Your message dated Sat, 16 May 2026 11:07:43 +0000
with message-id <[email protected]>
and subject line Released with 12.14
has caused the Debian Bug report #1135113,
regarding bookworm-pu: package sed/4.9-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1135113: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135113
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], Clint Adams <[email protected]>, 
[email protected]
Control: affects -1 + src:sed
User: [email protected]
Usertags: pu

Hi SRM

[ Reason ]
sed is affected by CVE-2026-5958, #1134495, a TOCTOU race. The fix in
unstable has matured some days now and migrated to testing, and no
regressions were reported to date TTBOMK.

The upload was tested as well on debusine at:
https://debusine.debian.net/debian/developers/work-request/621670/

[ Impact ]
Remains vulnerable to CVE-2026-5958.
(What is the impact for the user if the update isn't approved?)

[ Tests ]
autopkgtest and tests on reverse dependencies as per
https://debusine.debian.net/debian/developers/work-request/621670/ but
unfortunately no specific test for CVE-2026-5958.

[ Risks ]
Targeted fix for the issue, would consider it low risk.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Quoting the upstream commit:
> When using -i with --follow-symlinks, sed resolved the symlink via
> readlink() and then opened the original symlink path in a separate
> syscall.  An attacker who swapped the symlink between those two
> operations could cause sed to read from an attacker-controlled file
> while writing the result to the originally resolved target, enabling
> arbitrary file overwrite.  Fix by opening the already-resolved path
> rather than re-traversing the symlink.

Regards,
Salvatore
diff -Nru sed-4.9/debian/changelog sed-4.9/debian/changelog
--- sed-4.9/debian/changelog    2023-01-05 20:55:25.000000000 +0100
+++ sed-4.9/debian/changelog    2026-04-21 09:50:58.000000000 +0200
@@ -1,3 +1,11 @@
+sed (4.9-1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * sed: -i --follow-symlinks: fix TOCTOU race (CVE-2026-5958)
+    (Closes: #1134495)
+
+ -- Salvatore Bonaccorso <[email protected]>  Tue, 21 Apr 2026 09:50:58 +0200
+
 sed (4.9-1) unstable; urgency=medium
 
   * New upstream version.
diff -Nru 
sed-4.9/debian/patches/sed-i-follow-symlinks-fix-TOCTOU-race-CVE-2026-5958.patch
 
sed-4.9/debian/patches/sed-i-follow-symlinks-fix-TOCTOU-race-CVE-2026-5958.patch
--- 
sed-4.9/debian/patches/sed-i-follow-symlinks-fix-TOCTOU-race-CVE-2026-5958.patch
    1970-01-01 01:00:00.000000000 +0100
+++ 
sed-4.9/debian/patches/sed-i-follow-symlinks-fix-TOCTOU-race-CVE-2026-5958.patch
    2026-04-21 09:50:49.000000000 +0200
@@ -0,0 +1,43 @@
+From: Jim Meyering <[email protected]>
+Date: Fri, 3 Apr 2026 14:59:52 -0700
+Subject: sed: -i --follow-symlinks: fix TOCTOU race (CVE-2026-5958)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: 
https://gitweb.git.savannah.gnu.org/gitweb/?p=sed.git;a=commitdiff;h=6b9b43c55ccd3beadbc0094b983c82bdb389f33b
+Bug-Debian: https://bugs.debian.org/1134495
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-5958
+
+When using -i with --follow-symlinks, sed resolved the symlink via
+readlink() and then opened the original symlink path in a separate
+syscall.  An attacker who swapped the symlink between those two
+operations could cause sed to read from an attacker-controlled file
+while writing the result to the originally resolved target, enabling
+arbitrary file overwrite.  Fix by opening the already-resolved path
+rather than re-traversing the symlink.
+Reported by MichaƂ Majchrowicz and Marcin Wyczechowski (AFINE Team).
+* sed/execute.c (open_next_file): Use input->in_file_name (the
+resolved path) rather than "name" (the original symlink) in the
+ck_fopen call.
+* NEWS: Mention this.
+---
+ NEWS          | 5 +++++
+ sed/execute.c | 2 +-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/sed/execute.c b/sed/execute.c
+index eee3ff9b63b1..3a98df67a06e 100644
+--- a/sed/execute.c
++++ b/sed/execute.c
+@@ -562,7 +562,7 @@ open_next_file (const char *name, struct input *input)
+       if (follow_symlinks)
+         input->in_file_name = follow_symlink (name);
+ 
+-      if ( ! (input->fp = ck_fopen (name, read_mode, false)) )
++      if ( ! (input->fp = ck_fopen (input->in_file_name, read_mode, false)) )
+         {
+           const char *ptr = strerror (errno);
+           fprintf (stderr, _("%s: can't read %s: %s\n"), program_name,
+-- 
+2.53.0
+
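Review bot: the visible context assigns input->in_file_name only inside the `if (follow_symlinks)` branch, so the new `ck_fopen (input->in_file_name, read_mode, false)` depends on the non-follow_symlinks path having set in_file_name to `name` somewhere above the hunk in open_next_file; please confirm that in the unchanged lines the debdiff does not show, since otherwise plain `sed -i` (without --follow-symlinks) would pass a stale or null pointer. Separately, the patch header's diffstat lists `NEWS | 5 +++++` and `2 files changed, 6 insertions(+)`, but only the sed/execute.c hunk is carried; either trim the diffstat or state in the DEP-3 header that the NEWS hunk was intentionally dropped, so the file does not claim a change it does not contain. The `Origin:` URL is also shown wrapped onto a second line here; if that is how it sits in the file rather than mail wrapping, it needs to be a single line for DEP-3 tooling.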
diff -Nru sed-4.9/debian/patches/series sed-4.9/debian/patches/series
--- sed-4.9/debian/patches/series       1970-01-01 01:00:00.000000000 +0100
+++ sed-4.9/debian/patches/series       2026-04-21 09:50:49.000000000 +0200
@@ -0,0 +1 @@
+sed-i-follow-symlinks-fix-TOCTOU-race-CVE-2026-5958.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.14

This update has been released as part of Debian 12.14.

--- End Message ---
