Your message dated Fri, 08 May 2026 11:33:42 +0000
with message-id <[email protected]>
and subject line Bug#1133372: fixed in musl 1.2.5-3.1
has caused the Debian Bug report #1133372,
regarding musl: CVE-2026-6042 CVE-2026-40200
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1133372: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133372
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: musl
Version: 1.2.5-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for musl.
CVE-2026-6042[0]:
| A security flaw has been discovered in musl libc up to 1.2.6.
| Affected is the function iconv of the file src/locale/iconv.c of the
| component GB18030 4-byte Decoder. Performing a manipulation results
| in inefficient algorithmic complexity. The attack must be initiated
| from a local position. To fix this issue, it is recommended to
| deploy a patch.
CVE-2026-40200[1]:
| An issue was discovered in musl libc 0.7.10 through 1.2.6. Stack-
| based memory corruption can occur during qsort of very large arrays,
| due to incorrectly implemented double-word primitives. The number of
| elements must exceed about seven million, i.e., the 32nd Leonardo
| number on 32-bit platforms (or the 64th Leonardo number on 64-bit
| platforms, which is not practical).
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-6042
https://www.cve.org/CVERecord?id=CVE-2026-6042
https://git.musl-libc.org/cgit/musl/commit/?id=67219f0130ec7c876ac0b299046460fad31caabf
[1] https://security-tracker.debian.org/tracker/CVE-2026-40200
https://www.cve.org/CVERecord?id=CVE-2026-40200
https://git.musl-libc.org/cgit/musl/commit/?id=228da39e38c1cae13cbe637e771412c1984dba5d
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: musl
Source-Version: 1.2.5-3.1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
musl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated musl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 07 May 2026 15:58:38 +0300
Source: musl
Architecture: source
Version: 1.2.5-3.1
Distribution: unstable
Urgency: medium
Maintainer: Reiner Herrmann <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1133372
Changes:
musl (1.2.5-3.1) unstable; urgency=medium
.
* Non-maintainer upload.
* CVE-2026-6042: Algorithmic complexity DoS in iconv GB18030 decoder
* CVE-2026-40200: Stack corruption in qsort
* (Closes: #1133372)
Checksums-Sha1:
c522b9639a8bd1584715734eae98d996b0b28b0e 3651 musl_1.2.5-3.1.dsc
5b20ba6fff390e60bdad625ecc46721e443beadc 29032 musl_1.2.5-3.1.debian.tar.xz
Checksums-Sha256:
c049c5b401930fb23140906a1572cc80c21b05e7e2c237a22be081b5c80f061f 3651 musl_1.2.5-3.1.dsc
870301dd07920f11567e07f5a800e726b5f55e0e56aefcb815d903a02f9b5ae6 29032 musl_1.2.5-3.1.debian.tar.xz
Files:
5eba17b149b0220fcc4890a5ada155d1 3651 libs optional musl_1.2.5-3.1.dsc
c5572e2c5744bdb089175aacb156fedd 29032 libs optional musl_1.2.5-3.1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---