Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: [email protected], [email protected], Sébastien Noel <[email protected]> Control: affects -1 + src:pcsx2 User: [email protected] Usertags: pu
[ Reason ] pcsx2 in trixie is subject to CVE-2025-49589 (#1107756). Backport patch from upstream to fix the security issue. [ Impact ] Fixes CVE-2025-49589 (#1107756). [ Tests ] No regressions when manually running pcsx2. [ Risks ] Limited risk - backport of patch from upstream to fix CVE. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] Backport security fix for CVE-2025-49589. [ Other info ] I am uploading this stable fix on behalf of Sébastien Noel <[email protected]> (in CC).
diff -Nru pcsx2-1.6.0+dfsg/debian/changelog pcsx2-1.6.0+dfsg/debian/changelog
--- pcsx2-1.6.0+dfsg/debian/changelog 2024-12-23 15:57:26.000000000 +0100
+++ pcsx2-1.6.0+dfsg/debian/changelog 2026-01-19 09:55:23.000000000 +0100
@@ -1,3 +1,9 @@
+pcsx2 (1.6.0+dfsg-3+deb13u1) trixie-security; urgency=medium
+
+ * Backport security fix for CVE-2025-49589.
+
+ -- Sébastien Noel <[email protected]> Mon, 19 Jan 2026 09:55:23 +0100
+
 pcsx2 (1.6.0+dfsg-3) unstable; urgency=medium
 
 * Team Upload
diff -Nru pcsx2-1.6.0+dfsg/debian/patches/CVE-2025-49589.patch pcsx2-1.6.0+dfsg/debian/patches/CVE-2025-49589.patch
--- pcsx2-1.6.0+dfsg/debian/patches/CVE-2025-49589.patch 1970-01-01 01:00:00.000000000 +0100
+++ pcsx2-1.6.0+dfsg/debian/patches/CVE-2025-49589.patch 2026-01-19 09:55:23.000000000 +0100
@@ -0,0 +1,124 @@
+Description: CVE-2025-49589
+ backport the following upstream commit:
+ 4c9d2f99b17b1e6f281a264b673f39d95ede6c21
+ 6eac0bbcb1d59197a1aa99e41dfae0f87bc23848
+Origin: upstream
+Forwarded: not-needed
+Last-Update: 2026-01-19
+
+--- a/pcsx2/IopBios.cpp
++++ b/pcsx2/IopBios.cpp
+@@ -20,6 +20,7 @@
+ 
+ #include <ctype.h>
+ #include <string.h>
++#include <algorithm>
+ 
+ #ifndef O_BINARY
+ #define O_BINARY 0
+@@ -490,8 +491,12 @@ namespace sysmem {
+ 
+ if (!SysConsole.iopConsole.IsActive()) return 1;
+ 
+- char tmp[1024], tmp2[1024];
++ // maximum allowed size for our buffer before we truncate
++ const unsigned int max_len = 4096;
++ char tmp[max_len], tmp2[max_len];
+ char *ptmp = tmp;
++ unsigned int printed_bytes = 0;
++ int remaining_buf = max_len - 1;
+ int n=1, i=0, j = 0;
+ 
+ while (fmt[i])
+@@ -502,35 +507,50 @@ namespace sysmem {
+ j = 0;
+ tmp2[j++] = '%';
+ _start:
+- switch (fmt[++i])
++ // let's check whether this is our null terminator
++ // before allowing the parser to proceed
++ if (fmt[i + 1])
+ {
+- case '.':
+- case 'l':
+- tmp2[j++] = fmt[i];
+- goto _start;
+- default:
+- if (fmt[i] >= '0' && fmt[i] <= '9')
+- {
++ switch (fmt[++i])
++ {
++ case '.':
++ case 'l':
++ if (j >= max_len)
++ break;
+ tmp2[j++] = fmt[i];
+ goto _start;
+- }
+- break;
++ default:
++ if (fmt[i] >= '0' && fmt[i] <= '9')
++ {
++ if (j >= max_len)
++ break;
++ tmp2[j++] = fmt[i];
++ goto _start;
++ }
++ break;
++ }
+ }
+ 
++ if (j >= max_len)
++ break;
+ tmp2[j++] = fmt[i];
+ tmp2[j] = 0;
+ 
+ switch (fmt[i])
+ {
+ case 'f': case 'F':
+- ptmp+= sprintf(ptmp, tmp2, (float)iopMemRead32(sp + n * 4));
++ printed_bytes = std::min(remaining_buf, snprintf(ptmp, remaining_buf, tmp2, (float)iopMemRead32(sp + n * 4)));
++ remaining_buf -= printed_bytes;
++ ptmp += printed_bytes;
+ n++;
+ break;
+ 
+ case 'a': case 'A':
+ case 'e': case 'E':
+ case 'g': case 'G':
+- ptmp+= sprintf(ptmp, tmp2, (double)iopMemRead32(sp + n * 4));
++ printed_bytes = std::min(remaining_buf, 
snprintf(ptmp, remaining_buf, tmp2, (double)iopMemRead32(sp + n * 4)));
++ remaining_buf -= printed_bytes;
++ ptmp += printed_bytes;
+ n++;
+ break;
+ 
+@@ -539,19 +559,25 @@ _start:
+ case 'd': case 'D':
+ case 'o': case 'O':
+ case 'x': case 'X':
+- ptmp+= sprintf(ptmp, tmp2, (u32)iopMemRead32(sp + n * 4));
++ printed_bytes = std::min(remaining_buf, snprintf(ptmp, remaining_buf, tmp2, (u32)iopMemRead32(sp + n * 4)));
++ remaining_buf -= printed_bytes;
++ ptmp += printed_bytes;
+ n++;
+ break;
+ 
+ case 'c':
+- ptmp+= sprintf(ptmp, tmp2, (u8)iopMemRead32(sp + n * 4));
++ printed_bytes = std::min(remaining_buf, snprintf(ptmp, remaining_buf, tmp2, (u8)iopMemRead32(sp + n * 4)));
++ remaining_buf -= printed_bytes;
++ ptmp += printed_bytes;
+ n++;
+ break;
+ 
+ case 's':
+ {
+ std::string s = iopMemReadString(iopMemRead32(sp + n * 4));
+- ptmp += sprintf(ptmp, tmp2, s.data());
++ printed_bytes = std::min(remaining_buf, snprintf(ptmp, remaining_buf, tmp2, s.data()));
++ remaining_buf -= printed_bytes;
++ ptmp += printed_bytes;
+ n++;
+ }
+ break;
diff -Nru pcsx2-1.6.0+dfsg/debian/patches/series pcsx2-1.6.0+dfsg/debian/patches/series
--- pcsx2-1.6.0+dfsg/debian/patches/series 2024-12-23 15:37:39.000000000 +0100
+++ pcsx2-1.6.0+dfsg/debian/patches/series 2026-01-19 09:55:23.000000000 +0100
@@ -1,2 +1,3 @@
 wxwidgets3.2.patch
 cpp_error_ftbfs.patch
+CVE-2025-49589.patch
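Review bot: The last guard before `tmp2[j++] = fmt[i]; tmp2[j] = 0;` in the backported IopBios.cpp patch still allows a one-byte write past `tmp2`, because `if (j >= max_len) break;` lets `j == max_len - 1` through and the terminator then lands at index `max_len`; `if (j >= max_len - 1) break;` leaves room for it. In all five conversion cases the result of `std::min(remaining_buf, snprintf(...))` is stored in the unsigned `printed_bytes`, so a negative snprintf return (output or encoding error) wraps to a huge value that is then added to `ptmp`; keeping the return in an `int` and counting `r < 0` as zero bytes written avoids that. Both cases depend on the contents of `fmt`, which presumably comes from guest memory. Its origin, the literal-character copy into `tmp` and the final termination all lie outside the inner hunks, so it is worth confirming against the full function that those paths honour `remaining_buf` as well.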

