Version in base suite: 2.2.0-1 Base version: gsasl_2.2.0-1 Target version: gsasl_2.2.0-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/gsasl/gsasl_2.2.0-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/g/gsasl/gsasl_2.2.0-1+deb12u1.dsc changelog | 6 ++ patches/0001-Fix-NULL-pointer-dereference-in-DIGEST-MD5-parser.patch | 28 ++++++++++ patches/series | 1 3 files changed, 35 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp07c9xd_o/gsasl_2.2.0-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp07c9xd_o/gsasl_2.2.0-1+deb12u1.dsc: no acceptable signature found
diff -Nru gsasl-2.2.0/debian/changelog gsasl-2.2.0/debian/changelog
--- gsasl-2.2.0/debian/changelog 2022-09-03 15:30:01.000000000 +0000
+++ gsasl-2.2.0/debian/changelog 2026-05-13 12:20:34.000000000 +0000
@@ -1,3 +1,9 @@
+gsasl (2.2.0-1+deb12u1) bookworm-security; urgency=medium
+
+ * Fix NULL pointer dereference in DIGEST-MD5 parser
+
+ -- Simon Josefsson Wed, 13 May 2026 14:20:34 +0200
+
 gsasl (2.2.0-1) unstable; urgency=medium
 
 * New upstream version 2.2.0
diff -Nru gsasl-2.2.0/debian/patches/0001-Fix-NULL-pointer-dereference-in-DIGEST-MD5-parser.patch gsasl-2.2.0/debian/patches/0001-Fix-NULL-pointer-dereference-in-DIGEST-MD5-parser.patch
--- gsasl-2.2.0/debian/patches/0001-Fix-NULL-pointer-dereference-in-DIGEST-MD5-parser.patch 1970-01-01 00:00:00.000000000 +0000
+++ gsasl-2.2.0/debian/patches/0001-Fix-NULL-pointer-dereference-in-DIGEST-MD5-parser.patch 2026-05-13 12:19:55.000000000 +0000
@@ -0,0 +1,28 @@
+From da9b5ae2962b014879e4a406c3b38f25aa70e97a Mon Sep 17 00:00:00 2001
+From: zhangph
+Date: Wed, 13 May 2026 09:20:31 +0200
+Subject: [PATCH] Fix NULL pointer dereference in DIGEST-MD5 parser
+
+https://lists.gnu.org/archive/html/help-gsasl/2026-05/msg00000.html
+
+Signed-off-by: Simon Josefsson
+---
+ lib/digest-md5/getsubopt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/digest-md5/getsubopt.c b/lib/digest-md5/getsubopt.c
+index 7d1531be..2c7f5090 100644
+--- a/lib/digest-md5/getsubopt.c
++++ b/lib/digest-md5/getsubopt.c
+@@ -71,7 +71,7 @@ digest_md5_getsubopt (char **optionp,
+ && tokens[cnt][vstart - *optionp] == '\0')
+ {
+ /* We found the current option in TOKENS. */
+- *valuep = vstart != endp ? vstart + 1 : NULL;
++ *valuep = vstart != endp ? vstart + 1 : (char *) "";
+
+ while (*valuep && (**valuep == ' ' ||
+ **valuep == '\t' ||
+--
+2.54.0
+
diff -Nru gsasl-2.2.0/debian/patches/series gsasl-2.2.0/debian/patches/series
--- gsasl-2.2.0/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ gsasl-2.2.0/debian/patches/series 2026-05-13 12:20:02.000000000 +0000
@@ -0,0 +1 @@
+0001-Fix-NULL-pointer-dereference-in-DIGEST-MD5-parser.patch
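Review bot: The replacement value `(char *) ""` in the getsubopt.c hunk hands callers a string literal behind a non-const pointer, so any code that edits the value in place through `*valuep` would write to read-only storage. The rest of digest_md5_getsubopt and its callers lie outside this hunk, so that needs confirming there. The change also makes a bare `key` indistinguishable from `key=`, and the `*valuep &&` guard in the following `while` can no longer be false, so directives that require a value now have to be rejected by an emptiness check in the parser rather than a NULL check. I would record the new contract at the assignment, e.g. `/* A token without "=value" yields "" (never NULL); do not write through *valuep. */`, and add a regression test that feeds the parser a valueless directive.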