Bug#1122291: python-apt: CVE-2025-6966
On Mon, Dec 15, 2025 at 12:58:30PM +0100, Julian Andres Klode wrote:
> On Tue, Dec 09, 2025 at 10:56:39PM +0100, Salvatore Bonaccorso wrote:
> > Source: python-apt
> > Version: 3.0.0
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> >
> > Hi,
> >
> > The following vulnerability was published for python-apt.
> >
> > CVE-2025-6966[0]:
> > | NULL pointer dereference in TagSection.keys() in python-apt on APT-
> > | based Linux systems allows a local attacker to cause a denial of
> > | service (process crash) via a crafted deb822 file with a malformed
> > | non-UTF-8 key.
> >
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2025-6966
> > https://www.cve.org/CVERecord?id=CVE-2025-6966
> > [1] https://bugs.launchpad.net/ubuntu/+source/python-apt/+bug/2091865
> >
> > Please adjust the affected versions in the BTS as needed.
>
> I have attached an update for trixie-security, individual commits are
> in https://salsa.debian.org/jak/python-apt/-/compare/3.0.0...3.0.y?from_project_id=1584
>
> Please let me know if you want me to upload this, or if we should stuff
> it into proposed-updates.
I don't think this needs a DSA, let's use proposed-updates instead.
Cheers,
Moritz
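
A pre-parse check matching the CVE description quoted above, as an added example that is not part of this thread or of python-apt: it scans raw deb822 bytes and reports field names that are not valid UTF-8, so such a file can be rejected before it reaches an unpatched parser. The function name and the sample data are constructed for illustration.

```python
"""Flag deb822 field names that are not valid UTF-8 (added example)."""


def non_utf8_keys(data: bytes) -> list[tuple[int, bytes]]:
    """Return (line_number, raw_key) for every field name that fails UTF-8 decoding.

    Works on raw bytes so that nothing is decoded before it has been checked.
    """
    findings = []
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        if not line:
            continue  # blank line: stanza separator
        if line.startswith(b"#"):
            continue  # comment line
        if line[:1] in (b" ", b"\t"):
            continue  # continuation of the previous field's value, not a key
        # Field name is everything before the first colon; a line without a
        # colon is treated as a bare key so it is still inspected.
        key = line.split(b":", 1)[0]
        try:
            key.decode("utf-8")
        except UnicodeDecodeError:
            findings.append((lineno, key))
    return findings


# Constructed sample: the first stanza is clean (the 0xff byte sits in a
# value continuation line, not in a key); the second has 0xff inside a key.
SAMPLE = (
    b"Package: demo\n"
    b"Version: 1.0\n"
    b"Description: example\n"
    b" continuation \xff line\n"
    b"\n"
    b"Pack\xffage: other\n"
    b"Version: 2.0\n"
)

if __name__ == "__main__":
    for lineno, key in non_utf8_keys(SAMPLE):
        print(f"line {lineno}: non-UTF-8 field name {key!r}")
```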