Your message dated Mon, 13 Jul 2026 14:41:36 +0100
with message-id <[email protected]>
and subject line Re: Bug#1141987: bullseye-pu: package dhcpcd/7.1.0-2+deb11u1
has caused the Debian Bug report #1141987,
regarding bullseye-pu: package dhcpcd5/7.1.0-2+deb11u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1141987: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141987
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:dhcpcd5

[ Reason ]
Backporting a fix for a minor CVE reported by the maintainer dashboard.

CVE-2025-70102 was fixed in the following Debian versions:

dhcpcd5 9.4.1-24~deb12u5
dhcpcd  1:10.1.0-11+deb13u3

The issue has been fixed upstream since 10.3.1 (Sid has 10.3.2).

[ Impact ]
Minor issue; NULL deref only via malformed local dhcpcd.conf; not 
network-reachable.

[ Tests ]
None. I don't have any Bullseye host to test with. However, the same one-line 
fix is
verifided to work on Bookworm (9.4.1-24~deb12u5) and Trixie 
(1:10.1.0-11+deb13u3).

[ Risks ]
Minor. Single character fix for a NULL defref.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
dhcpcd5 (7.1.0-2+deb11u1) bullseye; urgency=medium
  * [patches]
    + Cherry-pick upstream fix for CVE-2025-70102 (commit 117742d).
    = Refresh all patches.
  * [control]
    = Putting myself as Maintainer since I maintain current releases.
  * [salsa-ci.yml]
    + Implement basic CI support using the stock Debian pipeline include.
diff -Nru dhcpcd5-7.1.0/debian/changelog dhcpcd5-7.1.0/debian/changelog
--- dhcpcd5-7.1.0/debian/changelog      2019-05-05 16:55:14.000000000 +0300
+++ dhcpcd5-7.1.0/debian/changelog      2026-07-13 12:45:39.000000000 +0300
@@ -1,3 +1,15 @@
+dhcpcd5 (7.1.0-2+deb11u1) bullseye; urgency=medium
+
+  * [patches]
+    + Cherry-pick upstream fix for CVE-2025-70102 (commit 117742d).
+    = Refresh all patches.
+  * [control]
+    = Putting myself as Maintainer since I maintain current releases.
+  * [salsa-ci.yml]
+    + Implement basic CI support using the stock Debian pipeline include.
+
+ -- Martin-Éric Racine <[email protected]>  Mon, 13 Jul 2026 12:45:39 
+0300
+
 dhcpcd5 (7.1.0-2) unstable; urgency=high
 
   * Apply upstream patches to fix potential security vulnerabilities:
diff -Nru dhcpcd5-7.1.0/debian/control dhcpcd5-7.1.0/debian/control
--- dhcpcd5-7.1.0/debian/control        2019-05-03 16:14:43.000000000 +0300
+++ dhcpcd5-7.1.0/debian/control        2026-07-13 12:45:39.000000000 +0300
@@ -1,7 +1,7 @@
 Source: dhcpcd5
 Section: net
 Priority: optional
-Maintainer: Scott Leggett <[email protected]>
+Maintainer: Martin-Éric Racine <[email protected]>
 Build-Depends:
  debhelper (>= 11)
 Standards-Version: 4.3.0
diff -Nru dhcpcd5-7.1.0/debian/patches/0001-Fix-typo-in-manpage.patch 
dhcpcd5-7.1.0/debian/patches/0001-Fix-typo-in-manpage.patch
--- dhcpcd5-7.1.0/debian/patches/0001-Fix-typo-in-manpage.patch 2019-05-05 
16:55:14.000000000 +0300
+++ dhcpcd5-7.1.0/debian/patches/0001-Fix-typo-in-manpage.patch 2026-07-13 
12:45:39.000000000 +0300
@@ -6,11 +6,9 @@
  src/dhcpcd.conf.5.in | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/src/dhcpcd.conf.5.in b/src/dhcpcd.conf.5.in
-index f792b15..b950fa0 100644
 --- a/src/dhcpcd.conf.5.in
 +++ b/src/dhcpcd.conf.5.in
-@@ -83,7 +83,7 @@ is
+@@ -83,7 +83,7 @@
  .Ar token
  then
  .Ar algorithm is
diff -Nru 
dhcpcd5-7.1.0/debian/patches/0002-DHCPv6-Fix-a-potential-buffer-overflow-reading-NA-TA.patch
 
