Your message dated Sat, 16 May 2026 10:23:17 +0000
with message-id <[email protected]>
and subject line Released with 13.5
has caused the Debian Bug report #1134383,
regarding trixie-pu: libcoap3/4.3.4-1.1+deb13u3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1134383: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134383
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
User: [email protected]
Usertags: pu
The attached debdiff for libcoap3 fixes CVE-2025-34468 and CVE-2026-29013
in Trixie. One of the CVEs is already marked as no-dsa by the security
team and I think the other will follow.
libcoap3 is a leaf package with no rdeps within Debian so there should be
not much hassle with this fix.
Thorsten
diff -Nru libcoap3-4.3.4/debian/changelog libcoap3-4.3.4/debian/changelog
--- libcoap3-4.3.4/debian/changelog 2025-12-29 18:23:22.000000000 +0100
+++ libcoap3-4.3.4/debian/changelog 2026-04-19 10:23:22.000000000 +0200
@@ -1,3 +1,12 @@
+libcoap3 (4.3.4-1.1+deb13u3) trixie; urgency=medium
+
+ * CVE-2026-29013 (Closes: #1134340)
+ fix out-of-bounds read
+ * CVE-2025-34468 (Closes: #1124407)
+ fix stack-based buffer overflow
+
+ -- Thorsten Alteholz <[email protected]> Sun, 19 Apr 2026 10:23:22 +0200
+
libcoap3 (4.3.4-1.1+deb13u2) trixie; urgency=medium
* CVE-2025-59391 (Closes: #1122290)
diff -Nru libcoap3-4.3.4/debian/patches/CVE-2025-34468.patch
libcoap3-4.3.4/debian/patches/CVE-2025-34468.patch
--- libcoap3-4.3.4/debian/patches/CVE-2025-34468.patch 1970-01-01
01:00:00.000000000 +0100
+++ libcoap3-4.3.4/debian/patches/CVE-2025-34468.patch 2026-04-19
10:23:22.000000000 +0200
@@ -0,0 +1,123 @@
+From cc9aba6e01973b7cc06b7b20d0986411e5f5e2ef Mon Sep 17 00:00:00 2001
+From: Jon Shallow <[email protected]>
+Date: Fri, 12 Sep 2025 10:07:41 +0100
+Subject: [PATCH] coap_address.c: Validate length of provided host name
+
+Host names larger than 255 bytes will cause an internal buffer overflow.
+
+Hostnames provided to coap_resolve_address_info() now have their length
validated.
+
+Discovered by SecMate (https://secmate.dev).
+
+Sanity check host lengths when parsing a CoAP URI when using the
coap_split_uri()
+function.
+---
+ examples/coap-client.c | 11 ++++++-----
+ src/coap_address.c | 9 +++++++--
+ src/coap_uri.c | 20 +++++++++++++++++++-
+ 3 files changed, 32 insertions(+), 8 deletions(-)
+
+Index: libcoap3-4.3.4/examples/coap-client.c
+===================================================================
+--- libcoap3-4.3.4.orig/examples/coap-client.c 2026-04-19 11:56:48.793762781
+0200
++++ libcoap3-4.3.4/examples/coap-client.c 2026-04-19 11:56:48.789762746
+0200
+@@ -822,6 +822,12 @@
+ static int
+ cmdline_uri(char *arg) {
+
++ /* Sanity check the provided (Proxy)Uri */
++ if (coap_split_uri((unsigned char *)arg, strlen(arg), &uri) < 0) {
++ coap_log_err("invalid CoAP URI '%s'\n", arg);
++ return -1;
++ }
++
+ if (!proxy_scheme_option && proxy.host.length) {
+ /* create Proxy-Uri from argument */
+ size_t len = strlen(arg);
+@@ -836,11 +842,6 @@
+ (unsigned char *)arg));
+
+ } else { /* split arg into Uri-* options */
