Source: docopt.cpp Version: 0.6.2-2.3 Severity: important Tags: security upstream Forwarded: https://github.com/docopt/docopt.cpp/issues/167 X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for docopt.cpp. CVE-2025-67125[0]: | A signed integer overflow in docopt.cpp v0.6.2 (LeafPattern::match | in docopt_private.h) when merging occurrence counters (e.g., default | LONG_MAX + first user "-v/--verbose") can cause counter wrap | (negative/unbounded semantics) and lead to logic/policy bypass in | applications that rely on occurrence-based limits, rate-gating, or | safety toggles. In hardened builds (e.g., UBSan or -ftrapv), the | overflow may also result in process abort (DoS). It is not clear what impact this has, and if it was reported upstream, so I filled [1] to gather some information. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-67125 https://www.cve.org/CVERecord?id=CVE-2025-67125 [1] https://github.com/docopt/docopt.cpp/issues/167 Regards, Salvatore
