Control: tag -1 confirmed moreinfo d-i

Hi,
On Sun, Jun 21, 2026 at 07:54:49PM +0200, Moritz Muehlenhoff wrote: > Fixes a low impact security issue, debdiff below. All tests in debusine > are looking good. > > Cheers, > Moritz Seems reasonable to me; d-i ack required for the udeb. > > diff -Nru alsa-lib-1.2.14/debian/changelog alsa-lib-1.2.14/debian/changelog > --- alsa-lib-1.2.14/debian/changelog 2025-04-14 20:26:22.000000000 +0200 > +++ alsa-lib-1.2.14/debian/changelog 2026-06-19 20:17:25.000000000 +0200 > @@ -1,3 +1,9 @@ > +alsa-lib (1.2.14-1+deb13u1) trixie; urgency=medium > + > + * CVE-2026-25068 (Closes: #1126629) > + > + -- Moritz Mühlenhoff <[email protected]> Fri, 19 Jun 2026 20:17:25 +0200 > + > alsa-lib (1.2.14-1) unstable; urgency=medium > > * New upstream release. > diff -Nru alsa-lib-1.2.14/debian/patches/CVE-2026-25068.patch > alsa-lib-1.2.14/debian/patches/CVE-2026-25068.patch > --- alsa-lib-1.2.14/debian/patches/CVE-2026-25068.patch 1970-01-01 > 01:00:00.000000000 +0100 > +++ alsa-lib-1.2.14/debian/patches/CVE-2026-25068.patch 2026-06-19 > 20:17:25.000000000 +0200 
> @@ -0,0 +1,20 @@ > +From 5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40 Mon Sep 17 00:00:00 2001 > +From: Jaroslav Kysela <[email protected]> > +Date: Thu, 29 Jan 2026 16:51:09 +0100 > +Subject: [PATCH] topology: decoder - add boundary check for channel mixer > + count > + > +--- alsa-lib-1.2.14.orig/src/topology/ctl.c > ++++ alsa-lib-1.2.14/src/topology/ctl.c > +@@ -1247,6 +1247,11 @@ int tplg_decode_control_mixer1(snd_tplg_ > + if (mc->num_channels > 0) { > + map = tplg_calloc(heap, sizeof(*map)); > + map->num_channels = mc->num_channels; > ++ if (map->num_channels > SND_TPLG_MAX_CHAN || > ++ map->num_channels > SND_SOC_TPLG_MAX_CHAN) { > ++ SNDERR("mixer: unexpected channel count %d", > map->num_channels); > ++ return -EINVAL; > ++ } > + for (i = 0; i < map->num_channels; i++) { > + map->channel[i].reg = mc->channel[i].reg; > + map->channel[i].shift = mc->channel[i].shift; > diff -Nru alsa-lib-1.2.14/debian/patches/series > alsa-lib-1.2.14/debian/patches/series > --- alsa-lib-1.2.14/debian/patches/series 2024-02-09 21:18:05.000000000 > +0100 > +++ alsa-lib-1.2.14/debian/patches/series 2026-06-19 20:17:25.000000000 > +0200 > @@ -1 +1,2 @@ > 0001-Enabled-extended-namehints-in-alsa.conf.patch > +CVE-2026-25068.patch -- Jonathan Wiltshire [email protected] Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
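Review bot: in the debian/changelog hunk, the new entry gives only "CVE-2026-25068 (Closes: #1126629)" with no description of the change. Add a short summary taken from the patch subject (topology decoder: boundary check for channel mixer count) so the entry is readable without looking up the CVE or the bug.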
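Review bot: in the tplg_decode_control_mixer1 hunk of debian/patches/CVE-2026-25068.patch, the new bounds check runs only after tplg_calloc() and after "map->num_channels = mc->num_channels", and the visible context shows no NULL check on map before it is dereferenced. Consider testing mc->num_channels against SND_TPLG_MAX_CHAN and SND_SOC_TPLG_MAX_CHAN before the allocation, so a rejected input returns -EINVAL without allocating, and check the tplg_calloc() result before use. The "%d" in the SNDERR call should match the type of num_channels (use "%u" if the field is unsigned). The patch header carries the upstream commit id but no Origin or Bug-Debian field; adding them would make the provenance explicit.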

