
Bug#1121433: marked as done (trixie-pu: package rlottie/0.1+dfsg-4.2+deb13u1)



Your message dated Sat, 10 Jan 2026 11:52:34 +0000
with message-id <E1veXWE-00000004Rh5-3dbB@coccia.debian.org>
and subject line Released with 13.3
has caused the Debian Bug report #1121433,
regarding trixie-pu: package rlottie/0.1+dfsg-4.2+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1121433: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121433
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
User: release.debian.org@packages.debian.org
Usertags: pu


The attached debdiff for rlottie fixes CVE-2025-0634, CVE-2025-53074 and CVE-2025-53075 in Trixie. All CVEs are marked as no-dsa by the security team.

The same patch has been uploaded to unstable and nobody has complained yet.

Actually, those CVEs had already been partially fixed by Fix-crash-on-invalid-data.patch. Only one boundary check was left for this upload.

   Thorsten
diff -Nru rlottie-0.1+dfsg/debian/changelog rlottie-0.1+dfsg/debian/changelog
--- rlottie-0.1+dfsg/debian/changelog	2024-08-29 10:05:10.000000000 +0200
+++ rlottie-0.1+dfsg/debian/changelog	2025-11-25 12:05:10.000000000 +0100
@@ -1,3 +1,19 @@
+rlottie (0.1+dfsg-4.2+deb13u1) trixie; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2025-0634 (Closes: #1109341)
+    CVE-2025-53074
+    CVE-2025-53075
+    Most patches to fix these issues are already part of:
+      Fix-crash-on-invalid-data.patch
+    The remaining boundary check is left in:
+      CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch
+    For the sake of completeness, the whole upstream patch
+    for these CVEs is added in:
+      CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch.org
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Tue, 25 Nov 2025 12:05:10 +0100
+
 rlottie (0.1+dfsg-4.2) unstable; urgency=medium
 
   * Non-maintainer upload.
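Review bot: the changelog says the whole upstream patch "is added in" CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch.org, which reads as if that file were applied; state explicitly that the .org copy is kept for reference only and is not listed in debian/patches/series, so that a reader of the changelog does not assume the Gradient::populate and KeyFrames hunks ship from this file.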
diff -Nru rlottie-0.1+dfsg/debian/patches/CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch rlottie-0.1+dfsg/debian/patches/CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch
--- rlottie-0.1+dfsg/debian/patches/CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch	1970-01-01 01:00:00.000000000 +0100
+++ rlottie-0.1+dfsg/debian/patches/CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch	2025-11-18 19:02:16.000000000 +0100
@@ -0,0 +1,30 @@
+From 507ea027e47d3e1dc7ddbd9994621215eae7ebb9 Mon Sep 17 00:00:00 2001
+From: Michal Maciola <m.maciola@samsung.com>
+Date: Thu, 15 May 2025 20:51:09 +0200
+Subject: [PATCH] Fix security vulnerabilities in Lottie file handling Add
+ validation checks to address potential vulnerabilities in case of a malicious
+ Lottie file
+
+Adds:
+- Type check for CompLayer() before casting to model::Layer
+- Bounds checking for Gradient::populate()
+- Frames vector empty check
+- Rejection of outliers
+---
+ src/vector/freetype/v_ft_raster.cpp |  5 +++++
+
+Index: rlottie-0.1+dfsg/src/vector/freetype/v_ft_raster.cpp
+===================================================================
+--- rlottie-0.1+dfsg.orig/src/vector/freetype/v_ft_raster.cpp	2025-11-07 12:19:43.655591929 +0100
++++ rlottie-0.1+dfsg/src/vector/freetype/v_ft_raster.cpp	2025-11-07 12:19:43.651591895 +0100
+@@ -550,6 +550,10 @@
+     dx = to_x - ras.x;
+     dy = to_y - ras.y;
+ 
++    if (SW_FT_ABS(dx) > 10000000 || SW_FT_ABS(dy) > 10000000) {
++         goto End;
++    }
++
+     fx1 = ras.x - SUBPIXELS(ex1);
+     fy1 = ras.y - SUBPIXELS(ey1);
+ 
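Review bot: the trimmed patch keeps the full upstream commit message, whose "Adds:" list names four changes (CompLayer type check, Gradient::populate bounds checking, frames empty check, outlier rejection), while the diffstat and the single hunk carry only the gray_render_line outlier check in v_ft_raster.cpp. Add a DEP-3 style comment above the hunk stating that the other three changes are already in Fix-crash-on-invalid-data.patch, and confirm that the gray_render_conic bound from the same upstream commit, `if (top >= 32) return; // levels size is 32`, is covered there too, since it is not in this hunk. The hunk header `@@ -550,6 +550,10 @@` also lost its function context; quilt does not need it, but keeping it helps review.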
diff -Nru rlottie-0.1+dfsg/debian/patches/CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch.org rlottie-0.1+dfsg/debian/patches/CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch.org
--- rlottie-0.1+dfsg/debian/patches/CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch.org	1970-01-01 01:00:00.000000000 +0100
+++ rlottie-0.1+dfsg/debian/patches/CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch.org	2025-11-18 19:02:16.000000000 +0100
@@ -0,0 +1,134 @@
+From 507ea027e47d3e1dc7ddbd9994621215eae7ebb9 Mon Sep 17 00:00:00 2001
+From: Michal Maciola <m.maciola@samsung.com>
+Date: Thu, 15 May 2025 20:51:09 +0200
+Subject: [PATCH] Fix security vulnerabilities in Lottie file handling Add
+ validation checks to address potential vulnerabilities in case of a malicious
+ Lottie file
+
+Adds:
+- Type check for CompLayer() before casting to model::Layer
+- Bounds checking for Gradient::populate()
+- Frames vector empty check
+- Rejection of outliers
+---
+ src/lottie/lottieitem.cpp           |  1 +
+ src/lottie/lottiemodel.cpp          | 15 ++++++++++++---
+ src/lottie/lottiemodel.h            | 21 +++++++++++++--------
+ src/vector/freetype/v_ft_raster.cpp |  5 +++++
+ 4 files changed, 31 insertions(+), 11 deletions(-)
+
+diff --git a/src/lottie/lottieitem.cpp b/src/lottie/lottieitem.cpp
+index c5540f3f..c70f3273 100644
+--- a/src/lottie/lottieitem.cpp
++++ b/src/lottie/lottieitem.cpp
+@@ -479,6 +479,7 @@ renderer::CompLayer::CompLayer(model::Layer *layerModel, VArenaAlloc *allocator)
+     // as lottie model keeps the data in front-toback-order.
+     for (auto it = mLayerData->mChildren.crbegin();
+          it != mLayerData->mChildren.rend(); ++it) {
++        if ((*it)->type() != model::Object::Type::Layer) continue;
+         auto model = static_cast<model::Layer *>(*it);
+         auto item = createLayerItem(model, allocator);
+         if (item) mLayers.push_back(item);
+diff --git a/src/lottie/lottiemodel.cpp b/src/lottie/lottiemodel.cpp
+index 1bca99d2..0f816f6f 100644
+--- a/src/lottie/lottiemodel.cpp
++++ b/src/lottie/lottiemodel.cpp
+@@ -250,11 +250,16 @@ void model::Gradient::populate(VGradientStops &stops, int frameNo)
+     auto                  size = gradData.mGradient.size();
+     float *               ptr = gradData.mGradient.data();
+     int                   colorPoints = mColorPoints;
+-    if (colorPoints == -1) {  // for legacy bodymovin (ref: lottie-android)
++    size_t                colorPointsSize = colorPoints * 4;
++    if (!ptr) return;
++    if (colorPoints < 0 || colorPointsSize > size) {  // for legacy bodymovin (ref: lottie-android)
+         colorPoints = int(size / 4);
+     }
+-    auto   opacityArraySize = size - colorPoints * 4;
+-    float *opacityPtr = ptr + (colorPoints * 4);
++    auto   opacityArraySize = size - colorPointsSize;
++    if (opacityArraySize % 2 != 0) {
++        opacityArraySize = 0;
++    }
++    float *opacityPtr = ptr + colorPointsSize;
+     stops.clear();
+     for (int i = 0; i < colorPoints; i++) {
+         float        colorStop = ptr[0];
+@@ -267,6 +272,10 @@ void model::Gradient::populate(VGradientStops &stops, int frameNo)
+         }
+         ptr += 4;
+     }
++
++    if (stops.empty()) {
++        stops.push_back(std::make_pair(0.0f, VColor(255, 255, 255, 255)));
++    }
+ }
+ 
+ float model::Gradient::getOpacityAtPosition(float *opacities, size_t opacityArraySize, float position)
+diff --git a/src/lottie/lottiemodel.h b/src/lottie/lottiemodel.h
+index 1e66ff15..c51cc4a2 100644
+--- a/src/lottie/lottiemodel.h
++++ b/src/lottie/lottiemodel.h
+@@ -239,20 +239,23 @@ class KeyFrames {
+ 
+     T value(int frameNo) const
+     {
+-        if (frames_.front().start_ >= frameNo)
+-            return frames_.front().value_.start_;
+-        if (frames_.back().end_ <= frameNo) return frames_.back().value_.end_;
+-
+-        for (const auto &keyFrame : frames_) {
+-            if (frameNo >= keyFrame.start_ && frameNo < keyFrame.end_)
+-                return keyFrame.value(frameNo);
++        if (!frames_.empty()) {
++            if (frames_.front().start_ >= frameNo)
++                return frames_.front().value_.start_;
++            if (frames_.back().end_ <= frameNo) return frames_.back().value_.end_;
++
++            for (const auto &keyFrame : frames_) {
++                if (frameNo >= keyFrame.start_ && frameNo < keyFrame.end_)
++                    return keyFrame.value(frameNo);
++            }
+         }
+         return {};
+     }
+ 
+     float angle(int frameNo) const
+     {
+-        if ((frames_.front().start_ >= frameNo) ||
++        if (frames_.empty() ||
++            (frames_.front().start_ >= frameNo) ||
+             (frames_.back().end_ <= frameNo))
+             return 0;
+ 
+@@ -265,6 +268,8 @@ class KeyFrames {
+ 
+     bool changed(int prevFrame, int curFrame) const
+     {
++        if (frames_.empty()) return false;
++
+         auto first = frames_.front().start_;
+         auto last = frames_.back().end_;
+ 
+diff --git a/src/vector/freetype/v_ft_raster.cpp b/src/vector/freetype/v_ft_raster.cpp
+index e48ad1b1..24b0d427 100644
+--- a/src/vector/freetype/v_ft_raster.cpp
++++ b/src/vector/freetype/v_ft_raster.cpp
+@@ -537,6 +537,10 @@ static void gray_render_line(RAS_ARG_ TPos to_x, TPos to_y)
+     dx = to_x - ras.x;
+     dy = to_y - ras.y;
+ 
++    if (SW_FT_ABS(dx) > 10000000 || SW_FT_ABS(dy) > 10000000) {
++         goto End;
++    }
++
+     fx1 = ras.x - SUBPIXELS(ex1);
+     fy1 = ras.y - SUBPIXELS(ey1);
+ 
+@@ -707,6 +711,7 @@ static void gray_render_conic(RAS_ARG_ const SW_FT_Vector* control,
+             gray_split_conic(arc);
+             arc += 2;
+             top++;
++            if (top >= 32) return; // levels size is 32
+             levels[top] = levels[top - 1] = level - 1;
+             continue;
+         }
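Review bot: in the Gradient::populate hunk, `size_t colorPointsSize = colorPoints * 4;` is computed before the fallback branch and is never recomputed after `colorPoints = int(size / 4);`, so in the legacy case the comment mentions (colorPoints == -1) colorPointsSize has already wrapped to a huge size_t, and `opacityArraySize = size - colorPointsSize` and `opacityPtr = ptr + colorPointsSize` are derived from that stale value rather than from the corrected count. Compute colorPointsSize after the fallback (or reassign it inside the branch). This file is reference-only and not in series, but the Fix-crash-on-invalid-data.patch that actually ships should be checked for the same pattern.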
diff -Nru rlottie-0.1+dfsg/debian/patches/series rlottie-0.1+dfsg/debian/patches/series
--- rlottie-0.1+dfsg/debian/patches/series	2024-08-29 10:05:10.000000000 +0200
+++ rlottie-0.1+dfsg/debian/patches/series	2025-11-18 19:02:45.000000000 +0100
@@ -25,3 +25,5 @@
 No-deadlock.patch
 Atomic-render.patch
 fix-static-variable-delete.patch
+
+CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch
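Review bot: the hunk adds an empty line to debian/patches/series before the new entry; quilt tolerates blank lines, but the file has none elsewhere, so drop it and append just the patch name. Leaving the .patch.org file out of series is correct, since it is reference material only.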

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.3

This update has been released as part of Debian 13.3.

--- End Message ---