Hi Jonathan, On Sat, 2026-02-28 at 15:45 +0000, Jonathan Wiltshire wrote: > Target should be trixie (not -security); with that change please go ahead.
Thanks - I've changed the target to trixie and uploaded the package. I hope the uploaded package is good - the last stable upload I did the target messed up for an unknown reason (see Bug#1101062). I'd appreciate it if you could check this package with that in mind so I can update my process if it's still wrong. I checked the changes file, dsc and debian/changelog in the upload and it seems fine to me but I would appreciate a second pair of eyes. I have also uploaded the debdiff for this revision for tracking. Cheers! Chris
diff -Nru pcsx2-1.6.0+dfsg/debian/changelog pcsx2-1.6.0+dfsg/debian/changelog --- pcsx2-1.6.0+dfsg/debian/changelog 2024-12-23 14:57:26.000000000 +0000 +++ pcsx2-1.6.0+dfsg/debian/changelog 2026-03-01 20:32:47.000000000 +0000 @@ -1,3 +1,10 @@ +pcsx2 (1.6.0+dfsg-3+deb13u1) trixie; urgency=medium + + [ Sébastien Noel ] + * Backport security fix for CVE-2025-49589. + + -- Christopher Obbard <[email protected]> Sun, 01 Mar 2026 20:32:47 +0000 + pcsx2 (1.6.0+dfsg-3) unstable; urgency=medium * Team Upload diff -Nru pcsx2-1.6.0+dfsg/debian/patches/CVE-2025-49589.patch pcsx2-1.6.0+dfsg/debian/patches/CVE-2025-49589.patch --- pcsx2-1.6.0+dfsg/debian/patches/CVE-2025-49589.patch 1970-01-01 01:00:00.000000000 +0100 +++ pcsx2-1.6.0+dfsg/debian/patches/CVE-2025-49589.patch 2026-03-01 20:32:47.000000000 +0000 @@ -0,0 +1,124 @@ +Description: CVE-2025-49589 + backport the following upstream commit: + 4c9d2f99b17b1e6f281a264b673f39d95ede6c21 + 6eac0bbcb1d59197a1aa99e41dfae0f87bc23848 +Origin: upstream +Forwarded: not-needed +Last-Update: 2026-01-19 + +--- a/pcsx2/IopBios.cpp ++++ b/pcsx2/IopBios.cpp +@@ -20,6 +20,7 @@ + + #include <ctype.h> + #include <string.h> ++#include <algorithm> + + #ifndef O_BINARY + #define O_BINARY 0 +@@ -490,8 +491,12 @@ namespace sysmem { + + if (!SysConsole.iopConsole.IsActive()) return 1; + +- char tmp[1024], tmp2[1024]; ++ // maximum allowed size for our buffer before we truncate ++ const unsigned int max_len = 4096; ++ char tmp[max_len], tmp2[max_len]; + char *ptmp = tmp; ++ unsigned int printed_bytes = 0; ++ int remaining_buf = max_len - 1; + int n=1, i=0, j = 0; + + while (fmt[i]) +@@ -502,35 +507,50 @@ namespace sysmem { + j = 0; + tmp2[j++] = '%'; + _start: +- switch (fmt[++i]) ++ // let's check whether this is our null terminator ++ // before allowing the parser to proceed ++ if (fmt[i + 1]) + { +- case '.': +- case 'l': +- tmp2[j++] = fmt[i]; +- goto _start; +- default: +- if (fmt[i] >= '0' && fmt[i] <= '9') +- { ++ switch (fmt[++i]) ++ { ++ case '.': ++ case 'l': ++ if (j >= max_len) ++ break; + tmp2[j++] = fmt[i]; + goto _start; +- } +- break; ++ default: ++ if (fmt[i] >= '0' && fmt[i] <= '9') ++ { ++ if (j >= max_len) ++ break; ++ tmp2[j++] = fmt[i]; ++ goto _start; ++ } ++ break; ++ } + } + ++ if (j >= max_len) ++ break; + tmp2[j++] = fmt[i]; + tmp2[j] = 0; + + switch (fmt[i]) + { + case 'f': case 'F': +- ptmp+= sprintf(ptmp, tmp2, (float)iopMemRead32(sp + n * 4)); ++ printed_bytes = std::min(remaining_buf, snprintf(ptmp, remaining_buf, tmp2, (float)iopMemRead32(sp + n * 4))); ++ remaining_buf -= printed_bytes; ++ ptmp += printed_bytes; + n++; + break; + + case 'a': case 'A': + case 'e': case 'E': + case 'g': case 'G': +- ptmp+= sprintf(ptmp, tmp2, (double)iopMemRead32(sp + n * 4)); ++ printed_bytes = std::min(remaining_buf, snprintf(ptmp, remaining_buf, tmp2, (double)iopMemRead32(sp + n * 4))); ++ remaining_buf -= printed_bytes; ++ ptmp += printed_bytes; + n++; + break; + +@@ -539,19 +559,25 @@ _start: + case 'd': case 'D': + case 'o': case 'O': + case 'x': case 'X': +- ptmp+= sprintf(ptmp, tmp2, (u32)iopMemRead32(sp + n * 4)); ++ printed_bytes = std::min(remaining_buf, snprintf(ptmp, remaining_buf, tmp2, (u32)iopMemRead32(sp + n * 4))); ++ remaining_buf -= printed_bytes; ++ ptmp += printed_bytes; + n++; + break; + + case 'c': +- ptmp+= sprintf(ptmp, tmp2, (u8)iopMemRead32(sp + n * 4)); ++ printed_bytes = std::min(remaining_buf, snprintf(ptmp, remaining_buf, tmp2, (u8)iopMemRead32(sp + n * 4))); ++ remaining_buf -= printed_bytes; ++ ptmp += printed_bytes; + n++; + break; + + case 's': + { + std::string s = iopMemReadString(iopMemRead32(sp + n * 4)); +- ptmp += sprintf(ptmp, tmp2, s.data()); ++ printed_bytes = std::min(remaining_buf, snprintf(ptmp, remaining_buf, tmp2, s.data())); ++ remaining_buf -= printed_bytes; ++ ptmp += printed_bytes; + n++; + } + break; diff -Nru pcsx2-1.6.0+dfsg/debian/patches/series pcsx2-1.6.0+dfsg/debian/patches/series --- pcsx2-1.6.0+dfsg/debian/patches/series 2024-12-23 14:37:39.000000000 +0000 +++ pcsx2-1.6.0+dfsg/debian/patches/series 2026-03-01 20:32:47.000000000 +0000 @@ -1,2 +1,3 @@ wxwidgets3.2.patch cpp_error_ftbfs.patch +CVE-2025-49589.patch
