From: "Yoann Congal" <yoann.congal@smile.fr>
To: <careers.myinfo@gmail.com>, <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core][scarthgap][PATCH] gdk-pixbuf: Fix CVE-2025-6199
Date: Sat, 21 Feb 2026 22:24:34 +0100 [thread overview]
Message-ID: <DGKYG8RFAYEQ.N3XNBPSXB9PK@smile.fr> (raw)
In-Reply-To: <20260211083556.102891-1-moins@kpit.com>
Hello,
On Wed Feb 11, 2026 at 9:35 AM CET, Shaik Moin via lists.openembedded.org wrote:
> CVE: CVE-2025-6199
> Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/c4986342b241cdc075259565f3fa7a7597d32a32.patch]
>
> Backport the fix for CVE-2025-6199
> Add below patch to fix
> 0001-gdk-pixbuf-Add-support-patch-to-fix-CVE-2025-6199.patch
Thank you for the patch but it needs improvements:
* The commit message body should not have "CVE:" and "Upstream-Status:"
those are for patches.
* The commit message should justify why you import this particular
patch. Is it the patch cited by the NVD report? another source?
> Signed-off-by: Shaik Moin <moins@kpit.com>
> ---
> ...d-support-patch-to-fix-CVE-2025-6199.patch | 36 +++++++++++++++++++
> .../gdk-pixbuf/gdk-pixbuf_2.42.12.bb | 1 +
> 2 files changed, 37 insertions(+)
> create mode 100644 meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/0001-gdk-pixbuf-Add-support-patch-to-fix-CVE-2025-6199.patch
>
> diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/0001-gdk-pixbuf-Add-support-patch-to-fix-CVE-2025-6199.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/0001-gdk-pixbuf-Add-support-patch-to-fix-CVE-2025-6199.patch
> new file mode 100644
> index 0000000000..aa8bfec8f4
> --- /dev/null
> +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/0001-gdk-pixbuf-Add-support-patch-to-fix-CVE-2025-6199.patch
> @@ -0,0 +1,36 @@
> +From 140200be0b4d5355aab76a6fd474e17d117045ca Mon Sep 17 00:00:00 2001
> +From: lumi <lumi@suwi.moe>
> +Date: Sat, 7 Jun 2025 22:27:06 +0200
> +Subject: [PATCH] lzw: Fix reporting of bytes written in decoder
> +
> +When the LZW decoder encounters an invalid code, it stops
> +processing the image and returns the whole buffer size.
> +It should return the amount of bytes written, instead.
> +
> +Fixes #257
> +
> +CVE: CVE-2025-6199
> +
> +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/c4986342b241cdc075259565f3fa7a7597d32a32.patch]
I'd rather have the simpler link
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/c4986342b241cdc075259565f3fa7a7597d32a32
(without the .patch extension): it makes checking if the patch is in a
branch really easy.
> +
> +Signed-off-by: Shaik Moin <moins@kpit.com>
> +---
> + gdk-pixbuf/lzw.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/gdk-pixbuf/lzw.c b/gdk-pixbuf/lzw.c
> +index 15293560b..4f3dd8beb 100644
> +--- a/gdk-pixbuf/lzw.c
> ++++ b/gdk-pixbuf/lzw.c
> +@@ -208,7 +208,7 @@ lzw_decoder_feed (LZWDecoder *self,
> + /* Invalid code received - just stop here */
> + if (self->code >= self->code_table_size) {
> + self->last_code = self->eoi_code;
> +- return output_length;
> ++ return n_written;
> + }
> +
> + /* Convert codeword into indexes */
> +--
> +2.34.1
> +
> diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb
> index ff1c7a1fb2..8579614bb1 100644
> --- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb
> +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb
> @@ -21,6 +21,7 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \
> file://fatal-loader.patch \
> file://0001-meson.build-allow-a-subset-of-tests-in-cross-compile.patch \
> file://CVE-2025-7345.patch \
> + file://0001-gdk-pixbuf-Add-support-patch-to-fix-CVE-2025-6199.patch \
Can you please name this patch "CVE-2025-6199.patch" to follow
conventions?
Also, this CVE impacts whinlatter, please send a patch for whinlatter.
Thanks!
> "
>
> SRC_URI[sha256sum] = "b9505b3445b9a7e48ced34760c3bcb73e966df3ac94c95a148cb669ab748e3c7"
--
Yoann Congal
Smile ECS
next prev parent reply other threads:[~2026-02-21 21:24 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-11 8:35 [OE-core][scarthgap][PATCH] gdk-pixbuf: Fix CVE-2025-6199 Shaik Moin
2026-02-21 21:24 ` Yoann Congal [this message]
-- strict thread matches above, loose matches on Subject: below --
2026-02-26 3:47 Shaik Moin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DGKYG8RFAYEQ.N3XNBPSXB9PK@smile.fr \
--to=yoann.congal@smile.fr \
--cc=careers.myinfo@gmail.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox