Your message dated Sun, 09 Nov 2025 18:44:12 +0000
with message-id <[email protected]>
and subject line Bug#1117049: fixed in vips 8.17.3-1
has caused the Debian Bug report #1117049,
regarding vips: CVE-2025-59933
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1117049: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117049
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: vips
Version: 8.16.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for vips.
CVE-2025-59933[0]:
| libvips is a demand-driven, horizontally threaded image processing
| library. For versions 8.17.1 and below, when libvips is compiled
| with support for PDF input via poppler, the pdfload operation is
| affected by a buffer read overflow when parsing the header of a
| crafted PDF with a page that defines a width but not a height. Those
| using libvips compiled without support for PDF input are unaffected
| as well as those with support for PDF input via PDFium. This issue is
| fixed in version 8.17.2. A workaround for those affected is to block
| the VipsForeignLoadPdf operation via vips_operation_block_set, which
| is available in most language bindings, or to set
| VIPS_BLOCK_UNTRUSTED environment variable at runtime, which will
| block all untrusted loaders including PDF input via poppler.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-59933
https://www.cve.org/CVERecord?id=CVE-2025-59933
[1] https://github.com/libvips/libvips/security/advisories/GHSA-q8px-4w5q-c2r4
[2] https://github.com/libvips/libvips/commit/a58bfae9223a5466cc81ba9fe6dfb08233cf17d1
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
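The advisory quoted above names two mitigations: blocking VipsForeignLoadPdf through vips_operation_block_set, or setting VIPS_BLOCK_UNTRUSTED so that libvips refuses every loader it marks untrusted, the poppler PDF loader included. The wrapper below is an added example, not part of the bug report or of the vips package; it applies the environment-variable mitigation around a command and checks whether the installed build carries a PDF loader at all, assuming only that the stock vips CLI (`vips -l`, `vips copy`) may or may not be present.

```shell
#!/bin/sh
# Added example: run libvips-based tools with untrusted loaders disabled.
# Assumes the stock `vips` CLI may or may not be installed.

# Run a command with VIPS_BLOCK_UNTRUSTED in its environment. libvips
# reads the variable when it initialises, so it has to be present when
# the process starts; exporting it after the library is loaded does nothing.
with_untrusted_blocked() {
    VIPS_BLOCK_UNTRUSTED=1 "$@"
}

# Report whether the installed vips lists a pdfload operation at all.
# Prints "present", "absent" or "unknown" (no vips CLI on PATH). A build
# without any PDF loader is not affected by CVE-2025-59933 in the first place.
vips_pdfload_status() {
    if ! command -v vips >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    if vips -l 2>/dev/null | grep -q 'pdfload'; then
        echo present
    else
        echo absent
    fi
}

# Render an untrusted PDF to PNG with untrusted loaders blocked. With the
# variable set, a poppler-backed pdfload is refused, so the crafted header
# never reaches the vulnerable parser; the command then exits non-zero.
convert_pdf_blocked() {
    with_untrusted_blocked vips copy "$1" "$2"
}
```

A refused load surfaces as a vips error rather than a crash, which is the observable difference between an unpatched library with the workaround and one without it.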
--- Begin Message ---
Source: vips
Source-Version: 8.17.3-1
Done: Laszlo Boszormenyi (GCS) <[email protected]>
We believe that the bug you reported is fixed in the latest version of
vips, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated vips package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sun, 09 Nov 2025 09:26:58 +0100
Source: vips
Architecture: source
Version: 8.17.3-1
Distribution: unstable
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Closes: 1094627 1114678 1117049 1118931
Changes:
vips (8.17.3-1) unstable; urgency=medium
.
* New upstream release (closes: #1114678):
- fixes CVE-2025-59933: buffer over-read in poppler-based pdfload()
(closes: #1117049).
* Update build dependency to gobject-introspection (closes: #1118931).
* Remove gobject-introspection-bin build dependency (closes: #1094627).
* Update watch file.
--- End Message ---