rlottie (0.1+dfsg-2+deb11u2) bullseye-security; urgency=medium

  * Apply fixes and improve stability.
  * Backported patches:
    - Atomic-render.patch
    - Avoid-assertion-failures.patch (closes: #1138916, fixes: CVE-2026-8916)
    - Check-empty-frames.patch
    - Finite-loop-in-VBezier-tAtLength.patch
    - Fix-heap-buffer-overflow-from-short-truncation.patch
    - Fixed-signed-shift-issue.patch (closes: #1139179, fixes: CVE-2026-10305)
    - Fixed-vpath-potential-issue.patch (closes: #1138919, fixes: CVE-2026-47319)
    - Ignore-unspecified-type.patch
    - Init-keyframe.patch
    - Limit-recursion-in-LOTLayerItem.patch (closes: #1138920, fixes: CVE-2026-47320)
    - No-cyclic-structures.patch (closes: #1138917, fixes: CVE-2026-47306)
    - No-deadlock.patch
    - Positive-points.patch
    - Reject-reversed-frames.patch
    - Stop-VBezier-length-overflow.patch
  * Amended patches:
    - Check-buffer-length.patch
    - Fortify-FreeType-raster.patch (closes: #1138918, fixes: CVE-2026-47318)
  * Replace Zero-corrupt-point.patch with Empty-animation-data.patch based on
    Subhransu Mohanty's commit (closes: #994614).

 -- Nicholas Guriev <guriev-ns@ya.ru>  Tue, 07 Jul 2026 16:48:09 +0300

rlottie (0.1+dfsg-2+deb11u1) bullseye-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * CVE-2025-0634 (Closes: #1109341)
    CVE-2025-53074
    CVE-2025-53075
    Most patches to fix these issues are already part of:
      Fix-crash-on-invalid-data.patch
    The remaining boundary check is left in:
      CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch
    For the sake of completeness, the whole upstream patch
    for these CVEs is added in:
      CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch.org

 -- Thorsten Alteholz <debian@alteholz.de>  Sun, 08 Feb 2026 10:05:10 +0100

rlottie (0.1+dfsg-2) unstable; urgency=medium

  * Update patches.
    - Sync patches with John Preston's fork.
      + New Freetype-raster.patch for fix CVE-2021-31321. (Closes: #988885)
      + New Fortify-lottie-parser.patch for fix crashes on invalid input.
    - New Extend-mDash-array.patch for fix CVE-2021-31317. (Closes: #988885)
    - New Include-limits-header.patch for fix build with the latest GCC.
      (Closes: #984323)
    - New Zero-corrupt-point.patch for fix crash on inappropriate shape.
      (Closes: #974095)
    - New Avoid-nullptr-in-solidColor.patch fixes null pointer dereferencing.
    - Fix error handling of broken JSON that led to crashes.
  * Skip RAPIDJSON_ASSERT as in Telegram or in upstream rLottie.

 -- Nicholas Guriev <guriev-ns@ya.ru>  Wed, 02 Jun 2021 09:23:26 +0300

rlottie (0.1+dfsg-1) unstable; urgency=medium

  * New upstream release.
  * Add upstream metadata.
  * Update debian/watch file for the first release.
  * Apply John Preston's fixes for improve stability.
    - Check-buffer-length.patch
    - Fix-crash-in-malformed-animations.patch
    - Fix-crash-on-invalid-data.patch

 -- Nicholas Guriev <guriev-ns@ya.ru>  Sun, 19 Jul 2020 21:43:03 +0300

rlottie (0~git20200305.a717479+dfsg-1) unstable; urgency=medium

  * Merge the latest upstream commit.
  * Fix some crashes on corrupted input.
  * Activate in-library cache support.
  * Bump Standards Version to 4.5.0, no related changes.

 -- Nicholas Guriev <guriev-ns@ya.ru>  Thu, 05 Mar 2020 22:16:05 +0300

rlottie (0~git20190721.24346d0+dfsg-2) unstable; urgency=medium

  * Copy full text of The FreeType Project License to debian/copyright file.

 -- Nicholas Guriev <guriev-ns@ya.ru>  Sun, 11 Aug 2019 14:19:58 +0300

rlottie (0~git20190721.24346d0+dfsg-1) unstable; urgency=low

  * Initial upload. (Closes: #931832)

 -- Nicholas Guriev <guriev-ns@ya.ru>  Tue, 23 Jul 2019 08:21:50 +0300
