Your message dated Sat, 13 Jun 2026 13:53:57 +0000
with message-id <[email protected]>
and subject line Bug#1138575: fixed in jpeg-xl 0.11.2-0.1~deb13u2
has caused the Debian Bug report #1138575,
regarding jpeg-xl: CVE-2025-70103
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1138575: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138575
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jpeg-xl
Version: 0.11.2-5
Severity: important
Tags: security upstream
Forwarded: https://github.com/libjxl/libjxl/issues/4337
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for jpeg-xl.

CVE-2025-70103[0]:
| Heap buffer overflow vulnerability in libjxl 0.12.0 via crafted PBM
| images to the jxl::extras::DecodeImagePNM function in file
| lib/extras/dec/pnm.cc.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-70103
    https://www.cve.org/CVERecord?id=CVE-2025-70103
[1] https://github.com/libjxl/libjxl/issues/4337
[2] https://www.openwall.com/lists/oss-security/2026/05/30/7
[3] https://github.com/libjxl/libjxl/pull/4380

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: jpeg-xl
Source-Version: 0.11.2-0.1~deb13u2
Done: Moritz Mühlenhoff <[email protected]>

We believe that the bug you reported is fixed in the latest version of
jpeg-xl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <[email protected]> (supplier of updated jpeg-xl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 11 Jun 2026 20:15:43 +0200
Source: jpeg-xl
Architecture: source
Version: 0.11.2-0.1~deb13u2
Distribution: trixie-security
Urgency: medium
Maintainer: Debian PhotoTools Maintainers <[email protected]>
Changed-By: Moritz Mühlenhoff <[email protected]>
Closes: 1138575
Changes:
 jpeg-xl (0.11.2-0.1~deb13u2) trixie-security; urgency=medium
 .
   * CVE-2025-70103 (Closes: #1138575)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---