Version in base suite: 1.40.0-2

Base version: libuv1_1.40.0-2
Target version: libuv1_1.40.0-2+deb11u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/libu/libuv1/libuv1_1.40.0-2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/libu/libuv1/libuv1_1.40.0-2+deb11u1.dsc

 changelog                  |    6 ++++
 patches/fix-cve-2024-24806 |   67 +++++++++++++++++++++++++++++++++++++++++++++
 patches/series             |    1 
 3 files changed, 74 insertions(+)

diff -Nru libuv1-1.40.0/debian/changelog libuv1-1.40.0/debian/changelog
--- libuv1-1.40.0/debian/changelog	2021-07-04 07:43:38.000000000 +0000
+++ libuv1-1.40.0/debian/changelog	2024-03-06 17:40:12.000000000 +0000
@@ -1,3 +1,9 @@
+libuv1 (1.40.0-2+deb11u1) bullseye-security; urgency=medium
+
+  * add patch to fix CVE-2024-24806 (Closes: 1063484)
+
+ -- Dominique Dumont <dod@debian.org>  Wed, 06 Mar 2024 18:40:12 +0100
+
 libuv1 (1.40.0-2) unstable; urgency=medium
 
   * add patch for CVE-2021-22918 (Closes: #990561)
diff -Nru libuv1-1.40.0/debian/patches/fix-cve-2024-24806 libuv1-1.40.0/debian/patches/fix-cve-2024-24806
--- libuv1-1.40.0/debian/patches/fix-cve-2024-24806	1970-01-01 00:00:00.000000000 +0000
+++ libuv1-1.40.0/debian/patches/fix-cve-2024-24806	2024-03-06 17:40:12.000000000 +0000
@@ -0,0 +1,67 @@
+Description: Fix CVE-2024-24806
+ From upstream change log:
+    Merge pull request from GHSA-f74f-cvh7-c6q6
+     * fix: always zero-terminate idna output
+     * fix: reject zero-length idna inputs
+     * test: empty strings are not valid IDNA
+ .
+ See also https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6
+Bug: https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6
+Bug-Debian: https://bugs.debian.org/1063484
+Origin: https://github.com/libuv/libuv
+ git diff v1.48.0~5..v1.48.0~2
+--- a/src/idna.c
++++ b/src/idna.c
+@@ -273,6 +273,9 @@
+   char* ds;
+   int rc;
+ 
++  if (s == se)
++    return UV_EINVAL;
++
+   ds = d;
+ 
+   si = s;
+@@ -307,8 +310,9 @@
+       return rc;
+   }
+ 
+-  if (d < de)
+-    *d++ = '\0';
++  if (d >= de)
++    return UV_EINVAL;
+ 
++  *d++ = '\0';
+   return d - ds;  /* Number of bytes written. */
+ }
+--- a/test/test-idna.c
++++ b/test/test-idna.c
+@@ -99,6 +99,7 @@
+ TEST_IMPL(utf8_decode1_overrun) {
+   const char* p;
+   char b[1];
++  char c[1];
+ 
+   /* Single byte. */
+   p = b;
+@@ -112,6 +113,10 @@
+   ASSERT_EQ((unsigned) -1, uv__utf8_decode1(&p, b + 1));
+   ASSERT_EQ(p, b + 1);
+ 
++  b[0] = 0x7F;
++  ASSERT_EQ(UV_EINVAL, uv__idna_toascii(b, b + 0, c, c + 1));
++  ASSERT_EQ(UV_EINVAL, uv__idna_toascii(b, b + 1, c, c + 1));
++
+   return 0;
+ }
+ 
+@@ -145,8 +150,8 @@
+   /* Illegal inputs. */
+   F("\xC0\x80\xC1\x80", UV_EINVAL);  /* Overlong UTF-8 sequence. */
+   F("\xC0\x80\xC1\x80.com", UV_EINVAL);  /* Overlong UTF-8 sequence. */
++  F("", UV_EINVAL);
+   /* No conversion. */
+-  T("", "");
+   T(".", ".");
+   T(".com", ".com");
+   T("example", "example");
diff -Nru libuv1-1.40.0/debian/patches/series libuv1-1.40.0/debian/patches/series
--- libuv1-1.40.0/debian/patches/series	2021-07-04 07:43:38.000000000 +0000
+++ libuv1-1.40.0/debian/patches/series	2024-03-06 17:40:12.000000000 +0000
@@ -4,3 +4,4 @@
 path_max_zero_st_size
 skip-multicast-test
 fix-cve-2021-22918
+fix-cve-2024-24806