--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: trixie-pu: libcoap3/4.3.4-1.1+deb13u1
- From: Thorsten Alteholz <debian@alteholz.de>
- Date: Thu, 28 Aug 2025 14:33:13 +0000 (UTC)
- Message-id: <5c1d8d8c-b7ec-c865-3171-dd3ea0eeceb0@alteholz.de>
Package: release.debian.org
Severity: normal
Tags: trixie
User: release.debian.org@packages.debian.org
Usertags: pu
The attached debdiff for libcoap3 fixes CVE-2024-0962 and CVE-2024-31031 in Trixie.
Though the CVEs are marked as ignored by the security team, they are still
bugs, that I would like to get fixed.
libcoap3 is a leaf package with no rdeps within Debian and the fix was
already done by upstream some time ago. There should be not much hassle
with this fix.
Thorsten
diff -Nru libcoap3-4.3.4/debian/changelog libcoap3-4.3.4/debian/changelog
--- libcoap3-4.3.4/debian/changelog 2024-02-29 19:39:26.000000000 +0100
+++ libcoap3-4.3.4/debian/changelog 2025-08-27 08:03:02.000000000 +0200
@@ -1,3 +1,13 @@
+libcoap3 (4.3.4-1.1+deb13u1) trixie; urgency=medium
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2024-0962 (Closes: #1061704)
+ fix stacked-based buffer overflow
+ * CVE-2024-31031 (Closes: #1070362)
+ fix unsigned integer overflow
+
+ -- Thorsten Alteholz <debian@alteholz.de> Wed, 27 Aug 2025 08:03:02 +0200
+
libcoap3 (4.3.4-1.1) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru libcoap3-4.3.4/debian/patches/CVE-2024-0962.patch libcoap3-4.3.4/debian/patches/CVE-2024-0962.patch
--- libcoap3-4.3.4/debian/patches/CVE-2024-0962.patch 1970-01-01 01:00:00.000000000 +0100
+++ libcoap3-4.3.4/debian/patches/CVE-2024-0962.patch 2025-08-27 08:03:02.000000000 +0200
@@ -0,0 +1,33 @@
+commit 2b28d8b0e9607e71a145345b4fe49517e052b7d9
+Author: Jon Shallow <supjps-libcoap@jpshallow.com>
+Date: Thu Jan 25 18:03:17 2024 +0000
+
+ coap_oscore.c: Fix parsing OSCORE configuration information
+
+Index: libcoap3-4.3.4/src/coap_oscore.c
+===================================================================
+--- libcoap3-4.3.4.orig/src/coap_oscore.c 2025-08-27 10:05:54.081520985 +0200
++++ libcoap3-4.3.4/src/coap_oscore.c 2025-08-27 10:05:54.081520985 +0200
+@@ -1672,11 +1672,12 @@
+ oscore_value_t *value) {
+ const char *begin = *start;
+ const char *end;
++ const char *kend;
+ const char *split;
+ size_t i;
+
+ retry:
+- end = memchr(begin, '\n', size);
++ kend = end = memchr(begin, '\n', size);
+ if (end == NULL)
+ return 0;
+
+@@ -1687,7 +1688,7 @@
+
+ if (begin[0] == '#' || (end - begin) == 0) {
+ /* Skip comment / blank line */
+- size -= end - begin + 1;
++ size -= kend - begin + 1;
+ begin = *start;
+ goto retry;
+ }
diff -Nru libcoap3-4.3.4/debian/patches/CVE-2024-31031.patch libcoap3-4.3.4/debian/patches/CVE-2024-31031.patch
--- libcoap3-4.3.4/debian/patches/CVE-2024-31031.patch 1970-01-01 01:00:00.000000000 +0100
+++ libcoap3-4.3.4/debian/patches/CVE-2024-31031.patch 2025-08-27 08:03:02.000000000 +0200
@@ -0,0 +1,75 @@
+commit 214665ac4b44b1b6a7e38d4d6907ee835a174928
+Author: Jon Shallow <supjps-libcoap@jpshallow.com>
+Date: Mon Mar 25 20:44:48 2024 +0000
+
+ coap_pdu.c: Fix UndefinedBehaviorSanitizer: undefined-behavior
+
+ This fixes a reported error in coap_update_token() where a size_t
+ calculation is overflowed (but all ends up with the correct value).
+
+ Instead of adding an overflowed size_t, now subtract the reversed
+ size_t calculation as appropriate.
+
+ coap_update_option() and coap_insert_option() similarly updated.
+
+Index: libcoap3-4.3.4/src/coap_pdu.c
+===================================================================
+--- libcoap3-4.3.4.orig/src/coap_pdu.c 2025-08-28 15:37:34.889583463 +0200
++++ libcoap3-4.3.4/src/coap_pdu.c 2025-08-28 15:37:34.885583460 +0200
+@@ -389,12 +389,15 @@
+ memmove(&pdu->token[(len + bias) - pdu->e_token_length],
+ pdu->token, pdu->used_size);
+ pdu->used_size += len + bias - pdu->e_token_length;
++ if (pdu->data) {
++ pdu->data += (len + bias) - pdu->e_token_length;
++ }
+ } else {
+ pdu->used_size -= pdu->e_token_length - (len + bias);
+ memmove(pdu->token, &pdu->token[pdu->e_token_length - (len + bias)], pdu->used_size);
+- }
+- if (pdu->data) {
+- pdu->data += (len + bias) - pdu->e_token_length;
++ if (pdu->data) {
++ pdu->data -= pdu->e_token_length - (len + bias);
++ }
+ }
+
+ pdu->actual_token.length = len;
+@@ -641,9 +644,15 @@
+ number - prev_number, data, len))
+ return 0;
+
+- pdu->used_size += shift - shrink;
+- if (pdu->data)
+- pdu->data += shift - shrink;
++ if (shift >= shrink) {
++ pdu->used_size += shift - shrink;
++ if (pdu->data)
++ pdu->data += shift - shrink;
++ } else {
++ pdu->used_size -= shrink - shift;
++ if (pdu->data)
++ pdu->data -= shrink - shift;
++ }
+ return shift;
+ }
+
+@@ -681,9 +690,15 @@
+ decode.delta, data, len))
+ return 0;
+
+- pdu->used_size += new_length - old_length;
+- if (pdu->data)
+- pdu->data += new_length - old_length;
++ if (new_length >= old_length) {
++ pdu->used_size += new_length - old_length;
++ if (pdu->data)
++ pdu->data += new_length - old_length;
++ } else {
++ pdu->used_size -= old_length - new_length;
++ if (pdu->data)
++ pdu->data -= old_length - new_length;
++ }
+ return 1;
+ }
+
diff -Nru libcoap3-4.3.4/debian/patches/series libcoap3-4.3.4/debian/patches/series
--- libcoap3-4.3.4/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libcoap3-4.3.4/debian/patches/series 2025-08-27 08:03:02.000000000 +0200
@@ -0,0 +1,2 @@
+CVE-2024-0962.patch
+CVE-2024-31031.patch
--- End Message ---