Version in base suite: 2.42.10+dfsg-1+deb12u2 Base version: gdk-pixbuf_2.42.10+dfsg-1+deb12u2 Target version: gdk-pixbuf_2.42.10+dfsg-1+deb12u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/gdk-pixbuf/gdk-pixbuf_2.42.10+dfsg-1+deb12u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/g/gdk-pixbuf/gdk-pixbuf_2.42.10+dfsg-1+deb12u3.dsc changelog | 20 ++++++++++++++++ gbp.conf | 2 - patches/CVE-2025-7345.patch | 55 ++++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 salsa-ci.yml | 15 ++++++++++++ tests/installed-tests | 11 +++++++- tests/installed-tests-flaky | 14 +++++++++-- 7 files changed, 113 insertions(+), 5 deletions(-) gpgv: Signature made Fri Jun 20 14:01:56 2025 UTC gpgv: using RSA key B6E62F3D12AC38495C0DA90510C293B6C37C4E36 gpgv: Note: signatures using the SHA1 algorithm are rejected gpgv: Can't check signature: Bad public key dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpkjmqj6e8/gdk-pixbuf_2.42.10+dfsg-1+deb12u2.dsc: no acceptable signature found
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/changelog gdk-pixbuf-2.42.10+dfsg/debian/changelog
--- gdk-pixbuf-2.42.10+dfsg/debian/changelog 2025-06-19 20:52:54.000000000 +0000
+++ gdk-pixbuf-2.42.10+dfsg/debian/changelog 2025-10-23 01:45:57.000000000 +0000
@@ -1,3 +1,23 @@
+gdk-pixbuf (2.42.10+dfsg-1+deb12u3) bookworm; urgency=medium
+
+ * Team upload.
+
+ [ Jeremy Bícha ]
+ * debian/gbp.conf: Branch for bookworm.
+
+ [ Carlos Henrique Lima Melara ]
+ * debian/patches/CVE-2025-7345.patch: import patch from upstream.
+ - CVE-2025-7345: A flaw exists in gdk‑pixbuf within the
+ gdk_pixbuf__jpeg_image_load_increment function (io-jpeg.c) and in
+ glib’s g_base64_encode_step (glib/gbase64.c) potentially leading to a
+ buffer overflow. (Closes: #1109262)
+ * debian/salsa-ci.yml: build with nocheck and pass SALSA_CI=true for
+ autopkgtest job.
+ * debian/tests/installed-tests{,flaky}: check SALSA_CI variable to decide
+ what is flaky or not.
+
+ -- Carlos Henrique Lima Melara Wed, 22 Oct 2025 22:45:57 -0300
+
 gdk-pixbuf (2.42.10+dfsg-1+deb12u2) bookworm-security; urgency=medium
 * CVE-2025-6199 (Closes: #1107994)
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/gbp.conf gdk-pixbuf-2.42.10+dfsg/debian/gbp.conf
--- gdk-pixbuf-2.42.10+dfsg/debian/gbp.conf 2024-06-13 20:58:55.000000000 +0000
+++ gdk-pixbuf-2.42.10+dfsg/debian/gbp.conf 2025-10-23 01:45:57.000000000 +0000
@@ -1,6 +1,6 @@
 [DEFAULT]
 pristine-tar = True
-debian-branch = debian/master
+debian-branch = debian/bookworm
 upstream-branch = upstream/latest
 [buildpackage]
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/patches/CVE-2025-7345.patch gdk-pixbuf-2.42.10+dfsg/debian/patches/CVE-2025-7345.patch
--- gdk-pixbuf-2.42.10+dfsg/debian/patches/CVE-2025-7345.patch 1970-01-01 00:00:00.000000000 +0000
+++ gdk-pixbuf-2.42.10+dfsg/debian/patches/CVE-2025-7345.patch 2025-10-23 01:45:57.000000000 +0000
@@ -0,0 +1,55 @@
+From 4af78023ce7d3b5e3cec422a59bb4f48fa4f5886 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen
+Date: Fri, 11 Jul 2025 11:02:05 -0400
+Subject: [PATCH] jpeg: Be more careful with chunked icc data
+
+We we inadvertendly trusting the sequence numbers not to lie.
+If they do we would report a larger data size than we actually
+allocated, leading to out of bounds memory access in base64
+encoding later on.
+
+This has been assigned CVE-2025-7345.
+
+Fixes: #249
+
+Origin: upstream, https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/4af78023ce7d3b5e3cec422a59bb4f48fa4f5886
+Bug: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/249
+Bug-Debian: https://bugs.debian.org/1109262
+Last-Update: 2025-09-30
+---
+ gdk-pixbuf/io-jpeg.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
+index 9cfd29718..103820c5a 100644
+--- a/gdk-pixbuf/io-jpeg.c
++++ b/gdk-pixbuf/io-jpeg.c
+@@ -359,6 +359,7 @@ jpeg_parse_exif_app2_segment (JpegExifContext *context, jpeg_saved_marker_ptr ma
+ context->icc_profile = g_new (gchar, chunk_size);
+ /* copy the segment data to the profile space */
+ memcpy (context->icc_profile, marker->data + 14, chunk_size);
++ ret = TRUE;
+ goto out;
+ }
+
+@@ -380,12 +381,15 @@ jpeg_parse_exif_app2_segment (JpegExifContext *context, jpeg_saved_marker_ptr ma
+ /* copy the segment data to the profile space */
+ memcpy (context->icc_profile + offset, marker->data + 14, chunk_size);
+
+- /* it's now this big plus the new data we've just copied */
+- context->icc_profile_size += chunk_size;
++ context->icc_profile_size = MAX (context->icc_profile_size, offset + chunk_size);
+
+ /* success */
+ ret = TRUE;
+ out:
++ if (!ret) {
++ g_free (context->icc_profile);
++ context->icc_profile = NULL;
++ }
+ return ret;
+ }
+
+--
+GitLab
+
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/patches/series gdk-pixbuf-2.42.10+dfsg/debian/patches/series
--- gdk-pixbuf-2.42.10+dfsg/debian/patches/series
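Review bot: The new failure cleanup at `out:` frees `context->icc_profile` and sets it to NULL but leaves `context->icc_profile_size` (and any allocation bookkeeping the context keeps) at its old value, so after a rejected chunk the context can still describe a non-empty profile with no buffer behind it. If the caller keeps passing later APP2 markers to jpeg_parse_exif_app2_segment after a FALSE return, which is not visible here, the multi-chunk path could act on those stale fields; I would reset them in the same block, e.g. `context->icc_profile_size = 0;` next to `context->icc_profile = NULL;`. The start of the function, its early returns and the bounds check that should precede `memcpy (context->icc_profile + offset, ...)` all lie outside both inner hunks, so it is worth confirming against the full file that `offset + chunk_size` is compared with the allocated size before the copy.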
2025-06-19 20:52:54.000000000 +0000
+++ gdk-pixbuf-2.42.10+dfsg/debian/patches/series 2025-10-23 01:45:57.000000000 +0000
@@ -6,3 +6,4 @@
 ANI-Reject-files-with-multiple-INAM-or-IART-chunks.patch
 ANI-Validate-anih-chunk-size.patch
 CVE-2025-6199.patch
+CVE-2025-7345.patch
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/salsa-ci.yml gdk-pixbuf-2.42.10+dfsg/debian/salsa-ci.yml
--- gdk-pixbuf-2.42.10+dfsg/debian/salsa-ci.yml 1970-01-01 00:00:00.000000000 +0000
+++ gdk-pixbuf-2.42.10+dfsg/debian/salsa-ci.yml 2025-10-23 01:45:57.000000000 +0000
@@ -0,0 +1,15 @@
+---
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+ RELEASE: 'bookworm'
+ # crossbuild is only supported for unstable
+ SALSA_CI_DISABLE_CROSSBUILD_ARM64: 1
+ # the udeb intentionally has this, but udebs can't have overrides
+ SALSA_CI_LINTIAN_SUPPRESS_TAGS: 'package-contains-mime-cache-file'
+ # pixbuf-fail test only fail in salsa-ci, so skip testing when building
+ DEB_BUILD_OPTIONS: nocheck
+ # And tell autopkgtest we are building in salsa-ci so it is marked as flaky
+ SALSA_CI_AUTOPKGTEST_ARGS: "--env SALSA_CI=true"
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/tests/installed-tests gdk-pixbuf-2.42.10+dfsg/debian/tests/installed-tests
--- gdk-pixbuf-2.42.10+dfsg/debian/tests/installed-tests 2024-06-13 20:58:55.000000000 +0000
+++ gdk-pixbuf-2.42.10+dfsg/debian/tests/installed-tests 2025-10-23 01:45:57.000000000 +0000
@@ -1,6 +1,13 @@
 #!/bin/sh
-set -eu
+set -e
+
+if [ -n "$SALSA_CI" ]; then
+ # pixbuf-fail triggers oom-killer in salsa-ci
+ flaky_tests_regex='^gdk-pixbuf/pixbuf-\(randomly-modified\|fail\)\.test$'
+else
+ flaky_tests_regex='^gdk-pixbuf/pixbuf-randomly-modified\.test$'
+fi
 namespace=gdk-pixbuf/
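Review bot: `DEB_BUILD_OPTIONS: nocheck` turns off the whole build-time test suite in salsa-ci, although the comment above it names only pixbuf-fail as the problem, and the same upload also marks pixbuf-fail as flaky under autopkgtest when SALSA_CI is set. For an upload whose purpose is a loader memory-safety fix, that leaves the malformed-image tests non-gating in this pipeline. The comment should say so explicitly, e.g. `# nocheck skips every build-time test in salsa-ci, not just pixbuf-fail; loader regressions are only caught by autopkgtest`. If the build can skip a single test instead (not visible here), that would be the narrower option.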
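Review bot: Dropping `-u` from `set -eu` removes unset-variable checking for the whole script just so that `$SALSA_CI` can be tested; keeping `set -eu` and writing the test as `if [ -n "${SALSA_CI:-}" ]; then` gives the same behaviour without that loss. The same change is made in debian/tests/installed-tests-flaky, where `--report-directory="$AUTOPKGTEST_ARTIFACTS"` would now expand to an empty path instead of aborting if that variable were unset. The rest of installed-tests continues outside this hunk.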
@@ -9,7 +16,7 @@
 set -- $(
 gnome-desktop-testing-runner -l "$namespace" |
 cut -f1 -d' ' |
- grep -v '^gdk-pixbuf/pixbuf-randomly-modified\.test$'
+ grep -v "$flaky_tests_regex"
 )
 if [ -z "$*" ]; then
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/tests/installed-tests-flaky gdk-pixbuf-2.42.10+dfsg/debian/tests/installed-tests-flaky
--- gdk-pixbuf-2.42.10+dfsg/debian/tests/installed-tests-flaky 2024-06-13 20:58:55.000000000 +0000
+++ gdk-pixbuf-2.42.10+dfsg/debian/tests/installed-tests-flaky 2025-10-23 01:45:57.000000000 +0000
@@ -1,9 +1,19 @@
 #!/bin/sh
-set -eu
+set -e
+if [ -n "$SALSA_CI" ]; then
+ # pixbuf-fail triggers oom-killer in salsa-ci
+ flaky_tests="gdk-pixbuf/pixbuf-randomly-modified.test \
+ gdk-pixbuf/pixbuf-fail.test"
+else
+ flaky_tests="gdk-pixbuf/pixbuf-randomly-modified.test"
+fi
+
+# Deliberately word-splitting:
+# shellcheck disable=SC2086
 exec gnome-desktop-testing-runner \
 --report-directory="$AUTOPKGTEST_ARTIFACTS" \
 --tap \
-gdk-pixbuf/pixbuf-randomly-modified.test \
+$flaky_tests \
 ${NULL+}