+- if (coap_split_uri((unsigned char *)arg, strlen(arg), &uri) < 0) {
+- coap_log_err("invalid CoAP URI\n");
+- return -1;
+- }
+-
+ /* Need to special case use of reliable */
+ if (uri.scheme == COAP_URI_SCHEME_COAPS && reliable) {
+ if (!coap_tls_is_supported()) {
+Index: libcoap3-4.3.4/src/coap_address.c
+===================================================================
+--- libcoap3-4.3.4.orig/src/coap_address.c 2026-04-19 11:56:48.793762781
+0200
++++ libcoap3-4.3.4/src/coap_address.c 2026-04-19 11:56:48.789762746 +0200
+@@ -469,10 +469,15 @@
+ #endif /* COAP_AF_UNIX_SUPPORT */
+
+ memset(addrstr, 0, sizeof(addrstr));
+- if (address && address->length)
++ if (address && address->length) {
++ if (address->length >= sizeof(addrstr)) {
++ coap_log_warn("Host name too long (%zu > 255)\n", address->length);
++ return NULL;
++ }
+ memcpy(addrstr, address->s, address->length);
+- else
++ } else {
+ memcpy(addrstr, "localhost", 9);
++ }
+
+ memset((char *)&hints, 0, sizeof(hints));
+ hints.ai_socktype = 0;
+Index: libcoap3-4.3.4/src/coap_uri.c
+===================================================================
+--- libcoap3-4.3.4.orig/src/coap_uri.c 2026-04-19 11:56:48.793762781 +0200
++++ libcoap3-4.3.4/src/coap_uri.c 2026-04-19 11:56:48.789762746 +0200
+@@ -59,6 +59,15 @@
+ { "coaps+ws", 443, 0, COAP_URI_SCHEME_COAPS_WS }
+ };
+
++/*
++ * Returns 0 All OK
++ * -1 Insufficient / Invalid parameters
++ * -2 No '://'
++ * -3 Ipv6 definition error or no host defined after scheme://
++ * -4 Invalid port value
++ * -5 Port defined for Unix domain
++ * -6 Hostname > 255 chars
++ */
+ static int
+ coap_split_uri_sub(const uint8_t *str_var,
+ size_t len,
+@@ -165,8 +174,10 @@
+ if (len && *p == '[') {
+ /* IPv6 address reference */
+ ++p;
++ ++q;
++ --len;
+
+- while (len && *q != ']') {
++ while (len && *q != ']' && (isxdigit(*q) || *q == ':')) {
+ ++q;
+ --len;
+ }
+@@ -197,6 +208,12 @@
+ goto error;
+ }
+
++ if ((int)(q - p) > 255) {
++ coap_log_warn("Host name length too long (%d > 255)\n", (int)(q - p));
++ res = -6;
++ goto error;
++ }
++
+ COAP_SET_STR(&uri->host, q - p, p);
+ }
+
+@@ -222,6 +239,7 @@
+
+ /* check if port number is in allowed range */
+ if (uri_port > UINT16_MAX) {
++ coap_log_warn("Port number too big (%ld > 65535)\n", uri_port);
+ res = -4;
+ goto error;
+ }
diff -Nru libcoap3-4.3.4/debian/patches/CVE-2026-29013.patch
libcoap3-4.3.4/debian/patches/CVE-2026-29013.patch
--- libcoap3-4.3.4/debian/patches/CVE-2026-29013.patch 1970-01-01
01:00:00.000000000 +0100
+++ libcoap3-4.3.4/debian/patches/CVE-2026-29013.patch 2026-04-19
10:23:22.000000000 +0200
@@ -0,0 +1,80 @@
+From b7847c4dbb0dbee7c90b09a673d4cae256f03718 Mon Sep 17 00:00:00 2001
+From: Jon Shallow <[email protected]>
+Date: Tue, 24 Mar 2026 14:15:09 +0000
+Subject: [PATCH] sanitizer: Fix reported issues
+
+coap_new_cache_entry() does not correctly check for no PDU data when called
+with COAP_CACHE_RECORD_PDU. No current libcoap code (examples and library)
+call coap_new_cache_entry() with COAP_CACHE_RECORD_PDU set.
