Package: release.debian.org
Severity: normal
Tags: trixie
User: [email protected]
Usertags: pu
The attached debdiff for libcoap3 fixes CVE-2024-0962 and CVE-2024-31031 in Trixie. Though the CVEs are marked as ignored by the security team, they are still bugs that I would like to get fixed.
libcoap3 is a leaf package with no rdeps within Debian, and the fix was already done by upstream some time ago. There should not be much hassle with this fix.
Thorsten
diff -Nru libcoap3-4.3.4/debian/changelog libcoap3-4.3.4/debian/changelog --- libcoap3-4.3.4/debian/changelog 2024-02-29 19:39:26.000000000 +0100 +++ libcoap3-4.3.4/debian/changelog 2025-08-27 08:03:02.000000000 +0200 @@ -1,3 +1,13 @@ +libcoap3 (4.3.4-1.1+deb13u1) trixie; urgency=medium + + * Non-maintainer upload by the LTS Team. + * CVE-2024-0962 (Closes: #1061704) + fix stacked-based buffer overflow + * CVE-2024-31031 (Closes: #1070362) + fix unsigned integer overflow + + -- Thorsten Alteholz <[email protected]> Wed, 27 Aug 2025 08:03:02 +0200 + libcoap3 (4.3.4-1.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru libcoap3-4.3.4/debian/patches/CVE-2024-0962.patch libcoap3-4.3.4/debian/patches/CVE-2024-0962.patch --- libcoap3-4.3.4/debian/patches/CVE-2024-0962.patch 1970-01-01 01:00:00.000000000 +0100 +++ libcoap3-4.3.4/debian/patches/CVE-2024-0962.patch 2025-08-27 08:03:02.000000000 +0200 
@@ -0,0 +1,33 @@ +commit 2b28d8b0e9607e71a145345b4fe49517e052b7d9 +Author: Jon Shallow <[email protected]> +Date: Thu Jan 25 18:03:17 2024 +0000 + + coap_oscore.c: Fix parsing OSCORE configuration information + +Index: libcoap3-4.3.4/src/coap_oscore.c +=================================================================== +--- libcoap3-4.3.4.orig/src/coap_oscore.c 2025-08-27 10:05:54.081520985 +0200 ++++ libcoap3-4.3.4/src/coap_oscore.c 2025-08-27 10:05:54.081520985 +0200 +@@ -1672,11 +1672,12 @@ + oscore_value_t *value) { + const char *begin = *start; + const char *end; ++ const char *kend; + const char *split; + size_t i; + + retry: +- end = memchr(begin, '\n', size); ++ kend = end = memchr(begin, '\n', size); + if (end == NULL) + return 0; + +@@ -1687,7 +1688,7 @@ + + if (begin[0] == '#' || (end - begin) == 0) { + /* Skip comment / blank line */ +- size -= end - begin + 1; ++ size -= kend - begin + 1; + begin = *start; + goto retry; + } diff -Nru libcoap3-4.3.4/debian/patches/CVE-2024-31031.patch libcoap3-4.3.4/debian/patches/CVE-2024-31031.patch --- libcoap3-4.3.4/debian/patches/CVE-2024-31031.patch 1970-01-01 01:00:00.000000000 +0100 +++ libcoap3-4.3.4/debian/patches/CVE-2024-31031.patch 2025-08-27 08:03:02.000000000 +0200 
@@ -0,0 +1,75 @@ +commit 214665ac4b44b1b6a7e38d4d6907ee835a174928 +Author: Jon Shallow <[email protected]> +Date: Mon Mar 25 20:44:48 2024 +0000 + + coap_pdu.c: Fix UndefinedBehaviorSanitizer: undefined-behavior + + This fixes a reported error in coap_update_token() where a size_t + calculation is overflowed (but all ends up with the correct value). + + Instead of adding an overflowed size_t, now subtract the reversed + size_t calculation as appropriate. + + coap_update_option() and coap_insert_option() similarly updated. + +Index: libcoap3-4.3.4/src/coap_pdu.c +=================================================================== +--- libcoap3-4.3.4.orig/src/coap_pdu.c 2025-08-28 15:37:34.889583463 +0200 ++++ libcoap3-4.3.4/src/coap_pdu.c 2025-08-28 15:37:34.885583460 +0200 +@@ -389,12 +389,15 @@ + memmove(&pdu->token[(len + bias) - pdu->e_token_length], + pdu->token, pdu->used_size); + pdu->used_size += len + bias - pdu->e_token_length; ++ if (pdu->data) { ++ pdu->data += (len + bias) - pdu->e_token_length; ++ } + } else { + pdu->used_size -= pdu->e_token_length - (len + bias); + memmove(pdu->token, &pdu->token[pdu->e_token_length - (len + bias)], pdu->used_size); +- } +- if (pdu->data) { +- pdu->data += (len + bias) - pdu->e_token_length; ++ if (pdu->data) { ++ pdu->data -= pdu->e_token_length - (len + bias); ++ } + } + + pdu->actual_token.length = len; +@@ -641,9 +644,15 @@ + number - prev_number, data, len)) + return 0; + +- pdu->used_size += shift - shrink; +- if (pdu->data) +- pdu->data += shift - shrink; ++ if (shift >= shrink) { ++ pdu->used_size += shift - shrink; ++ if (pdu->data) ++ pdu->data += shift - shrink; ++ } else { ++ pdu->used_size -= shrink - shift; ++ if (pdu->data) ++ pdu->data -= shrink - shift; ++ } + return shift; + } + +@@ -681,9 +690,15 @@ + decode.delta, data, len)) + return 0; + +- pdu->used_size += new_length - old_length; +- if (pdu->data) +- pdu->data += new_length - old_length; ++ if (new_length >= old_length) { ++ pdu->used_size += 
new_length - old_length; ++ if (pdu->data) ++ pdu->data += new_length - old_length; ++ } else { ++ pdu->used_size -= old_length - new_length; ++ if (pdu->data) ++ pdu->data -= old_length - new_length; ++ } + return 1; + } + diff -Nru libcoap3-4.3.4/debian/patches/series libcoap3-4.3.4/debian/patches/series --- libcoap3-4.3.4/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ libcoap3-4.3.4/debian/patches/series 2025-08-27 08:03:02.000000000 +0200 @@ -0,0 +1,2 @@ +CVE-2024-0962.patch +CVE-2024-31031.patch
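Review bot: in the debian/changelog hunk, the CVE-2024-0962 entry reads "fix stacked-based buffer overflow"; that should be "fix stack-based buffer overflow". For CVE-2024-31031, "fix unsigned integer overflow" is accurate but terse for a stable-update entry; the upstream message in the attached patch says the size_t wrap in coap_update_token(), coap_update_option() and coap_insert_option() "all ends up with the correct value", i.e. this is an undefined-behaviour fix rather than a memory-safety one, and saying so in the changelog would spare the SRM a trip into the patch.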
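Review bot: both new files under debian/patches/ carry only the upstream commit hash, Author and Date lines plus the subject, with no DEP-3 headers. Adding Origin: (upstream, with the commit hashes 2b28d8b0e9607e71a145345b4fe49517e052b7d9 and 214665ac4b44b1b6a7e38d4d6907ee835a174928 already quoted in the files), Bug-Debian: for #1061704 and #1070362, and the CVE ids would make the patches traceable from the packaging itself rather than only via the changelog.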
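Review bot: in the coap_oscore.c hunks of CVE-2024-0962.patch, the change only has an effect if `end` is moved after the memchr() in the lines between the two hunks (1676 to 1686, not shown in the context), so confirm that is where trailing-character trimming happens; with `kend` holding the untouched memchr() result, `size -= kend - begin + 1;` subtracts exactly the bytes consumed up to and including the newline, whereas the old `size -= end - begin + 1;` under-counted whenever `end` had been pulled back, leaving `size` larger than the remaining buffer for the next memchr() on the retry path. Worth checking in the full function that any other `size` arithmetic after the comment/blank-line `if` block also uses `kend`, otherwise the fix covers only the skipped-line path.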
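Review bot: in the coap_pdu.c hunk at line 389 of CVE-2024-31031.patch, the `if (pdu->data)` adjustment is moved inside each branch so that the growing case does `pdu->data += (len + bias) - pdu->e_token_length;` and the shrinking case does `pdu->data -= pdu->e_token_length - (len + bias);`, each with a non-negative size_t operand. The old single `pdu->data += (len + bias) - pdu->e_token_length;` relied on the size_t wrap-around cancelling out in pointer arithmetic, which is what the sanitizer flagged. The branch condition itself is outside the hunk context; make sure the equality case (len + bias == e_token_length) lands in the first branch, where the memmove and the `+= 0` are harmless, rather than in the else branch.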
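Review bot: the hunks at lines 644 and 690 of coap_pdu.c (coap_insert_option() and coap_update_option()) introduce the same `if (a >= b) { used_size += a - b; data += a - b; } else { used_size -= b - a; data -= b - a; }` shape that the coap_update_token() hunk uses, so the pattern is now written out three times with the `if (pdu->data)` test duplicated in each branch. A small static helper taking `pdu` and the two size_t lengths would keep the overflow-safe adjustment in one place; that is a refactoring to raise with upstream rather than to diverge on in the Debian patch, but it is the first thing a reader of this diff will notice.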
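Review bot: the debian/patches/series hunk shows the file being created from scratch (old side dated 1970-01-01), so this source package shipped no patches before. Confirm debian/source/format is "3.0 (quilt)" so that the new series is applied at build time; with a 1.0 source format the two patch files would be packaged but never applied, and the build would produce an unfixed library with the +deb13u1 version string.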