dhcpcd5-7.1.0/debian/patches/0002-DHCPv6-Fix-a-potential-buffer-overflow-reading-NA-TA.patch
--- 
dhcpcd5-7.1.0/debian/patches/0002-DHCPv6-Fix-a-potential-buffer-overflow-reading-NA-TA.patch
        2019-05-05 16:55:14.000000000 +0300
+++ 
dhcpcd5-7.1.0/debian/patches/0002-DHCPv6-Fix-a-potential-buffer-overflow-reading-NA-TA.patch
        2026-07-13 12:45:39.000000000 +0300
@@ -12,11 +12,9 @@
  src/dhcp6.c | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
-diff --git a/src/dhcp6.c b/src/dhcp6.c
-index 6fef989..26db219 100644
 --- a/src/dhcp6.c
 +++ b/src/dhcp6.c
-@@ -2016,12 +2016,12 @@ dhcp6_findna(struct interface *ifp, uint16_t ot, const 
uint8_t *iaid,
+@@ -2016,12 +2016,12 @@
                nd = o + ol;
                l -= (size_t)(nd - d);
                d = nd;
diff -Nru 
dhcpcd5-7.1.0/debian/patches/0003-DHCP-Fix-a-potential-1-byte-read-overflow-with-DHO_O.patch
 
dhcpcd5-7.1.0/debian/patches/0003-DHCP-Fix-a-potential-1-byte-read-overflow-with-DHO_O.patch
--- 
dhcpcd5-7.1.0/debian/patches/0003-DHCP-Fix-a-potential-1-byte-read-overflow-with-DHO_O.patch
        2019-05-05 16:55:14.000000000 +0300
+++ 
dhcpcd5-7.1.0/debian/patches/0003-DHCP-Fix-a-potential-1-byte-read-overflow-with-DHO_O.patch
        2026-07-13 12:45:39.000000000 +0300
@@ -12,11 +12,9 @@
  src/dhcp.c | 10 ++++++----
  1 file changed, 6 insertions(+), 4 deletions(-)
 
-diff --git a/src/dhcp.c b/src/dhcp.c
-index 1816034..502c592 100644
 --- a/src/dhcp.c
 +++ b/src/dhcp.c
-@@ -212,6 +212,12 @@ get_option(struct dhcpcd_ctx *ctx,
+@@ -212,6 +212,12 @@
                }
                l = *p++;
  
@@ -29,7 +27,7 @@
                if (o == DHO_OPTSOVERLOADED) {
                        /* Ensure we only get this option once by setting
                         * the last bit as well as the value.
-@@ -246,10 +252,6 @@ get_option(struct dhcpcd_ctx *ctx,
+@@ -246,10 +252,6 @@
                                bp += ol;
                        }
                        ol = l;
diff -Nru 
dhcpcd5-7.1.0/debian/patches/0004-auth-Use-consttime_memequal-3-to-compare-hashes.patch
 
dhcpcd5-7.1.0/debian/patches/0004-auth-Use-consttime_memequal-3-to-compare-hashes.patch
--- 
dhcpcd5-7.1.0/debian/patches/0004-auth-Use-consttime_memequal-3-to-compare-hashes.patch
     2019-05-05 16:55:14.000000000 +0300
+++ 
dhcpcd5-7.1.0/debian/patches/0004-auth-Use-consttime_memequal-3-to-compare-hashes.patch
     2026-07-13 12:45:39.000000000 +0300
@@ -24,9 +24,6 @@
  3 files changed, 51 insertions(+), 1 deletion(-)
  create mode 100644 compat/consttime_memequal.h
 
-diff --git a/compat/consttime_memequal.h b/compat/consttime_memequal.h
-new file mode 100644
-index 0000000..9830648
 --- /dev/null
 +++ b/compat/consttime_memequal.h
 @@ -0,0 +1,28 @@
@@ -58,11 +55,9 @@
 +      return (1 & ((res - 1) >> 8));
 +}
 +#endif /* CONSTTIME_MEMEQUAL_H */
-diff --git a/configure b/configure
-index d0a80ba..0dce3bd 100755
 --- a/configure
 +++ b/configure
-@@ -13,6 +13,7 @@ IPV4LL=
+@@ -13,6 +13,7 @@
  INET6=
  ARC4RANDOM=
  CLOSEFROM=
@@ -70,7 +65,7 @@
  STRLCPY=
  UDEV=
  OS=
-@@ -846,6 +847,27 @@ if [ "$STRTOI" = no ]; then
+@@ -846,6 +847,27 @@
        echo "#include                  \"compat/strtoi.h\"" >>$CONFIG_H
  fi
  
