• Bug#1105883: Bug#1105885: Helping to fix CVE-2025-4817{4,5} on bookworm

    From Carlos Henrique Lima Melara@21:1/5 to Salvatore Bonaccorso on Tue May 27 03:20:02 2025
    Hi,

    On Sun, May 25, 2025 at 08:42:30PM +0200, Salvatore Bonaccorso wrote:
    > On Sun, May 25, 2025 at 05:03:59PM +0200, Salvatore Bonaccorso wrote:
    > > On Sun, May 25, 2025 at 07:24:00AM +0200, Salvatore Bonaccorso wrote:
    > > > Charles, thanks for the offer. I'm indeed on it and I'm in contact
    > > > with upstream to see if we can get vetted/blessed patches for the
    > > > older version in bookworm. We should try hard to avoid breakage.
    > >
    > > We have now vetted/blessed upstream changes, and I'm going to pick
    > > those. They are referenced as well in the upstream issues as response
    > > to your questions, so we should be ready to go (unless we spot
    > > some problems while testing).
    >
    > Attached are the patches we aim to use for bookworm.
    >
    > The first one is very similar to your backported one, but it uses
    > abort() instead of exit(1), as upstream suggested, to be consistent
    > with avifAlloc(). I put an explanation in the patch.
    >
    > The second was handled after all in public, as you asked there as well,
    > so it is identical to what Wan-Teh Chang posted on the issue.
    >
    > Hope this helps.

    It does help quite a lot, thanks Salvatore! I've tested things in
    bullseye and all is fine [1] (though it had only one rdep in there and
    no rdep autopkgtest, it was quite a new package at the time).

    Trying to help a bit more (please let me know if I have made your lives
    more difficult instead of easier along the way and I will try to avoid
    in the future), I've added your patches and uploaded to debusine to get
    rdeps autopkgtest [2]. Only 2 rdeps had tests, jpeg-xl and libgd2.
    jpeg-xl did succeed [3] and libgd2 failed [4]. Inspecting debci runs for
    libgd2 in stable [5], it has NEVER succeeded. The number of
    passed/failed tests are the same for tests with libavif update and
    without (regular stable/bookworm), so I think the changes are pretty
    safe.

    Cheers,
    Charles

    [1] https://debusine.debian.net/debian/developers/work-request/96770/
    [2] https://debusine.debian.net/debian/developers/work-request/96996/
    [3] https://debusine.debian.net/debian/developers/work-request/97011/
    [4] https://debusine.debian.net/debian/developers/work-request/97014/
    [5] https://ci.debian.net/user/britney/jobs?package=libgd2&suite[]=stable&arch[]=amd64
