CVE-2025-6199

NameCVE-2025-6199
DescriptionA flaw was found in the GIF parser of GdkPixbuf’s LZW decoder. When an invalid symbol is encountered during decompression, the decoder sets the reported output size to the full buffer length rather than the actual number of written bytes. This logic error results in uninitialized sections of the buffer being included in the output, potentially leaking arbitrary memory contents in the processed image.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1107994

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gdk-pixbuf (PTS)bullseye2.42.2+dfsg-1+deb11u2vulnerable
bullseye (security)2.42.2+dfsg-1+deb11u1vulnerable
bookworm2.42.10+dfsg-1+deb12u1vulnerable
sid, trixie2.42.12+dfsg-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gdk-pixbufsource(unstable)(unfixed)1107994

Notes

https://bugzilla.redhat.com/show_bug.cgi?id=2373147
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/257
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/191
Fixed by: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/c4986342b241cdc075259565f3fa7a7597d32a32 (2.43.2)
Search for package or bug name: Reporting problems