Your message dated Mon, 11 May 2026 19:32:56 +0200
with message-id <[email protected]>
and subject line CVEs in libskia
has caused the Debian Bug report #1134991,
regarding libskia: CVE-2025-32318 CVE-2026-5870 CVE-2026-6364 CVE-2026-6298
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1134991: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134991
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libskia
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for Google Chrome, but
are apparently in Skia.
With Skia now packaged we need some upstream commitment for transparent
security handling, specifically we need to know which commits fix
which CVE.
Are you in touch with upstream, is there some channel where they could
keep you notified?
CVE-2025-32318[0]:
| In Skia, there is a possible out of bounds write due to a heap
| buffer overflow. This could lead to remote escalation of privilege
| with no additional execution privileges needed. User interaction is
| not needed for exploitation.
CVE-2026-5870[1]:
| Integer overflow in Skia in Google Chrome prior to 147.0.7727.55
| allowed a remote attacker to execute arbitrary code inside a sandbox
| via a crafted HTML page. (Chromium security severity: High)
CVE-2026-6364[2]:
| Out of bounds read in Skia in Google Chrome prior to 147.0.7727.101
| allowed a remote attacker to obtain potentially sensitive
| information from process memory via a crafted file. (Chromium
| security severity: Medium)
CVE-2026-6298[3]:
| Heap buffer overflow in Skia in Google Chrome prior to
| 147.0.7727.101 allowed a remote attacker to obtain potentially
| sensitive information from process memory via a crafted HTML page.
| (Chromium security severity: Critical)
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-32318
https://www.cve.org/CVERecord?id=CVE-2025-32318
[1] https://security-tracker.debian.org/tracker/CVE-2026-5870
https://www.cve.org/CVERecord?id=CVE-2026-5870
[2] https://security-tracker.debian.org/tracker/CVE-2026-6364
https://www.cve.org/CVERecord?id=CVE-2026-6364
[3] https://security-tracker.debian.org/tracker/CVE-2026-6298
https://www.cve.org/CVERecord?id=CVE-2026-6298
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Version: 146.20260414~git.ef5f213+dfsg-1
As mentioned in a previous message, these CVEs have been patched in
version 146.20260414 (or for the 2025 one, confirmed to have been fixed
by the time of m146's release).
For identifying commits fixing CVEs, I have found a way using
information from upstream to identify the relevant commits before
upstream makes all information in the issues public (14 weeks by
default). This is documented in the wiki in the Salsa repository [0].
As such, I am now closing this bug.
[0]: https://salsa.debian.org/fonts-team/libskia/-/wikis/pages
--- End Message ---