@@ -98,11 +93,9 @@
  if [ -z "$DPRINTF" ]; then
        printf "Testing for dprintf ... "
        cat <<EOF >_dprintf.c
-diff --git a/src/auth.c b/src/auth.c
-index 9e24998..ce97051 100644
 --- a/src/auth.c
 +++ b/src/auth.c
-@@ -354,7 +354,7 @@ gottoken:
+@@ -354,7 +354,7 @@
        }
  
        free(mm);
diff -Nru 
dhcpcd5-7.1.0/debian/patches/0005-DHCPv6-Fix-a-potential-read-overflow-with-D6_OPTION_.patch
 
dhcpcd5-7.1.0/debian/patches/0005-DHCPv6-Fix-a-potential-read-overflow-with-D6_OPTION_.patch
--- 
dhcpcd5-7.1.0/debian/patches/0005-DHCPv6-Fix-a-potential-read-overflow-with-D6_OPTION_.patch
        2019-05-05 16:55:14.000000000 +0300
+++ 
dhcpcd5-7.1.0/debian/patches/0005-DHCPv6-Fix-a-potential-read-overflow-with-D6_OPTION_.patch
        2026-07-13 12:45:39.000000000 +0300
@@ -21,11 +21,9 @@
  src/dhcp6.c | 42 ++++++++++++++++++++----------------------
  1 file changed, 20 insertions(+), 22 deletions(-)
 
-diff --git a/src/dhcp6.c b/src/dhcp6.c
-index 26db219..92e6c90 100644
 --- a/src/dhcp6.c
 +++ b/src/dhcp6.c
-@@ -2153,40 +2153,38 @@ dhcp6_findpd(struct interface *ifp, const uint8_t 
*iaid,
+@@ -2153,40 +2153,38 @@
                        state->expire = a->prefix_vltime;
                i++;
  
diff -Nru 
dhcpcd5-7.1.0/debian/patches/117742d755b591764036dd4218f314f748a3d2b7.patch 
dhcpcd5-7.1.0/debian/patches/117742d755b591764036dd4218f314f748a3d2b7.patch
--- dhcpcd5-7.1.0/debian/patches/117742d755b591764036dd4218f314f748a3d2b7.patch 
1970-01-01 02:00:00.000000000 +0200
+++ dhcpcd5-7.1.0/debian/patches/117742d755b591764036dd4218f314f748a3d2b7.patch 
2026-07-13 12:45:39.000000000 +0300
@@ -0,0 +1,24 @@
+From 117742d755b591764036dd4218f314f748a3d2b7 Mon Sep 17 00:00:00 2001
+From: Roy Marples <[email protected]>
+Date: Sun, 21 Dec 2025 08:31:52 +0000
+Subject: [PATCH] options: Ensure ldop is not NULL dereferenced (#568)
+
+ldop itself cannot be non NULL as it points to the location.
+but *ldop CAN be NULL.
+
+Fixes #567.
+---
+ src/if-options.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/if-options.c
++++ b/src/if-options.c
+@@ -1586,7 +1586,7 @@
+                       if (*edop) {
+                               dop = &(*edop)->embopts;
+                               dop_len = &(*edop)->embopts_len;
+-                      } else if (ldop) {
++                      } else if (*ldop) {
+                               dop = &(*ldop)->embopts;
+                               dop_len = &(*ldop)->embopts_len;
+                       } else {
diff -Nru dhcpcd5-7.1.0/debian/patches/series 
dhcpcd5-7.1.0/debian/patches/series
--- dhcpcd5-7.1.0/debian/patches/series 2019-05-05 16:55:14.000000000 +0300
+++ dhcpcd5-7.1.0/debian/patches/series 2026-07-13 12:41:06.000000000 +0300
@@ -3,3 +3,5 @@
 0003-DHCP-Fix-a-potential-1-byte-read-overflow-with-DHO_O.patch
 0004-auth-Use-consttime_memequal-3-to-compare-hashes.patch
 0005-DHCPv6-Fix-a-potential-read-overflow-with-D6_OPTION_.patch
+#7.1.0-2+deb11u1
+117742d755b591764036dd4218f314f748a3d2b7.patch
diff -Nru dhcpcd5-7.1.0/debian/salsa-ci.yml dhcpcd5-7.1.0/debian/salsa-ci.yml
--- dhcpcd5-7.1.0/debian/salsa-ci.yml   1970-01-01 02:00:00.000000000 +0200
+++ dhcpcd5-7.1.0/debian/salsa-ci.yml   2026-06-28 12:02:44.000000000 +0300
@@ -0,0 +1,3 @@
+---
+include:
+    - 
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml

--- End Message ---
--- Begin Message ---
Control: tag -1 wontfix

On Mon, Jul 13, 2026 at 01:50:44PM +0300, Martin-Éric Racine wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: [email protected]
> Usertags: pu

bullseye has not been a supported release for nearly two years.


-- 
Jonathan Wiltshire                                      [email protected]
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

--- End Message ---

Reply via email to