Version in base suite: 5.2.9+dfsg-1 Base version: krita_5.2.9+dfsg-1 Target version: krita_5.2.9+dfsg-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/k/krita/krita_5.2.9+dfsg-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/k/krita/krita_5.2.9+dfsg-1+deb13u1.dsc changelog | 6 ++++++ patches/CVE-2025-59820.patch | 28 ++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 35 insertions(+) Unrecognised file line in .dsc: -----BEGIN PGP SIGNATURE----- gpgv: Signature made Mon Feb 3 19:55:31 2025 UTC gpgv: using RSA key 5F2A9FB82FA6C1E1077007072D191C8843B13F4D gpgv: Note: signatures using the SHA1 algorithm are rejected gpgv: Can't check signature: Bad public key dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp1p97geit/krita_5.2.9+dfsg-1.dsc: no acceptable signature found gpgv: Signature made Tue Nov 25 21:42:39 2025 UTC gpgv: using RSA key B6E62F3D12AC38495C0DA90510C293B6C37C4E36 gpgv: Note: signatures using the SHA1 algorithm are rejected gpgv: Can't check signature: Bad public key dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp1p97geit/krita_5.2.9+dfsg-1+deb13u1.dsc: no acceptable signature found diff: /srv/release.debian.org/tmp/f_zhBBpTxI/krita-5.2.9+dfsg/snapcraft.yaml: No such file or directory diff: /srv/release.debian.org/tmp/yYNkd7uPUj/krita-5.2.9+dfsg/snapcraft.yaml: No such file or directory
diff -Nru krita-5.2.9+dfsg/debian/changelog krita-5.2.9+dfsg/debian/changelog
--- krita-5.2.9+dfsg/debian/changelog 2025-02-03 19:54:24.000000000 +0000
+++ krita-5.2.9+dfsg/debian/changelog 2025-11-25 09:10:13.000000000 +0000
@@ -1,3 +1,9 @@
+krita (1:5.2.9+dfsg-1+deb13u1) trixie-security; urgency=medium
+
+ * CVE-2025-59820
+
+ -- Moritz Mühlenhoff Tue, 25 Nov 2025 19:56:23 +0100
+
 krita (1:5.2.9+dfsg-1) unstable; urgency=medium
 * New upstream release.
diff -Nru krita-5.2.9+dfsg/debian/patches/CVE-2025-59820.patch krita-5.2.9+dfsg/debian/patches/CVE-2025-59820.patch
--- krita-5.2.9+dfsg/debian/patches/CVE-2025-59820.patch 1970-01-01 00:00:00.000000000 +0000
+++ krita-5.2.9+dfsg/debian/patches/CVE-2025-59820.patch 2025-11-25 09:06:01.000000000 +0000
@@ -0,0 +1,28 @@
+From 6d3651ac4df88efb68e013d21061de9846e83fe8 Mon Sep 17 00:00:00 2001
+From: Dmitry Kazakov
+Date: Mon, 8 Sep 2025 15:35:51 +0200
+Subject: [PATCH] Fix a crash in KisTgaImport
+
+---
+ plugins/impex/tga/kis_tga_import.cpp | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/plugins/impex/tga/kis_tga_import.cpp b/plugins/impex/tga/kis_tga_import.cpp
+index 8bb838a8470..b3e1058c859 100644
+--- a/plugins/impex/tga/kis_tga_import.cpp
++++ b/plugins/impex/tga/kis_tga_import.cpp
+@@ -153,6 +153,11 @@ static bool loadTGA(QDataStream & s, const TgaHeader & tga, QImage &img)
+ uint count = (c & 0x7f) + 1;
+ num -= count * pixel_size;
+
++ if (num < 0) {
++ dbgFile << "This TGA file is broken: the number of pixels left to read and the number of RLE pixels do not agree" << ppVar(num) << ppVar(count) << ppVar(pixel_size);
++ return false;
++ }
++
+ if (c & 0x80) {
+ // RLE pixels.
+ Q_ASSERT(pixel_size <= 8);
+--
+GitLab
+
diff -Nru krita-5.2.9+dfsg/debian/patches/series krita-5.2.9+dfsg/debian/patches/series
--- krita-5.2.9+dfsg/debian/patches/series 2025-02-03 19:50:04.000000000 +0000
+++ krita-5.2.9+dfsg/debian/patches/series 2025-11-25 09:06:12.000000000 +0000
@@ -1,2 +1,3 @@
 upstream_Bump-SIP-ABI-version-to-12.8.patch
 xsimd-require-xtl.diff
+CVE-2025-59820.patch
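Review bot: In the embedded kis_tga_import.cpp hunk, the added `if (num < 0)` check only rejects an over-long packet if `num` is a signed type, and its declaration is outside the hunk, so that needs confirming: `count` is `uint`, and if `num` were unsigned the subtraction would wrap and the guard would never fire. A comment on the check such as `// num must stay signed: a packet that claims more bytes than remain drives it negative` would keep a later type cleanup from silently disabling the fix. Separately, the context line `Q_ASSERT(pixel_size <= 8)` compiles to nothing in release builds, so if `pixel_size` is derived from the file header without validation elsewhere, a runtime `if (pixel_size > 8) return false;` would be the matching hardening. loadTGA's body starts and ends outside the hunk.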