
Bug#1122291: marked as done (python-apt: CVE-2025-6966)



Your message dated Mon, 15 Dec 2025 12:21:59 +0000
with message-id <E1vV7aR-00F51d-34@fasolo.debian.org>
and subject line Bug#1122291: fixed in python-apt 3.1.0
has caused the Debian Bug report #1122291,
regarding python-apt: CVE-2025-6966
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1122291: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122291
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: python-apt
Version: 3.0.0
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for python-apt.

CVE-2025-6966[0]:
| NULL pointer dereference in TagSection.keys() in python-apt on APT-
| based Linux systems allows a local attacker to cause a denial of
| service (process crash) via a crafted deb822 file with a malformed
| non-UTF-8 key.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-6966
    https://www.cve.org/CVERecord?id=CVE-2025-6966
[1] https://bugs.launchpad.net/ubuntu/+source/python-apt/+bug/2091865

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: python-apt
Source-Version: 3.1.0
Done: Julian Andres Klode <jak@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-apt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1122291@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julian Andres Klode <jak@debian.org> (supplier of updated python-apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 15 Dec 2025 12:37:52 +0100
Source: python-apt
Architecture: source
Version: 3.1.0
Distribution: unstable
Urgency: medium
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Julian Andres Klode <jak@debian.org>
Closes: 1122291
Changes:
 python-apt (3.1.0) unstable; urgency=medium
 .
   * test_all: Add handling for new library build dir name
   * Refresh mirror lists
   * Fix invalid nullptr dereference in TagSection.keys() [CVE-2025-6966]
     (LP: #2091865) (Closes: #1122291)
Checksums-Sha1:
 4aa1a277242cde6d22af3357e8ce999935f51330 2358 python-apt_3.1.0.dsc
 158a8a87044df452159d0f42cb00686f19dfdbcf 348532 python-apt_3.1.0.tar.xz
 5647477ac586d31143c69c86b533d30111b3b4df 9671 python-apt_3.1.0_source.buildinfo
Checksums-Sha256:
 612324fd02fe2e0774a0dee1b454f673fe5b040800374c9dc52154e9f9d9378a 2358 python-apt_3.1.0.dsc
 daf46b0ed85061ccee64c3aa3004c695b33047f9f62f0de7863966c287731d5a 348532 python-apt_3.1.0.tar.xz
 274e70dcf7f9c5b60c206869e9a69dab2fc3449f23e7277ec87686d7c08ea7cc 9671 python-apt_3.1.0_source.buildinfo
Files:
 4c03e8eca9c12e1097a60f0921540e4b 2358 python optional python-apt_3.1.0.dsc
 489a67b6df1c251cc89649ebc2d6e428 348532 python optional python-apt_3.1.0.tar.xz
 0531920d058ec7cbf985dcbb341276a5 9671 python optional python-apt_3.1.0_source.buildinfo

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
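
Added example, not part of the bug report or of python-apt: a pre-parse guard for hosts still running a python-apt older than the fixed 3.1.0. It rejects deb822 input whose field names are not the printable US-ASCII that Debian Policy 5.1 requires, which also excludes the non-UTF-8 keys named in the CVE description, before the data reaches TagSection. The function names and the sample bytes are assumptions made for this example.

```python
# Added example: deb822 field-name check to run before handing input to a parser.
import re

# Debian Policy 5.1: a field name is US-ASCII 0x21-0x7E without ':' and must
# not begin with '#' or '-'. Anything else (including non-UTF-8 bytes) fails.
FIELD_NAME = re.compile(
    rb"[\x21\x22\x24-\x2c\x2e-\x39\x3b-\x7e][\x21-\x39\x3b-\x7e]*"
)


def find_bad_keys(data: bytes):
    """Return [(line_number, raw_key)] for every field name that is not clean."""
    bad = []
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        line = line.rstrip(b"\r")
        if not line.strip():            # blank line: paragraph separator
            continue
        if line[:1] in (b" ", b"\t"):   # continuation of the previous value
            continue
        if line[:1] == b"#":            # comment line
            continue
        key, sep, _value = line.partition(b":")
        # A field line without ':' or with an out-of-range name is rejected.
        if not sep or not FIELD_NAME.fullmatch(key):
            bad.append((lineno, key))
    return bad


def parse_if_clean(data: bytes, parser):
    """Call parser(data) only when every field name passed the check.

    `parser` is whatever the caller would otherwise invoke directly
    (hypothetically, a function that builds a TagSection from `data`).
    """
    bad = find_bad_keys(data)
    if bad:
        raise ValueError(f"rejecting deb822 input, bad field names: {bad!r}")
    return parser(data)


# Constructed sample inputs (not taken from the bug report).
CLEAN = b"Package: hello\nVersion: 1.0\nDescription: demo\n extended line\n"
DIRTY = b"Package: hello\nVers\xffion: 1.0\n"

if __name__ == "__main__":
    print(find_bad_keys(CLEAN))
    print(find_bad_keys(DIRTY))
```

The check is stricter than the parser itself, so it can refuse files APT would accept; upgrading to the fixed version remains the actual remedy.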
