT]
 pristine-tar = True
-debian-branch = debian/master
+debian-branch = debian/bookworm
 upstream-branch = upstream/latest
 
 [buildpackage]
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/patches/CVE-2025-7345.patch gdk-pixbuf-2.42.10+dfsg/debian/patches/CVE-2025-7345.patch
--- gdk-pixbuf-2.42.10+dfsg/debian/patches/CVE-2025-7345.patch	1969-12-31 21:00:00.000000000 -0300
+++ gdk-pixbuf-2.42.10+dfsg/debian/patches/CVE-2025-7345.patch	2025-10-22 22:45:57.000000000 -0300
@@ -0,0 +1,55 @@
+From 4af78023ce7d3b5e3cec422a59bb4f48fa4f5886 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Fri, 11 Jul 2025 11:02:05 -0400
+Subject: [PATCH] jpeg: Be more careful with chunked icc data
+
+We we inadvertendly trusting the sequence numbers not to lie.
+If they do we would report a larger data size than we actually
+allocated, leading to out of bounds memory access in base64
+encoding later on.
+
+This has been assigned CVE-2025-7345.
+
+Fixes: #249
+
+Origin: upstream, https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/4af78023ce7d3b5e3cec422a59bb4f48fa4f5886
+Bug: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/249
+Bug-Debian: https://bugs.debian.org/1109262
+Last-Update: 2025-09-30
+---
+ gdk-pixbuf/io-jpeg.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
+index 9cfd29718..103820c5a 100644
+--- a/gdk-pixbuf/io-jpeg.c
++++ b/gdk-pixbuf/io-jpeg.c
+@@ -359,6 +359,7 @@ jpeg_parse_exif_app2_segment (JpegExifContext *context, jpeg_saved_marker_ptr ma
+ 		context->icc_profile = g_new (gchar, chunk_size);
+ 		/* copy the segment data to the profile space */
+ 		memcpy (context->icc_profile, marker->data + 14, chunk_size);
++                ret = TRUE;
+ 		goto out;
+ 	}
+ 
+@@ -380,12 +381,15 @@ jpeg_parse_exif_app2_segment (JpegExifContext *context, jpeg_saved_marker_ptr ma
+ 	/* copy the segment data to the profile space */
+ 	memcpy (context->icc_profile + offset, marker->data + 14, chunk_size);
+ 
+-	/* it's now this big plus the new data we've just copied */
+-	context->icc_profile_size += chunk_size;
++        context->icc_profile_size = MAX (context->icc_profile_size, offset + chunk_size);
+ 
+ 	/* success */
+ 	ret = TRUE;
+ out:
++        if (!ret) {
++                g_free (context->icc_profile);
++                context->icc_profile = NULL;
++        }
+ 	return ret;
+ }
+ 
+-- 
+GitLab
+
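Review bot: the `ret = TRUE;` added in the first hunk (line 359 region) is required rather than cosmetic: that early `goto out` path previously left `ret` at its initial value, and with the new `if (!ret)` cleanup at `out:` a valid single-chunk profile would otherwise be freed. The `MAX (context->icc_profile_size, offset + chunk_size)` line stops a lying sequence number from growing the reported size beyond what was written, but it still relies on `offset + chunk_size` having been checked against the allocation of `context->icc_profile` earlier in the function, outside this hunk; since the commit was authored against a newer upstream tree than 2.42.10, confirming that check is present in the bookworm io-jpeg.c is worthwhile, which the ASAN reproducer run described under [ Tests ] effectively does. The added lines use 8-space indentation where the surrounding code uses tabs; acceptable for a verbatim upstream cherry-pick. DEP-3 headers (Origin, Bug, Bug-Debian, Last-Update) are complete.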
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/patches/series gdk-pixbuf-2.42.10+dfsg/debian/patches/series
--- gdk-pixbuf-2.42.10+dfsg/debian/patches/series	2025-06-19 17:52:54.000000000 -0300
+++ gdk-pixbuf-2.42.10+dfsg/debian/patches/series	2025-10-22 22:45:57.000000000 -0300
@@ -6,3 +6,4 @@
 ANI-Reject-files-with-multiple-INAM-or-IART-chunks.patch
 ANI-Validate-anih-chunk-size.patch
 CVE-2025-6199.patch
+CVE-2025-7345.patch
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/salsa-ci.yml gdk-pixbuf-2.42.10+dfsg/debian/salsa-ci.yml
--- gdk-pixbuf-2.42.10+dfsg/debian/salsa-ci.yml	1969-12-31 21:00:00.000000000 -0300
+++ gdk-pixbuf-2.42.10+dfsg/debian/salsa-ci.yml	2025-10-22 22:45:57.000000000 -0300
@@ -0,0 +1,15 @@
+---
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+  RELEASE: 'bookworm'
+  # crossbuild is only supported for unstable
+  SALSA_CI_DISABLE_CROSSBUILD_ARM64: 1
+  # the udeb intentionally has this, but udebs can't have overrides
+  SALSA_CI_LINTIAN_SUPPRESS_TAGS: 'package-contains-mime-cache-file'
+  # pixbuf-fail test only fail in salsa-ci, so skip testing when building
+  DEB_BUILD_OPTIONS: nocheck
+  # And tell autopkgtest we are building in salsa-ci so it is marked as flaky
+  SALSA_CI_AUTOPKGTEST_ARGS: "--env SALSA_CI=true"
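Review bot: `DEB_BUILD_OPTIONS: nocheck` skips the whole build-time test suite in the salsa-ci build job, not only the pixbuf-fail test the comment names, so the pipeline's test coverage comes solely from the autopkgtest job; the comment above it should say so, and "full coverage" in the cover mail should be read with that in mind. If the upstream test harness allows excluding a single test, a targeted skip would keep the remaining build-time tests running in CI.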
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/tests/installed-tests gdk-pixbuf-2.42.10+dfsg/debian/tests/installed-tests
--- gdk-pixbuf-2.42.10+dfsg/debian/tests/installed-tests	2025-06-19 17:52:54.000000000 -0300
+++ gdk-pixbuf-2.42.10+dfsg/debian/tests/installed-tests	2025-10-22 22:45:57.000000000 -0300
@@ -1,6 +1,13 @@
 #!/bin/sh
 
-set -eu
+set -e
+
+if [ -n "$SALSA_CI" ]; then
+    # pixbuf-fail triggers oom-killer in salsa-ci
+    flaky_tests_regex='^gdk-pixbuf/pixbuf-\(randomly-modified\|fail\)\.test$'
+else
+    flaky_tests_regex='^gdk-pixbuf/pixbuf-randomly-modified\.test$'
+fi
 
 namespace=gdk-pixbuf/
 
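Review bot: dropping `-u` from `set -eu` to tolerate an unset `SALSA_CI` loses unset-variable detection for the whole script; `if [ -n "${SALSA_CI:-}" ]; then` handles the unset case under `set -eu`, so the original `set -eu` could stay. The rest of the hunk is fine: the alternation `\(randomly-modified\|fail\)` is GNU basic-regex syntax, matching the `grep -v` invocation in the second hunk.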
@@ -9,7 +16,7 @@
 set -- $(
     gnome-desktop-testing-runner -l "$namespace" |
     cut -f1 -d' ' |
-    grep -v '^gdk-pixbuf/pixbuf-randomly-modified\.test$'
+    grep -v "$flaky_tests_regex"
 )
 
 if [ -z "$*" ]; then
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/tests/installed-tests-flaky gdk-pixbuf-2.42.10+dfsg/debian/tests/installed-tests-flaky
--- gdk-pixbuf-2.42.10+dfsg/debian/tests/installed-tests-flaky	2025-06-19 17:52:54.000000000 -0300
+++ gdk-pixbuf-2.42.10+dfsg/debian/tests/installed-tests-flaky	2025-10-22 22:45:57.000000000 -0300
@@ -1,9 +1,19 @@
 #!/bin/sh
 
-set -eu
+set -e
 
+if [ -n "$SALSA_CI" ]; then
+    # pixbuf-fail triggers oom-killer in salsa-ci
+    flaky_tests="gdk-pixbuf/pixbuf-randomly-modified.test \
+            gdk-pixbuf/pixbuf-fail.test"
+else
+    flaky_tests="gdk-pixbuf/pixbuf-randomly-modified.test"
+fi
+
+# Deliberately word-splitting:
+# shellcheck disable=SC2086
 exec gnome-desktop-testing-runner \
 --report-directory="$AUTOPKGTEST_ARTIFACTS" \
 --tap \
-gdk-pixbuf/pixbuf-randomly-modified.test \
+$flaky_tests \
 ${NULL+}
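Review bot: same `set -eu` point as in debian/tests/installed-tests: testing `"${SALSA_CI:-}"` would let `-u` stay. The `# shellcheck disable=SC2086` directive sits correctly on the line immediately before `exec`, where the unquoted `$flaky_tests` expansion is intentional, and the backslash-newline inside the double-quoted `flaky_tests` value is removed by the shell, leaving the two test names separated by the second line's leading whitespace, which word splitting then handles.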