+
+Internal function coap_pdu_resize() can be used to reduce a PDU size,
+creating current options confusion. Fix is not to reduce PDU if new
+size is smaller than the current used size. No current libcoap code calls
+coap_pdu_resize() to reduce the size.
+
+If there is an issue with the PDU options where the maximum used option
+value is larger than the last defined option value, an assert() is triggered.
+
+All of the coap_*_option() functions correctly manage pdu->max_opt, but
+this issue could occur if coap_pdu_resize() was called to reduce the PDU size
+below that of pdu->used_size.
+---
+ src/coap_cache.c | 3 ++-
+ src/coap_pdu.c | 11 +++++++++--
+ 2 files changed, 11 insertions(+), 3 deletions(-)
+
+Index: libcoap3-4.3.4/src/coap_cache.c
+===================================================================
+--- libcoap3-4.3.4.orig/src/coap_cache.c 2026-04-19 10:48:17.714962770
+0200
++++ libcoap3-4.3.4/src/coap_cache.c 2026-04-19 10:48:17.714962770 +0200
+@@ -173,7 +173,8 @@
+ memcpy(entry->pdu, pdu, offsetof(coap_pdu_t, token));
+ memcpy(entry->pdu->token, pdu->token, pdu->used_size);
+ /* And adjust all the pointers etc. */
+- entry->pdu->data = entry->pdu->token + (pdu->data - pdu->token);
++ if (pdu->data)
++ entry->pdu->data = entry->pdu->token + (pdu->data - pdu->token);
+ }
+ }
+ entry->cache_key = coap_cache_derive_key(session, pdu, session_based);
+Index: libcoap3-4.3.4/src/coap_pdu.c
+===================================================================
+--- libcoap3-4.3.4.orig/src/coap_pdu.c 2026-04-19 10:48:17.714962770 +0200
++++ libcoap3-4.3.4/src/coap_pdu.c 2026-04-19 10:48:17.714962770 +0200
+@@ -244,10 +244,12 @@
+ int
+ coap_pdu_resize(coap_pdu_t *pdu, size_t new_size) {
+ if (new_size > pdu->alloc_size) {
++ /* Expanding the PDU usage */
+ #if !defined(WITH_LWIP)
+ uint8_t *new_hdr;
+ size_t offset;
+ #endif
++
+ if (pdu->max_size && new_size > pdu->max_size) {
+ coap_log_warn("coap_pdu_resize: pdu too big\n");
+ return 0;
+@@ -278,8 +280,8 @@
+ else
+ pdu->actual_token.s = &pdu->token[2];
+ #endif
++ pdu->alloc_size = new_size;
+ }
+- pdu->alloc_size = new_size;
+ return 1;
+ }
+
+@@ -585,7 +587,12 @@
+ }
+ prev_number = opt_iter.number;
+ }
+- assert(option != NULL);
++ if (option == NULL) {
++ /* Code is broken somewhere */
++ coap_log_warn("coap_insert_option: Broken max_opt\n");
++ return 0;
++ }
++
+ /* size of option inc header to insert */
+ shift = coap_opt_encode_size(number - prev_number, len);
+
diff -Nru libcoap3-4.3.4/debian/patches/series
libcoap3-4.3.4/debian/patches/series
--- libcoap3-4.3.4/debian/patches/series 2025-12-21 11:30:53.000000000
+0100
+++ libcoap3-4.3.4/debian/patches/series 2026-04-19 10:23:22.000000000
+0200
@@ -3,3 +3,6 @@
CVE-2025-59391.patch
CVE-2025-65501+65500+65499+65498+65497+65496+65495+65494+65493.patch
+
+CVE-2025-34468.patch
+CVE-2026-29013.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.5
This update has been released as part of Debian 13.5.
--- End Message ---
