Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:poco
User: [email protected]
Usertags: pu
* CVE-2025-6375: Segmentation fault in MultipartStreamBuf
(Closes: #1108157)
diffstat for poco-1.13.0 poco-1.13.0
 changelog | 8 ++
 patches/0001-fix-Net-A-SEGV-at-Net-src-MultipartReader.cpp-164-1-.patch | 34 ++++++++++
 patches/series | 1
 3 files changed, 43 insertions(+)
diff -Nru poco-1.13.0/debian/changelog poco-1.13.0/debian/changelog
--- poco-1.13.0/debian/changelog 2024-03-17 21:41:11.000000000 +0200
+++ poco-1.13.0/debian/changelog 2026-06-20 21:15:03.000000000 +0300
@@ -1,3 +1,11 @@
+poco (1.13.0-6+deb13u1) trixie; urgency=medium
+
+ * QA upload.
+ * CVE-2025-6375: Segmentation fault in MultipartStreamBuf
+ (Closes: #1108157)
+
+ -- Adrian Bunk <[email protected]> Sat, 20 Jun 2026 21:15:03 +0300
+
poco (1.13.0-6) unstable; urgency=medium
* QA upload
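Review bot: the new 1.13.0-6+deb13u1 entry names the CVE and the closed bug but not the patch it adds. Consider mentioning debian/patches/0001-fix-Net-A-SEGV-at-Net-src-MultipartReader.cpp-164-1-.patch, or the upstream commit it was taken from, in the CVE-2025-6375 item so the change can be traced from the changelog alone.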
diff -Nru
poco-1.13.0/debian/patches/0001-fix-Net-A-SEGV-at-Net-src-MultipartReader.cpp-164-1-.patch
poco-1.13.0/debian/patches/0001-fix-Net-A-SEGV-at-Net-src-MultipartReader.cpp-164-1-.patch
---
poco-1.13.0/debian/patches/0001-fix-Net-A-SEGV-at-Net-src-MultipartReader.cpp-164-1-.patch
1970-01-01 02:00:00.000000000 +0200
+++
poco-1.13.0/debian/patches/0001-fix-Net-A-SEGV-at-Net-src-MultipartReader.cpp-164-1-.patch
2026-06-20 21:14:17.000000000 +0300
@@ -0,0 +1,34 @@
+From 9c10313986291de42c68ea63a5701748682c51e8 Mon Sep 17 00:00:00 2001
+From: Günter Obiltschnig <[email protected]>
+Date: Wed, 16 Apr 2025 09:15:33 +0200
+Subject: fix(Net): A SEGV at Net/src/MultipartReader.cpp:164:1 #4915 (move
+ assertion out of ctor)
+
+---
+ Net/src/MultipartReader.cpp | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/Net/src/MultipartReader.cpp b/Net/src/MultipartReader.cpp
+index 24f42c341..df43adacc 100644
+--- a/Net/src/MultipartReader.cpp
++++ b/Net/src/MultipartReader.cpp
+@@ -36,7 +36,6 @@ MultipartStreamBuf::MultipartStreamBuf(std::istream& istr,
const std::string& bo
+ _boundary(boundary),
+ _lastPart(false)
+ {
+- poco_assert (!boundary.empty() && boundary.length() <
STREAM_BUFFER_SIZE - 6);
+ }
+
+
+@@ -47,7 +46,7 @@ MultipartStreamBuf::~MultipartStreamBuf()
+
+ int MultipartStreamBuf::readFromDevice(char* buffer, std::streamsize length)
+ {
+- poco_assert_dbg (length >= _boundary.length() + 6);
++ poco_assert (!_boundary.empty() && _boundary.length() < length - 6);
+
+ static const int eof = std::char_traits<char>::eof();
+ std::streambuf& buf = *_istr.rdbuf();
+--
+2.47.3
+
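Review bot: in the readFromDevice() part of the embedded patch, the new check `_boundary.length() < length - 6` compares an unsigned string length with an expression on the signed std::streamsize `length`. Where both types have the same width, any `length` below 6 makes the right-hand side negative, it converts to a very large unsigned value, and the assertion passes instead of failing. The removed debug assertion avoided this by adding on the unsigned side (`length >= _boundary.length() + 6`). Keeping that form, for example `!_boundary.empty() && _boundary.length() + 6 < static_cast<std::size_t>(length)`, preserves the new strict bound without the subtraction. The limit is also now checked against the caller-supplied `length` rather than STREAM_BUFFER_SIZE, and an empty or over-long boundary is reported by poco_assert on the first read instead of in the constructor. The patch header has no description saying so, and would also benefit from Origin and Bug-Debian fields pointing at the upstream commit and #1108157.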
diff -Nru poco-1.13.0/debian/patches/series poco-1.13.0/debian/patches/series
--- poco-1.13.0/debian/patches/series 2024-03-17 21:36:37.000000000 +0200
+++ poco-1.13.0/debian/patches/series 2026-06-20 21:15:01.000000000 +0300
@@ -9,3 +9,4 @@
0010-Disable-SHA2-test-on-platforms-where-it-s-broken.patch
0011-Set-POCO_NO_FPENVIRONMENT-for-armel.patch
0012-Disable-failing-tests.patch
+0001-fix-Net-A-SEGV-at-Net-src-MultipartReader.cpp-164-1-.patch
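Review bot: the appended entry is numbered 0001 although it is applied last, after 0012-Disable-failing-tests.patch. Renaming it to continue the sequence (0013-...) would keep the file names in line with the order in series.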