Your message dated Sat, 16 May 2026 11:07:43 +0000
with message-id <[email protected]>
and subject line Released with 12.14
has caused the Debian Bug report #1126167,
regarding bookworm-pu: package zvbi/_0.2.41-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1126167: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126167
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: [email protected]
Usertags: pu


The attached debdiff for zvbi fixes CVE-2025-2173, CVE-2025-2174, CVE-2025-2175, CVE-2025-2176 and CVE-2025-2177. Though all CVEs are marked as no-dsa by the security team, all but one got a high CVSS score from one or the other evaluator.

   Thorsten
diff -Nru zvbi-0.2.41/debian/changelog zvbi-0.2.41/debian/changelog
--- zvbi-0.2.41/debian/changelog        2023-02-13 14:32:40.000000000 +0100
+++ zvbi-0.2.41/debian/changelog        2026-01-10 10:03:02.000000000 +0100
@@ -1,3 +1,13 @@
+zvbi (0.2.41-1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2025-2173
+    fix uninitialized pointer in src/conv.c:: vbi_strndup_iconv_ucs2()
+  * CVE-2025-2174, CVE-2025-2175, CVE-2025-2176, CVE-2025-2177
+    fix integer overflows in several functions
+
+ -- Thorsten Alteholz <[email protected]>  Sat, 10 Jan 2026 10:03:02 +0100
+
 zvbi (0.2.41-1) unstable; urgency=medium
 
   * New upstream release.
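
Review bot: The entry for CVE-2025-2174 through CVE-2025-2177 says only "fix integer overflows in several functions", while the CVE-2025-2173 entry names both the file and the function. Name the touched files here as well (the patch covers src/conv.c, src/io-sim.c and src/search.c) so the changelog can be matched against the patch, and drop the stray space in "src/conv.c:: vbi_strndup_iconv_ucs2()".
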
diff -Nru zvbi-0.2.41/debian/patches/CVE-2025-2173.patch 
zvbi-0.2.41/debian/patches/CVE-2025-2173.patch
--- zvbi-0.2.41/debian/patches/CVE-2025-2173.patch      1970-01-01 
01:00:00.000000000 +0100
+++ zvbi-0.2.41/debian/patches/CVE-2025-2173.patch      2026-01-10 
10:03:02.000000000 +0100
@@ -0,0 +1,31 @@
+commit 8def647eea27f7fd7ad33ff79c2d6d3e39948dce
+Author: Ileana Dumitrescu <[email protected]>
+Date:   Mon Mar 10 20:36:05 2025 +0200
+
+    src/conv.c: Check src_length to avoid an unitinialized heap read
+
+Index: zvbi-0.2.41/src/conv.c
+===================================================================
+--- zvbi-0.2.41.orig/src/conv.c        2026-01-10 13:44:06.799252632 +0100
++++ zvbi-0.2.41/src/conv.c     2026-01-10 13:44:06.795252605 +0100
+@@ -583,8 +583,8 @@
+  * @returns
+  * A pointer to the allocated buffer. You must free() the buffer
+  * when it is no longer needed. The function returns @c NULL when
+- * the conversion fails, when it runs out of memory or when @a src
+- * is @c NULL.
++ * the conversion fails, when it runs out of memory, src_length is
++ * set to zero, or when @a src is @c NULL.
+  *
+  * @since 0.2.23
+  */
+@@ -598,6 +598,9 @@
+       char *result;
+       unsigned long size;
+ 
++      if (0 == src_length)
++              return NULL;
++
+       buffer = strndup_iconv_from_ucs2 (&size,
+                                         dst_codeset,
+                                         src, src_length,
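
Review bot: Returning NULL for "0 == src_length" makes an empty input indistinguishable from a conversion failure or an out-of-memory condition, which the doc comment above lists under the same NULL return. Either confirm that no caller passes a zero length for legitimately empty text, or return an allocated empty string so that NULL keeps meaning "error". The new doc sentence should also write the parameter as "@a src_length", matching "@a src" in the same comment.
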
diff -Nru zvbi-0.2.41/debian/patches/CVE-2025-2177+2176+2175+2174.patch 
zvbi-0.2.41/debian/patches/CVE-2025-2177+2176+2175+2174.patch
--- zvbi-0.2.41/debian/patches/CVE-2025-2177+2176+2175+2174.patch       
1970-01-01 01:00:00.000000000 +0100
+++ zvbi-0.2.41/debian/patches/CVE-2025-2177+2176+2175+2174.patch       
2026-01-10 10:03:02.000000000 +0100
@@ -0,0 +1,110 @@
+commit ca1672134b3e2962cd392212c73f44f8f4cb489f
+Author: Ileana Dumitrescu <[email protected]>
+Date:   Mon Mar 10 20:36:32 2025 +0200
+
+    src/conv.c, src/io-sim.c, src/search.c: Avoid integer overflow leading to 
heap overflow
+
+Index: zvbi-0.2.41/src/conv.c
+===================================================================
+--- zvbi-0.2.41.orig/src/conv.c        2026-01-10 13:42:21.298548676 +0100
++++ zvbi-0.2.41/src/conv.c     2026-01-10 13:42:21.294548648 +0100
+@@ -333,7 +333,8 @@
+  * @returns
+  * A pointer to the allocated buffer. You must free() the buffer
+  * when it is no longer needed. The function returns @c NULL when
+- * it runs out of memory, or when @a src is @c NULL.
++ * it runs out of memory, src_size is too large, or when @a src
++ * is @c NULL.
+  *
+  * @since 0.2.23
+  */
+@@ -344,7 +345,11 @@
+ {
+       char *buffer;
+ 
+-      buffer = vbi_malloc (src_size + 4);
++      unsigned long check_buffer_size = (src_size + 4);
++      if (src_size > check_buffer_size)
++              return NULL;
++
++      buffer = vbi_malloc (check_buffer_size);
+       if (NULL == buffer) {
+               if (NULL != out_size)
+                       *out_size = 0;
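
Review bot: The new early return on "src_size > check_buffer_size" leaves *out_size untouched, while the allocation-failure path directly below sets "*out_size = 0" when out_size is non-NULL. Zero *out_size on the overflow path too, so that both NULL returns leave the caller in the same state. The wrap test is only valid if src_size is an unsigned type no wider than unsigned long; its declaration is outside the hunk and should be confirmed.
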
+@@ -376,7 +381,8 @@
+  * @returns
+  * A pointer to the allocated buffer. You must free() the buffer
+  * when it is no longer needed. The function returns @c NULL when
+- * it runs out of memory, or when @a src is @c NULL.
++ * it runs out of memory, src_length is too large, or when @a src
++ * is @c NULL.
+  *
+  * @since 0.2.23
+  */
+@@ -398,7 +404,11 @@
+       if (src_length < 0)
+               src_length = vbi_strlen_ucs2 (src);
+ 
+-      buffer = vbi_malloc (src_length * 3 + 1);
++      unsigned long check_buffer_size = (src_length * 3 + 1);
++      if (src_length > check_buffer_size)
++              return NULL;
++
++      buffer = vbi_malloc (check_buffer_size);
+       if (NULL == buffer)
+               return NULL;
+ 
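
Review bot: The guard "src_length > check_buffer_size" runs after "src_length * 3 + 1" has already been evaluated, and src_length is signed here (it is tested with "src_length < 0" two lines up), so an overflowing product is undefined behaviour before the comparison is reached. Even with unsigned arithmetic, a product that wraps is not guaranteed to be smaller than its operand, so this comparison can miss a wrap that the addition-only check in the previous function would catch. Test the bound before multiplying instead, for example reject src_length greater than (LONG_MAX - 1) / 3, and only then compute the size.
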
+Index: zvbi-0.2.41/src/io-sim.c
+===================================================================
+--- zvbi-0.2.41.orig/src/io-sim.c      2026-01-10 13:42:21.298548676 +0100
++++ zvbi-0.2.41/src/io-sim.c   2026-01-10 13:42:21.294548648 +0100
+@@ -1898,7 +1898,10 @@
+               }
+ 
+               if (b->size >= b->capacity) {
+-                      if (!extend_buffer (b, b->capacity + 256))
++                      unsigned int check_buffer_size = (b->capacity + 256);
++                      if (b->capacity > check_buffer_size)
++                              return FALSE;
++                      if (!extend_buffer (b, check_buffer_size))
+                               return FALSE;
+               }
+ 
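
Review bot: check_buffer_size is declared "unsigned int" here, whereas the conv.c changes in the same patch use "unsigned long"; the type of b->capacity and of extend_buffer()'s size parameter is not visible in the hunk. If capacity is wider than unsigned int, the assignment truncates and the comparison "b->capacity > check_buffer_size" stops being a wrap test. Declare the temporary with the same type as b->capacity, or compare b->capacity against that type's maximum minus 256 before adding.
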
+Index: zvbi-0.2.41/src/search.c
+===================================================================
+--- zvbi-0.2.41.orig/src/search.c      2026-01-10 13:42:21.298548676 +0100
++++ zvbi-0.2.41/src/search.c   2026-01-10 13:42:21.294548648 +0100
+@@ -2,7 +2,7 @@
+  *  libzvbi -- Teletext page cache search functions
+  *
+  *  Copyright (C) 2000, 2001, 2002 Michael H. Schimek
+- *  Copyright (C) 2000, 2001 I�aki G. Etxebarria
++ *  Copyright (C) 2000, 2001 I�aki G. Etxebarria
+  *
+  *  Originally based on AleVT 1.5.1 by Edgar Toernig
+  *
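
Review bot: The removed and added copyright lines appear to differ only in the byte encoding of a non-ASCII character in the author's name, which is unrelated to the overflow fix. Drop this hunk from the patch so the stable update carries only the security-relevant changes and the patch applies regardless of how the file's encoding is handled.
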
+@@ -470,7 +470,8 @@
+  * All this has yet to be addressed.
+  *
+  * @return
+- * A vbi_search context or @c NULL on error.
++ * A vbi_search context or @c NULL on error or pattern string length
++ * is too large.
+  */
+ vbi_search *
+ vbi_search_new(vbi_decoder *vbi,
+@@ -490,7 +491,13 @@
+               return NULL;
+ 
+       if (!regexp) {
+-              if (!(esc_pat = malloc(sizeof(ucs2_t) * pat_len * 2))) {
++              unsigned int check_size = (sizeof(ucs2_t) * pat_len * 2);
++              if (pat_len > check_size) {
++                      free(s);
++                      return NULL;
++              }
++
++              if (!(esc_pat = malloc(check_size))) {
+                       free(s);
+                       return NULL;
+               }
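
Review bot: "sizeof(ucs2_t) * pat_len * 2" is evaluated in size_t and then stored in an "unsigned int", so on platforms where size_t is wider the value can be truncated before it reaches malloc(), and the test "pat_len > check_size" runs only after the multiplication. As with the multiplication in conv.c, a wrapped or truncated product is not guaranteed to be smaller than pat_len, so the check can pass while check_size is too small for the buffer that follows. Keep the size in a size_t and reject pat_len greater than SIZE_MAX / (sizeof(ucs2_t) * 2) before multiplying; the declaration of pat_len is outside the hunk, so a negative value should be rejected as well if it is signed.
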
diff -Nru zvbi-0.2.41/debian/patches/series zvbi-0.2.41/debian/patches/series
--- zvbi-0.2.41/debian/patches/series   1970-01-01 01:00:00.000000000 +0100
+++ zvbi-0.2.41/debian/patches/series   2026-01-10 10:03:02.000000000 +0100
@@ -0,0 +1,2 @@
+CVE-2025-2177+2176+2175+2174.patch
+CVE-2025-2173.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.14

This update has been released as part of Debian 12.14.

--- End Message ---
