Bug#1140382: trixie-pu: package mxml/3.3.1-1+deb13u1

Fri, 19 Jun 2026 04:39:15 -0700 

Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:mxml
User: [email protected]
Usertags: pu

  * CVE-2026-5037: Out-of-bounds read in index_sort() (Closes: #1132328)

diffstat for mxml-3.3.1 mxml-3.3.1

 changelog                                                     |    7 ++
 patches/0001-Fix-access-issue-in-mxmlIndexNew-Issue-350.patch |   25 ++++++++++
 patches/series                                                |    1 
 3 files changed, 33 insertions(+)

diff -Nru mxml-3.3.1/debian/changelog mxml-3.3.1/debian/changelog
--- mxml-3.3.1/debian/changelog 2022-07-29 11:04:42.000000000 +0300
+++ mxml-3.3.1/debian/changelog 2026-06-19 14:17:53.000000000 +0300
@@ -1,3 +1,10 @@
+mxml (3.3.1-1+deb13u1) trixie; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2026-5037: Out-of-bounds read in index_sort() (Closes: #1132328)
+
+ -- Adrian Bunk <[email protected]>  Fri, 19 Jun 2026 14:17:53 +0300
+
 mxml (3.3.1-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru 
mxml-3.3.1/debian/patches/0001-Fix-access-issue-in-mxmlIndexNew-Issue-350.patch 
mxml-3.3.1/debian/patches/0001-Fix-access-issue-in-mxmlIndexNew-Issue-350.patch
--- 
mxml-3.3.1/debian/patches/0001-Fix-access-issue-in-mxmlIndexNew-Issue-350.patch 
    1970-01-01 02:00:00.000000000 +0200
+++ 
mxml-3.3.1/debian/patches/0001-Fix-access-issue-in-mxmlIndexNew-Issue-350.patch 
    2026-06-19 14:17:18.000000000 +0300
@@ -0,0 +1,25 @@
+From dc646842629275cda0f77f3dd6a5b269ab007fa2 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <[email protected]>
+Date: Thu, 12 Mar 2026 20:28:25 -0400
+Subject: Fix access issue in mxmlIndexNew (Issue #350)
+
+---
+ mxml-index.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mxml-index.c b/mxml-index.c
+index ca1ea7b..72836f9 100644
+--- a/mxml-index.c
++++ b/mxml-index.c
+@@ -644,7 +644,7 @@ index_sort(mxml_index_t *ind,              /* I - Index to 
sort */
+     * Recursively sort the left partition as needed...
+     */
+ 
+-    if (left < (tempr - 1))
++    if (tempr > 0 && left < (tempr - 1))
+       index_sort(ind, left, tempr - 1);
+   }
+   while (right > (left = tempr + 1));
+-- 
+2.47.3
+
diff -Nru mxml-3.3.1/debian/patches/series mxml-3.3.1/debian/patches/series
--- mxml-3.3.1/debian/patches/series    2022-07-29 11:04:42.000000000 +0300
+++ mxml-3.3.1/debian/patches/series    2026-06-19 14:17:46.000000000 +0300
@@ -5,3 +5,4 @@
 06_autoheader-fixes.patch
 07_compile_fixes.patch
 08_cross.patch
+0001-Fix-access-issue-in-mxmlIndexNew-Issue-350.patch

Reply via email to