Your message dated Sat, 16 May 2026 10:23:17 +0000
with message-id <[email protected]>
and subject line Released with 13.5
has caused the Debian Bug report #1135859,
regarding trixie-pu: package libtext-csv-xs-perl/1.60-1+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1135859: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135859
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:libtext-csv-xs-perl
User: [email protected]
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

In coordination with the security team, I've uploaded 
libtext-csv-xs-perl/1.60-1+deb13u1 to trixie in order to fix 
https://security-tracker.debian.org/tracker/CVE-2026-7111
aka #1135232

| Text::CSV_XS versions before 1.62 for Perl have a use-after-free when 
| registered callbacks extend the Perl argument stack, which may enable 
| type confusion or memory corruption. …

The fix is 1 quilt patch, taken from the respective uptream commit 
(also included in the 1.62 upstream release, aka tested in the wild), 
which is also already in unstable.

Find attached the complete debdiff against the version in trixie.


Thanks in advance,
gregor

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAmn7ep1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx
RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ
qgb4Sw//ckWUm+rojfX9peN3hUjtA5DFqwN4LCBgwAklj5gDkzwbgnQuFuV6SHlL
38kWtqQuxRLAQg6lkcngV6M3J1I0f/fnJgGuRtDF463NKc0xo+iQqEYJc6VYy6U1
dFYRRE/z/WYgFfxS1h9A4Gxc4isIXVtn5omZNCeEHXII4fQk8DmFan/eWwGc7cZh
nmBzBwQ4HTZD7kVJ4OHK9BRU12yj+bpJdtnm2gyP7PCiW03xUpkLDZVJvWZfSO+e
8DOVFlXeS3qX7uvSqdqQTMFJnOZ0by/kKdILDeQD8yHkB1+31CDvOcL+YWPjd184
CTLEhD+TrRK1HpOa954FUEYVlquLfct/YfFDA/PmDyZSz9QfCiMmkQgEnL02Bcpw
LBOvtvFDgl1MTC2pvt7rKMzx2xnGwSy6aYo9C+sEOS1JbT2lj0WlR0hkZE1kWCh1
g/wyBC8AU3QRUQhsEtvkGkr6lbvsYO+j6pCsIOEBr5nBjR+k+FdIGp84Vx01L/v1
Fk+a3gFXOFBsbtILCrFMyT+m41G8epbBr6D+aXoZFnp/jPxX0+RxA7touxsEi8pQ
Odr+8GCHS924RPa/syuUAvwi0w6q27EQltLQNppb59ID2Yztf/bOthskvGLehwqp
HiE8natvdAyTrHYFIAZWb9WD4x2BIbWKFRsx0by0jqNEDavsMhc=
=npYS
-----END PGP SIGNATURE-----
diff -Nru libtext-csv-xs-perl-1.60/debian/changelog 
libtext-csv-xs-perl-1.60/debian/changelog
--- libtext-csv-xs-perl-1.60/debian/changelog   2025-02-02 02:20:05.000000000 
+0100
+++ libtext-csv-xs-perl-1.60/debian/changelog   2026-05-06 17:02:23.000000000 
+0200
@@ -1,3 +1,11 @@
+libtext-csv-xs-perl (1.60-1+deb13u1) trixie; urgency=medium
+
+  * Fix possible stack corruption: CVE-2026-7111.
+    Patch taken from upstream Git commit, as released in 1.62.
+    (Closes: #1135232)
+
+ -- gregor herrmann <[email protected]>  Wed, 06 May 2026 17:02:23 +0200
+
 libtext-csv-xs-perl (1.60-1) unstable; urgency=medium
 
   * Import upstream version 1.60.
diff -Nru 
libtext-csv-xs-perl-1.60/debian/patches/0001-Fix-possible-stack-corruption.patch
 
libtext-csv-xs-perl-1.60/debian/patches/0001-Fix-possible-stack-corruption.patch
--- 
libtext-csv-xs-perl-1.60/debian/patches/0001-Fix-possible-stack-corruption.patch
    1970-01-01 01:00:00.000000000 +0100
+++ 
libtext-csv-xs-perl-1.60/debian/patches/0001-Fix-possible-stack-corruption.patch
    2026-05-06 17:02:23.000000000 +0200
@@ -0,0 +1,114 @@
+From c17f31a5f2bf36674748eb4b6e25672f0571a224 Mon Sep 17 00:00:00 2001
+From: "H.Merijn Brand - Tux" <[email protected]>
+Date: Sat, 25 Apr 2026 16:18:57 +0200
+Subject: [PATCH] Fix possible stack corruption (thanks leont) (issue 65)
+
+SPAGAIN required if callbacks can extend the stack
+
+
+Bug: https://github.com/cpan-authors/Text-CSV_XS/issues/65
+Bug-Debian: https://bugs.debian.org/1135232
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-7111
+
+
+---
+ CSV_XS.xs           | 36 ++++++++++++++++++------------------
+ ChangeLog           |  1 +
+ cpanfile            |  2 +-
+ sandbox/issue-65.pl | 41 ++++++++++++++++++++++++++++++++++++++---
+ 4 files changed, 58 insertions(+), 22 deletions(-)
+
+diff --git a/CSV_XS.xs b/CSV_XS.xs
+index f89859e..c348f83 100644
+--- a/CSV_XS.xs
++++ b/CSV_XS.xs
+@@ -122,6 +122,12 @@ static unsigned char ec, ebcdic2ascii[256] = {
+       croak ("self is not a hash ref");               \
+     hv = (HV *)SvRV (self)
+ 
++#define undef &PL_sv_undef
++#define PUT_RETURN(x) \
++    SPAGAIN;          \
++    ST (0) = x;               \
++    XSRETURN (1)
++
+ /* Keep in sync with .pm! */
+ #define CACHE_ID_quote_char           0
+ #define CACHE_ID_escape_char          1
+@@ -2603,7 +2609,7 @@ BOOT:
+     Perl_load_module (aTHX_ PERL_LOADMOD_NOIMPORT, newSVpvs ("IO::Handle"), 
NULL, NULL, NULL);
+ 
+ void
+-SetDiag (SV *self, int xse, ...)
++SetDiag (SV *self, int xse, SV *line = undef)
+ 
+   PPCODE:
+     HV                *hv;
+@@ -2619,8 +2625,8 @@ SetDiag (SV *self, int xse, ...)
+       ST (0) = sv_2mortal (SvDiag (xse));
+       }
+ 
+-    if (xse && items > 2 && SvPOK (ST (2))) {
+-      sv_setpvn (ST (0),  SvPVX (ST (2)), SvCUR (ST (2)));
++    if (xse && SvPOK (line)) {
++      sv_setpvn (ST (0),  SvPVX (line), SvCUR (line));
+       SvIOK_on  (ST (0));
+       }
+ 
+@@ -2670,8 +2676,8 @@ Parse (SV *self, SV *src, SV *fields, SV *fflags)
+     av  = (AV *)SvRV (fields);
+     avf = (AV *)SvRV (fflags);
+ 
+-    ST (0) = xsParse (self, hv, av, avf, src, 0) ? &PL_sv_yes : &PL_sv_no;
+-    XSRETURN (1);
++    int x = xsParse (self, hv, av, avf, src, 0);
++    PUT_RETURN (x ? &PL_sv_yes : &PL_sv_no);
+     /* XS Parse */
+ 
+ void
+@@ -2691,8 +2697,8 @@ print (SV *self, SV *io, SV *fields)
+       av = (AV *)SvRV (fields);
+       }
+ 
+-    ST (0) = xsCombine (self, hv, av, io, 1) ? &PL_sv_yes : &PL_sv_no;
+-    XSRETURN (1);
++    int x = xsCombine (self, hv, av, io, 1);
++    PUT_RETURN (x ? &PL_sv_yes : &PL_sv_no);
+     /* XS print */
+ 
+ void
+@@ -2706,26 +2712,20 @@ getline (SV *self, SV *io)
+     CSV_XS_SELF;
+     av  = newAV ();
+     avf = newAV ();
+-    ST (0) = xsParse (self, hv, av, avf, io, 1)
+-      ? sv_2mortal (newRV_noinc ((SV *)av))
+-      : &PL_sv_undef;
+-    XSRETURN (1);
++    int x = xsParse (self, hv, av, avf, io, 1);
++    PUT_RETURN (x ? sv_2mortal (newRV_noinc ((SV *)av)) : undef);
+     /* XS getline */
+ 
+ void
+-getline_all (SV *self, SV *io, ...)
++getline_all (SV *self, SV *io, SV *offset = undef, SV *length = undef)
+ 
+   PPCODE:
+     HV        *hv;
+-    SV  *offset, *length;
+ 
+     CSV_XS_SELF;
+ 
+-    offset = items > 2 ? ST (2) : &PL_sv_undef;
+-    length = items > 3 ? ST (3) : &PL_sv_undef;
+-
+-    ST (0) = xsParse_all (self, hv, io, offset, length);
+-    XSRETURN (1);
++    SV *x  = xsParse_all (self, hv, io, offset, length);
++    PUT_RETURN (x);
+     /* XS getline_all */
+ 
+ void
+-- 
+2.53.0
+
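Review bot: The `PUT_RETURN` macro added near the top of CSV_XS.xs does not by itself keep a callback-running call away from the `ST (0)` store, and nothing in the patch documents that. It expands to `ST (0) = x;`, so a later `PUT_RETURN (xsParse (...) ? ... : ...)` would put the call back on the right-hand side of the assignment, where the compiler may (as far as I can tell from how `ST` addresses the stack) compute the slot address before a callback reallocates the Perl stack. The four call sites in Parse, print, getline and getline_all, whose XS bodies are only partly visible in these hunks, are safe because each stores the result in a local `x` first; I would add above the macro `/* Argument must already be evaluated: callbacks may realloc the Perl stack, so never pass a call here */`. The macro is also a bare three-statement sequence with an unparenthesized argument, so `do { SPAGAIN; ST (0) = (x); XSRETURN (1); } while (0)` would keep it intact under an unbraced `if`. Separately, the diffstat kept in the patch header lists four files including `sandbox/issue-65.pl`, but only the CSV_XS.xs section is present, so the reproducer is not shipped with this backport and the header should say the patch was trimmed.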
diff -Nru libtext-csv-xs-perl-1.60/debian/patches/series 
libtext-csv-xs-perl-1.60/debian/patches/series
--- libtext-csv-xs-perl-1.60/debian/patches/series      1970-01-01 
01:00:00.000000000 +0100
+++ libtext-csv-xs-perl-1.60/debian/patches/series      2026-05-06 
17:02:23.000000000 +0200
@@ -0,0 +1 @@
+0001-Fix-possible-stack-corruption.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.5

This update has been released as part of Debian 13.5.

--- End Message ---
