Control: tag -1 confirmed moreinfo d-i

Hi,

On Sun, Jun 21, 2026 at 07:54:49PM +0200, Moritz Muehlenhoff wrote:
> Fixes a low impact security issue, debdiff below. All tests in debusine
> are looking good.
> 
> Cheers,
>         Moritz

Seems reasonable to me; d-i ack required for the udeb.

> 
> diff -Nru alsa-lib-1.2.14/debian/changelog alsa-lib-1.2.14/debian/changelog
> --- alsa-lib-1.2.14/debian/changelog  2025-04-14 20:26:22.000000000 +0200
> +++ alsa-lib-1.2.14/debian/changelog  2026-06-19 20:17:25.000000000 +0200
> @@ -1,3 +1,9 @@
> +alsa-lib (1.2.14-1+deb13u1) trixie; urgency=medium
> +
> +  * CVE-2026-25068 (Closes: #1126629)
> +
> + -- Moritz Mühlenhoff <[email protected]>  Fri, 19 Jun 2026 20:17:25 +0200
> +
>  alsa-lib (1.2.14-1) unstable; urgency=medium
>  
>    * New upstream release.
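
Review bot: the new entry at the top of debian/changelog says only "CVE-2026-25068 (Closes: #1126629)" and does not describe the change. Consider naming the fix, for example by reusing the subject of the included patch ("topology: decoder - add boundary check for channel mixer count"), so the entry can be understood without looking up the CVE.
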
> diff -Nru alsa-lib-1.2.14/debian/patches/CVE-2026-25068.patch 
> alsa-lib-1.2.14/debian/patches/CVE-2026-25068.patch
> --- alsa-lib-1.2.14/debian/patches/CVE-2026-25068.patch       1970-01-01 
> 01:00:00.000000000 +0100
> +++ alsa-lib-1.2.14/debian/patches/CVE-2026-25068.patch       2026-06-19 
> 20:17:25.000000000 +0200
> @@ -0,0 +1,20 @@
> +From 5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40 Mon Sep 17 00:00:00 2001
> +From: Jaroslav Kysela <[email protected]>
> +Date: Thu, 29 Jan 2026 16:51:09 +0100
> +Subject: [PATCH] topology: decoder - add boundary check for channel mixer
> + count
> +
> +--- alsa-lib-1.2.14.orig/src/topology/ctl.c
> ++++ alsa-lib-1.2.14/src/topology/ctl.c
> +@@ -1247,6 +1247,11 @@ int tplg_decode_control_mixer1(snd_tplg_
> +     if (mc->num_channels > 0) {
> +             map = tplg_calloc(heap, sizeof(*map));
> +             map->num_channels = mc->num_channels;
> ++            if (map->num_channels > SND_TPLG_MAX_CHAN ||
> ++                map->num_channels > SND_SOC_TPLG_MAX_CHAN) {
> ++                    SNDERR("mixer: unexpected channel count %d", 
> map->num_channels);
> ++                    return -EINVAL;
> ++            }
> +             for (i = 0; i < map->num_channels; i++) {
> +                     map->channel[i].reg = mc->channel[i].reg;
> +                     map->channel[i].shift = mc->channel[i].shift;
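
Review bot: in tplg_decode_control_mixer1() the added bound check sits after "map = tplg_calloc(heap, sizeof(*map));" and after the count has been copied into map->num_channels, so the -EINVAL path returns with map already allocated. Comparing mc->num_channels against SND_TPLG_MAX_CHAN and SND_SOC_TPLG_MAX_CHAN before the allocation would reject the input earlier and keep the error path free of side effects. The context lines also dereference map without testing the tplg_calloc() result, which is worth confirming as intended while this code is being touched.
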
> diff -Nru alsa-lib-1.2.14/debian/patches/series 
> alsa-lib-1.2.14/debian/patches/series
> --- alsa-lib-1.2.14/debian/patches/series     2024-02-09 21:18:05.000000000 
> +0100
> +++ alsa-lib-1.2.14/debian/patches/series     2026-06-19 20:17:25.000000000 
> +0200
> @@ -1 +1,2 @@
>  0001-Enabled-extended-namehints-in-alsa.conf.patch
> +CVE-2026-25068.patch

-- 
Jonathan Wiltshire                                      [email protected]
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
