34395 – qtimageformats6 new security issue CVE-2025-5683

Bug 34395 - qtimageformats6 new security issue CVE-2025-5683

Summary: qtimageformats6 new security issue CVE-2025-5683

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	9
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA9-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2025-06-25 15:53 CEST by Nicolas Salguero
Modified:	2025-07-15 04:50 CEST (History)
CC List:	3 users (show)

See Also:
Source RPM:	qtimageformats6-6.8.3-1.mga10.src.rpm, qtimageformats6-6.4.1-1.mga9.src.rpm
CVE:	CVE-2025-5683
Status comment:	Fixed upstream in 6.8.5 and patch available from Fedora and upstream

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2025-06-25 15:53:25 CEST

Fedora has issued an advisory on June 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D3F6LZUJWFANK7X5A65ECKBPB2KQ2DCO/

Comment 1 Nicolas Salguero 2025-06-25 15:54:46 CEST

Fix: https://github.com/qt/qtimageformats/commit/efd332516f510144927121fa749ce819b82ec633

Source RPM: (none) => qtimageformats6-6.8.3-1.mga10.src.rpm, qtimageformats6-6.4.1-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2025-5683
Status comment: (none) => Fixed upstream in 6.8.5 and patch available from Fedora and upstream

Comment 2 Lewis Smith 2025-06-25 20:42:30 CEST

Assigning directly to you, David, as you are the obvious maintainer of this.

Assignee: bugsquad => geiger.david68210

Comment 3 David GEIGER 2025-07-14 08:34:17 CEST

Fixed both mga9 and Cauldron!

Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)

Comment 4 David GEIGER 2025-07-14 08:35:53 CEST

Assigning to QA,

Packages in 9/Core/Updates_testing:
======================
lib64qt6imageformats-devel-6.4.1-1.1.mga9
libqt6imageformats-devel-6.4.1-1.1.mga9
qtimageformats6-6.4.1-1.1.mga9


From SRPMS
qtimageformats6-6.4.1-1.1.mga9.src.rpm

Assignee: geiger.david68210 => qa-bugs

Comment 5 Herman Viaene 2025-07-14 14:28:29 CEST

MGA9-64 server Plasma Wayland on Compaq H000SB.
No installation issues.
No previous issues, no CLI-commands.
# urpmq --whatrequires qtimageformats6
lib64qt6imageformats-devel
lib64qt6imageformats-devel
qt3d6
qtimageformats6
qtquick3d6
This are all libraries.
# urpmq --whatrequires-recursive qtimageformats6
returns a lot, picked focuswriter and used strace
Found:
readlink("/usr/lib64/qt6/plugins/imageformats/libqwbmp.so", 0x7ffdb9f0a6d0, 1023) = -1 EINVAL (Invalid argument)
which is one of the files of qtimageformats6
Should be good enough

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK

katnatek 2025-07-14 21:22:18 CEST

Keywords: (none) => advisory

Comment 6 Thomas Andrews 2025-07-15 01:53:54 CEST

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 7 Mageia Robot 2025-07-15 04:50:39 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0208.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.