Your message dated Sun, 10 May 2026 16:33:18 +0000
with message-id <[email protected]>
and subject line Bug#1133372: fixed in musl 1.2.5-3.1~deb13u1
has caused the Debian Bug report #1133372,
regarding musl: CVE-2026-6042 CVE-2026-40200
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1133372: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133372
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: musl
Version: 1.2.5-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for musl.

CVE-2026-6042[0]:
| A security flaw has been discovered in musl libc up to 1.2.6.
| Affected is the function iconv of the file src/locale/iconv.c of the
| component GB18030 4-byte Decoder. Performing a manipulation results
| in inefficient algorithmic complexity. The attack must be initiated
| from a local position. To fix this issue, it is recommended to
| deploy a patch.


CVE-2026-40200[1]:
| An issue was discovered in musl libc 0.7.10 through 1.2.6. Stack-
| based memory corruption can occur during qsort of very large arrays,
| due to incorrectly implemented double-word primitives. The number of
| elements must exceed about seven million, i.e., the 32nd Leonardo
| number on 32-bit platforms (or the 64th Leonardo number on 64-bit
| platforms, which is not practical).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-6042
    https://www.cve.org/CVERecord?id=CVE-2026-6042
    https://git.musl-libc.org/cgit/musl/commit/?id=67219f0130ec7c876ac0b299046460fad31caabf
[1] https://security-tracker.debian.org/tracker/CVE-2026-40200
    https://www.cve.org/CVERecord?id=CVE-2026-40200
    https://git.musl-libc.org/cgit/musl/commit/?id=228da39e38c1cae13cbe637e771412c1984dba5d

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: musl
Source-Version: 1.2.5-3.1~deb13u1
Done: Adrian Bunk <[email protected]>

We believe that the bug you reported is fixed in the latest version of
musl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated musl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 09 May 2026 17:56:07 +0300
Source: musl
Architecture: source
Version: 1.2.5-3.1~deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Reiner Herrmann <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1133372
Changes:
 musl (1.2.5-3.1~deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload.
   * Rebuild for trixie.
 .
 musl (1.2.5-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2026-6042: Algorithmic complexity DoS in iconv GB18030 decoder
   * CVE-2026-40200: Stack corruption in qsort
   * (Closes: #1133372)


--- End Message ---
