Package: release.debian.org
Tags: bullseye
X-Debbugs-Cc: gdk-pix...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:gdk-pixbuf
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
gdk-pixbuf is affected by CVE-2022-48622, a memory corruption via crafted
.ani files, cf. #1071265.

[ Impact ]
At least denial of service, but potentially also arbitrary code execution.
The Debian Security Team has classified it as no-dsa and requested that we
do a stable update for this issue if possible.

[ Tests ]
This is the same set of patches used in Ubuntu 22.04 LTS "Jammy".

[ Risks ]
Isolated changes, and the fix landed in Trixie a month ago. A similar fix is
being applied to Bookworm now as well. See https://bugs.debian.org/1073234

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in oldstable
[x] the issue is verified as fixed in unstable

[ Changes ]
Three commits cherry-picked from upstream:

* ANI: Reject files with multiple anih chunks (CVE-2022-48622)
  (Closes: #1071265)
* ANI: Reject files with multiple INAM or IART chunks
* ANI: Validate anih chunk size

The two other commits are not for CVE-2022-48622 but are additional
hardening and fixing changes related to the ANI code.

Updated debian/gbp.conf to point to the debian/bullseye packaging branch.

Thank you,
Jeremy Bícha
Attachment: gdk-pixbuf-bullseye.debdiff (binary data)