Forum: >>> Magnum BBS <<<

Bug#1109341: rlottie: CVE-2025-0634 CVE-2025-53074 CVE-2025-53075

From Adrian Bunk@21:1/5 to All on Wed Jul 30 00:50:01 2025

On Tue, Jul 15, 2025 at 02:39:16PM +0200, Moritz Mühlenhoff wrote:

Package: rlottie
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for rlottie.

CVE-2025-0634[0]:
| Use After Free vulnerability in Samsung Open Source rLottie allows
| Remote Code Inclusion.This issue affects rLottie: V0.2.

https://github.com/Samsung/rlottie/pull/571 https://github.com/Samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9

CVE-2025-53074[1]:
| Out-of-bounds Read vulnerability in Samsung Open Source rLottie
| allows Overflow Buffers.This issue affects rLottie: V0.2.

https://github.com/Samsung/rlottie/pull/571 https://github.com/Samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9

CVE-2025-53075[2]:
| Improper Input Validation vulnerability in Samsung Open Source
| rLottie allows Path Traversal.This issue affects rLottie: V0.2.

https://github.com/Samsung/rlottie/pull/571 https://github.com/Samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9
...

I am not 100% sure whether all of these CVEs can be considered
duplicates of old CVEs already fixed in 0.1+dfsg-2 (#988885), but
there's clearly overlap in what got fixed: https://sources.debian.org/src/rlottie/0.1%2Bdfsg-4.2/debian/patches/Fix-crash-on-invalid-data.patch/

Apparently the old CVEs were reported against a fork and the new CVEs
against the original upstream.

cu
Adrian

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Who's Online
Recent Visitors
- Thlc
  Sat Sep 13 17:11:34 2025
  from Rognac, France via Telnet
- Thlc
  Sat Sep 13 17:04:03 2025
  from Rognac, France via Telnet
- Thlc
  Sat Sep 13 16:32:19 2025
  from Rognac, France via SSH
- Thlc
  Sat Sep 13 15:41:11 2025
  from Rognac, France via SSH
- Thlc
  Sat Sep 13 07:56:03 2025
  from Rognac, France via SSH
- Gretchiie
  Sat Sep 13 07:22:10 2025
  from Derry, Nh via Telnet
- Thlc
  Sat Sep 13 06:57:56 2025
  from Rognac, France via SSH
- Thlc
  Sat Sep 13 06:47:28 2025
  from Rognac, France via SSH

System Info

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	546
Nodes:	16 (2 / 14)
Uptime:	145:53:43
Calls:	10,383
Calls today:	8
Files:	14,054
D/L today:	2 files (1,861K bytes)
Messages:	6,417,687

Bug#1109341: rlottie: CVE-2025-0634 CVE-2025-53074 CVE-2025-53075

Who's Online

Recent Visitors

System Info