Version in base suite: 2022.12+dfsg-4+deb12u1 Base version: swupdate_2022.12+dfsg-4+deb12u1 Target version: swupdate_2022.12+dfsg-4+deb12u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/swupdate/swupdate_2022.12+dfsg-4+deb12u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/swupdate/swupdate_2022.12+dfsg-4+deb12u2.dsc changelog | 6 +++++ patches/CVE-2026-28525.diff | 48 ++++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 55 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp2burnmbx/swupdate_2022.12+dfsg-4+deb12u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp2burnmbx/swupdate_2022.12+dfsg-4+deb12u2.dsc: no acceptable signature found diff -Nru swupdate-2022.12+dfsg/debian/changelog swupdate-2022.12+dfsg/debian/changelog --- swupdate-2022.12+dfsg/debian/changelog 2023-11-27 10:10:38.000000000 +0000 +++ swupdate-2022.12+dfsg/debian/changelog 2026-05-03 19:16:29.000000000 +0000 @@ -1,3 +1,9 @@ +swupdate (2022.12+dfsg-4+deb12u2) bookworm; urgency=medium + + * Apply ustream CVE-2026-28525 patch + + -- Bastian Germann Sun, 03 May 2026 19:16:29 +0000 + swupdate (2022.12+dfsg-4+deb12u1) bookworm; urgency=medium * Add swupdate system user diff -Nru swupdate-2022.12+dfsg/debian/patches/CVE-2026-28525.diff swupdate-2022.12+dfsg/debian/patches/CVE-2026-28525.diff --- swupdate-2022.12+dfsg/debian/patches/CVE-2026-28525.diff 1970-01-01 00:00:00.000000000 +0000 +++ swupdate-2022.12+dfsg/debian/patches/CVE-2026-28525.diff 2026-05-03 19:16:29.000000000 +0000 @@ -0,0 +1,48 @@ +Origin: upstream, beee2dc0feef1cfe84f1aa6fc980e104b2e47a74 +From: Stefano Babic +Date: Thu, 19 Mar 2026 10:50:13 +0100 +Subject: mongoose: Integer Underflow in Multipart Upload Parser + +The function mg_http_multipart_continue_wait_for_chunk() has +a discrepancy between its guard condition and a subsequent +subtraction in the else branch. The guard at line 250 checks +`(int) io->len < mp_stream->boundary.len + 6`, allowing execution +to continue when io->len >= boundary.len + 6. +However, when mg_strstr() finds the boundary string in the +buffer (else branch at line 264), data_len is computed as +`io->len - (mp_stream->boundary.len + 8)`. The +6 vs +8 +mismatch means that when io->len is in the range [boundary.len + 6, +boundary.len + 7], the subtraction underflows the size_t +variable to SIZE_MAX or SIZE_MAX - 1. + +This will fix CVE-2026-28525. + +Description of issue copied from vulnerability report - many thanks to +Kazuma for his analyses. + +Signed-off-by: Stefano Babic +Reported by: Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc." +--- + mongoose/mongoose_multipart.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/mongoose/mongoose_multipart.c b/mongoose/mongoose_multipart.c +index 12ea5434..7fdc1863 100644 +--- a/mongoose/mongoose_multipart.c ++++ b/mongoose/mongoose_multipart.c +@@ -261,12 +261,12 @@ static int mg_http_multipart_continue_wait_for_chunk(struct mg_connection *c) { + } + return 0; + } else { +- size_t data_len = io->len - (mp_stream->boundary.len + 8); ++ size_t data_len = io->len - (mp_stream->boundary.len + 6); + size_t consumed = mg_http_multipart_call_handler(c, MG_EV_HTTP_PART_DATA, +- (char *) io->buf, data_len); ++ (char *) io->buf, data_len); + mg_iobuf_del(io, 0, consumed); + if (consumed == data_len) { +- mg_iobuf_del(io, 0, mp_stream->boundary.len + 8); ++ mg_iobuf_del(io, 0, mp_stream->boundary.len + 6); + mp_stream->state = MPS_FINALIZE; + return 1; + } else { diff -Nru swupdate-2022.12+dfsg/debian/patches/series swupdate-2022.12+dfsg/debian/patches/series --- swupdate-2022.12+dfsg/debian/patches/series 2023-04-04 12:41:04.000000000 +0000 +++ swupdate-2022.12+dfsg/debian/patches/series 2026-05-03 19:16:29.000000000 +0000 @@ -1,3 +1,4 @@ +CVE-2026-28525.diff Link-config-to-swupdate-www-path.diff Replace-Font-Awesome-5-with-Fork-Awesome.diff use-gcc-compiler.diff