Your message dated Sat, 16 May 2026 10:23:18 +0000
with message-id <[email protected]>
and subject line Released with 13.5
has caused the Debian Bug report #1135638,
regarding trixie-pu: package swupdate/2024.12.1+dfsg-3+deb13u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1135638: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135638
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:swupdate
User: [email protected]
Usertags: pu
[ Reason ]
CVE-2026-28525
[ Impact ]
Vulnerable for integer underflow in a webserver component
[ Tests ]
Compilation succeeds.
[ Risks ]
code is trivial (integer change from 8 to 6 and whitespace changes)
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Apply the upstream fix for CVE-2026-28525
diff -Nru swupdate-2024.12.1+dfsg/debian/changelog
swupdate-2024.12.1+dfsg/debian/changelog
--- swupdate-2024.12.1+dfsg/debian/changelog 2025-11-18 07:52:59.000000000
+0000
+++ swupdate-2024.12.1+dfsg/debian/changelog 2026-05-03 19:20:46.000000000
+0000
@@ -1,3 +1,9 @@
+swupdate (2024.12.1+dfsg-3+deb13u2) trixie; urgency=medium
+
+ * Apply ustream CVE-2026-28525 patch
+
+ -- Bastian Germann <[email protected]> Sun, 03 May 2026 19:20:46 +0000
+
swupdate (2024.12.1+dfsg-3+deb13u1) trixie; urgency=medium
* Backport: suricatta/wfx: Fix rebooting (Closes: #1118485)
diff -Nru swupdate-2024.12.1+dfsg/debian/patches/CVE-2026-28525.diff
swupdate-2024.12.1+dfsg/debian/patches/CVE-2026-28525.diff
--- swupdate-2024.12.1+dfsg/debian/patches/CVE-2026-28525.diff 1970-01-01
00:00:00.000000000 +0000
+++ swupdate-2024.12.1+dfsg/debian/patches/CVE-2026-28525.diff 2026-05-03
19:20:15.000000000 +0000
@@ -0,0 +1,48 @@
+Origin: upstream, beee2dc0feef1cfe84f1aa6fc980e104b2e47a74
+From: Stefano Babic <[email protected]>
+Date: Thu, 19 Mar 2026 10:50:13 +0100
+Subject: mongoose: Integer Underflow in Multipart Upload Parser
+
+The function mg_http_multipart_continue_wait_for_chunk() has
+a discrepancy between its guard condition and a subsequent
+subtraction in the else branch. The guard at line 250 checks
+`(int) io->len < mp_stream->boundary.len + 6`, allowing execution
+to continue when io->len >= boundary.len + 6.
+However, when mg_strstr() finds the boundary string in the
+buffer (else branch at line 264), data_len is computed as
+`io->len - (mp_stream->boundary.len + 8)`. The +6 vs +8
+mismatch means that when io->len is in the range [boundary.len + 6,
+boundary.len + 7], the subtraction underflows the size_t
+variable to SIZE_MAX or SIZE_MAX - 1.
+
+This will fix CVE-2026-28525.
+
+Description of issue copied from vulnerability report - many thanks to
+Kazuma for his analyses.
+
+Signed-off-by: Stefano Babic <[email protected]>
+Reported by: Kazuma Matsumoto, a security researcher at GMO Cybersecurity by
IERAE, Inc."
+---
+ mongoose/mongoose_multipart.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/mongoose/mongoose_multipart.c b/mongoose/mongoose_multipart.c
+index 12ea5434..7fdc1863 100644
+--- a/mongoose/mongoose_multipart.c
++++ b/mongoose/mongoose_multipart.c
+@@ -261,12 +261,12 @@ static int
mg_http_multipart_continue_wait_for_chunk(struct mg_connection *c) {
+ }
+ return 0;
+ } else {
+- size_t data_len = io->len - (mp_stream->boundary.len + 8);
++ size_t data_len = io->len - (mp_stream->boundary.len + 6);
+ size_t consumed = mg_http_multipart_call_handler(c,
MG_EV_HTTP_PART_DATA,
+-
(char *) io->buf, data_len);
++ (char *) io->buf, data_len);
+ mg_iobuf_del(io, 0, consumed);
+ if (consumed == data_len) {
+- mg_iobuf_del(io, 0, mp_stream->boundary.len + 8);
++ mg_iobuf_del(io, 0, mp_stream->boundary.len + 6);
+ mp_stream->state = MPS_FINALIZE;
+ return 1;
+ } else {
diff -Nru swupdate-2024.12.1+dfsg/debian/patches/series
swupdate-2024.12.1+dfsg/debian/patches/series
--- swupdate-2024.12.1+dfsg/debian/patches/series 2025-11-18
07:52:59.000000000 +0000
+++ swupdate-2024.12.1+dfsg/debian/patches/series 2026-05-03
19:20:35.000000000 +0000
@@ -1,3 +1,4 @@
+CVE-2026-28525.diff
Link-config-to-swupdate-www-path.diff
Replace-Font-Awesome-5-with-Fork-Awesome.diff
use-gcc-compiler.diff
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.5
This update has been released as part of Debian 13.5.
--- End Message ---
