Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected], Sébastien Noel 
<[email protected]>
Control: affects -1 + src:pcsx2
User: [email protected]
Usertags: pu

[ Reason ]
pcsx2 in trixie is affected by CVE-2025-49589 (#1107756). This update backports
the upstream patch that fixes the security issue.

[ Impact ]
Fixes CVE-2025-49589 (#1107756).

[ Tests ]
No regressions when manually running pcsx2.

[ Risks ]
Limited risk - backport of patch from upstream to fix CVE.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Backport security fix for CVE-2025-49589.

[ Other info ]
I am uploading this stable fix on behalf of Sébastien Noel
<[email protected]> (in CC).
diff -Nru pcsx2-1.6.0+dfsg/debian/changelog pcsx2-1.6.0+dfsg/debian/changelog
--- pcsx2-1.6.0+dfsg/debian/changelog   2024-12-23 15:57:26.000000000 +0100
+++ pcsx2-1.6.0+dfsg/debian/changelog   2026-01-19 09:55:23.000000000 +0100
@@ -1,3 +1,9 @@
+pcsx2 (1.6.0+dfsg-3+deb13u1) trixie-security; urgency=medium
+
+  * Backport security fix for CVE-2025-49589.
+
+ -- Sébastien Noel <[email protected]>  Mon, 19 Jan 2026 09:55:23 +0100
+
 pcsx2 (1.6.0+dfsg-3) unstable; urgency=medium
 
   * Team Upload
diff -Nru pcsx2-1.6.0+dfsg/debian/patches/CVE-2025-49589.patch 
pcsx2-1.6.0+dfsg/debian/patches/CVE-2025-49589.patch
--- pcsx2-1.6.0+dfsg/debian/patches/CVE-2025-49589.patch        1970-01-01 
01:00:00.000000000 +0100
+++ pcsx2-1.6.0+dfsg/debian/patches/CVE-2025-49589.patch        2026-01-19 
09:55:23.000000000 +0100
@@ -0,0 +1,124 @@
+Description: CVE-2025-49589
+ backport the following upstream commit:
+  4c9d2f99b17b1e6f281a264b673f39d95ede6c21
+  6eac0bbcb1d59197a1aa99e41dfae0f87bc23848
+Origin: upstream
+Forwarded: not-needed
+Last-Update: 2026-01-19
+
+--- a/pcsx2/IopBios.cpp
++++ b/pcsx2/IopBios.cpp
+@@ -20,6 +20,7 @@
+ 
+ #include <ctype.h>
+ #include <string.h>
++#include <algorithm>
+ 
+ #ifndef O_BINARY
+ #define O_BINARY 0
+@@ -490,8 +491,12 @@ namespace sysmem {
+ 
+               if (!SysConsole.iopConsole.IsActive()) return 1;
+ 
+-              char tmp[1024], tmp2[1024];
++              // maximum allowed size for our buffer before we truncate
++              const unsigned int max_len = 4096;
++              char tmp[max_len], tmp2[max_len];
+               char *ptmp = tmp;
++              unsigned int printed_bytes = 0;
++              int remaining_buf = max_len - 1;
+               int n=1, i=0, j = 0;
+ 
+               while (fmt[i])
+@@ -502,35 +507,50 @@ namespace sysmem {
+                                       j = 0;
+                                       tmp2[j++] = '%';
+ _start:
+-                                      switch (fmt[++i])
++                                      // let's check whether this is our null 
terminator
++                                      // before allowing the parser to proceed
++                                      if (fmt[i + 1])
+                                       {
+-                                              case '.':
+-                                              case 'l':
+-                                                      tmp2[j++] = fmt[i];
+-                                                      goto _start;
+-                                              default:
+-                                                      if (fmt[i] >= '0' && 
fmt[i] <= '9')
+-                                                      {
++                                              switch (fmt[++i])
++                                              {
++                                                      case '.':
++                                                      case 'l':
++                                                              if (j >= 
max_len)
++                                                                      break;
+                                                               tmp2[j++] = 
fmt[i];
+                                                               goto _start;
+-                                                      }
+-                                                      break;
++                                                      default:
++                                                              if (fmt[i] >= 
'0' && fmt[i] <= '9')
++                                                              {
++                                                                      if (j 
>= max_len)
++                                                                              
break;
++                                                                      
tmp2[j++] = fmt[i];
++                                                                      goto 
_start;
++                                                              }
++                                                              break;
++                                              }
+                                       }
+ 
++                                      if (j >= max_len)
++                                              break;
+                                       tmp2[j++] = fmt[i];
+                                       tmp2[j] = 0;
+ 
+                                       switch (fmt[i])
+                                       {
+                                               case 'f': case 'F':
+-                                                      ptmp+= sprintf(ptmp, 
tmp2, (float)iopMemRead32(sp + n * 4));
++                                                      printed_bytes = 
std::min(remaining_buf, snprintf(ptmp, remaining_buf, tmp2, 
(float)iopMemRead32(sp + n * 4)));
++                                                      remaining_buf -= 
printed_bytes;
++                                                      ptmp += printed_bytes;
+                                                       n++;
+                                                       break;
+ 
+                                               case 'a': case 'A':
+                                               case 'e': case 'E':
+                                               case 'g': case 'G':
+-                                                      ptmp+= sprintf(ptmp, 
tmp2, (double)iopMemRead32(sp + n * 4));
++                                                      printed_bytes = 
std::min(remaining_buf, snprintf(ptmp, remaining_buf, tmp2, 
(double)iopMemRead32(sp + n * 4)));
++                                                      remaining_buf -= 
printed_bytes;
++                                                      ptmp += printed_bytes;
+                                                       n++;
+                                                       break;
+ 
+@@ -539,19 +559,25 @@ _start:
+                                               case 'd': case 'D':
+                                               case 'o': case 'O':
+                                               case 'x': case 'X':
+-                                                      ptmp+= sprintf(ptmp, 
tmp2, (u32)iopMemRead32(sp + n * 4));
++                                                      printed_bytes = 
std::min(remaining_buf, snprintf(ptmp, remaining_buf, tmp2, 
(u32)iopMemRead32(sp + n * 4)));
++                                                      remaining_buf -= 
printed_bytes;
++                                                      ptmp += printed_bytes;
+                                                       n++;
+                                                       break;
+ 
+                                               case 'c':
+-                                                      ptmp+= sprintf(ptmp, 
tmp2, (u8)iopMemRead32(sp + n * 4));
++                                                      printed_bytes = 
std::min(remaining_buf, snprintf(ptmp, remaining_buf, tmp2, (u8)iopMemRead32(sp 
+ n * 4)));
++                                                      remaining_buf -= 
printed_bytes;
++                                                      ptmp += printed_bytes;
+                                                       n++;
+                                                       break;
+ 
+                                               case 's':
+                                                       {
+                                                               std::string s = 
iopMemReadString(iopMemRead32(sp + n * 4));
+-                                                              ptmp += 
sprintf(ptmp, tmp2, s.data());
++                                                              printed_bytes = 
std::min(remaining_buf, snprintf(ptmp, remaining_buf, tmp2, s.data()));
++                                                              remaining_buf 
-= printed_bytes;
++                                                              ptmp += 
printed_bytes;
+                                                               n++;
+                                                       }
+                                                       break;
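Review bot: The guard `if (j >= max_len) break;` placed before `tmp2[j++] = fmt[i]; tmp2[j] = 0;` (nested IopBios.cpp hunk at -502,35 +507,50) still admits j == max_len - 1, in which case the terminator is stored at tmp2[max_len], one byte past the array; that guard should read `if (j >= max_len - 1) break;`. Separately, snprintf() can return a negative value on an encoding error, and `std::min(remaining_buf, snprintf(...))` then stores it in the unsigned printed_bytes, so `ptmp += printed_bytes` moves the cursor far outside tmp; wrapping the result as `std::max(0, std::min(remaining_buf, snprintf(...)))` at each of the five call sites keeps the arithmetic bounded. The branch that copies literal characters into tmp and the final termination of tmp are outside the hunk, so it is worth confirming that they also honour remaining_buf. The enclosing function starts and ends outside the hunk.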
diff -Nru pcsx2-1.6.0+dfsg/debian/patches/series 
pcsx2-1.6.0+dfsg/debian/patches/series
--- pcsx2-1.6.0+dfsg/debian/patches/series      2024-12-23 15:37:39.000000000 
+0100
+++ pcsx2-1.6.0+dfsg/debian/patches/series      2026-01-19 09:55:23.000000000 
+0100
@@ -1,2 +1,3 @@
 wxwidgets3.2.patch
 cpp_error_ftbfs.patch
+CVE-2025-49589.patch
