Version in base suite: 1.49-1 Base version: libtext-csv-xs-perl_1.49-1 Target version: libtext-csv-xs-perl_1.49-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libt/libtext-csv-xs-perl/libtext-csv-xs-perl_1.49-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libt/libtext-csv-xs-perl/libtext-csv-xs-perl_1.49-1+deb12u1.dsc changelog | 8 patches/0001-Fix-bug-in-set_diag-surfaced-by-PERL_RC_STACK.patch | 53 ++++ patches/CVE-2026-7111/01-b69bd94.patch | 41 +++ patches/CVE-2026-7111/02-c17f31a.patch | 109 ++++++++++ patches/series | 3 salsa-ci.yml | 9 6 files changed, 223 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp623cilgo/libtext-csv-xs-perl_1.49-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp623cilgo/libtext-csv-xs-perl_1.49-1+deb12u1.dsc: no acceptable signature found diff -Nru libtext-csv-xs-perl-1.49/debian/changelog libtext-csv-xs-perl-1.49/debian/changelog --- libtext-csv-xs-perl-1.49/debian/changelog 2023-01-05 18:56:23.000000000 +0000 +++ libtext-csv-xs-perl-1.49/debian/changelog 2026-06-25 12:54:17.000000000 +0000 
@@ -1,3 +1,11 @@ +libtext-csv-xs-perl (1.49-1+deb12u1) bookworm-security; urgency=high + + * Non-maintainer upload by the LTS Team. + * Fix CVE-2026-7111: Use-after-free when registered callbacks extend the + Perl argument stack. (Closes: #1135232) + + -- Guilhem Moulin Thu, 25 Jun 2026 14:54:17 +0200 + libtext-csv-xs-perl (1.49-1) unstable; urgency=medium * Import upstream version 1.49. diff -Nru libtext-csv-xs-perl-1.49/debian/patches/0001-Fix-bug-in-set_diag-surfaced-by-PERL_RC_STACK.patch libtext-csv-xs-perl-1.49/debian/patches/0001-Fix-bug-in-set_diag-surfaced-by-PERL_RC_STACK.patch --- libtext-csv-xs-perl-1.49/debian/patches/0001-Fix-bug-in-set_diag-surfaced-by-PERL_RC_STACK.patch 1970-01-01 00:00:00.000000000 +0000 +++ libtext-csv-xs-perl-1.49/debian/patches/0001-Fix-bug-in-set_diag-surfaced-by-PERL_RC_STACK.patch 2026-06-25 12:54:17.000000000 +0000 
@@ -0,0 +1,53 @@ +From: "H.Merijn Brand - Tux" +Date: Tue, 28 Feb 2023 18:38:35 +0100 +Subject: Fix bug in set_diag surfaced by PERL_RC_STACK + +Origin: https://github.com/cpan-authors/Text-CSV_XS/commit/6c2c876535286568a67dc05128c7b969465dd476 +--- + CSV_XS.xs | 2 +- + t/12_acc.t | 8 ++++++-- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/CSV_XS.xs b/CSV_XS.xs +index 14d5e78..1ccdb88 100644 +--- a/CSV_XS.xs ++++ b/CSV_XS.xs +@@ -2294,7 +2294,7 @@ SetDiag (self, xse, ...) + ST (0) = sv_2mortal (SvDiag (xse)); + } + +- if (xse && items > 1 && SvPOK (ST (2))) { ++ if (xse && items > 2 && SvPOK (ST (2))) { + sv_setpvn (ST (0), SvPVX (ST (2)), SvCUR (ST (2))); + SvIOK_on (ST (0)); + } +diff --git a/t/12_acc.t b/t/12_acc.t +index 0b1d277..a1ecfe4 100644 +--- a/t/12_acc.t ++++ b/t/12_acc.t +@@ -189,19 +189,23 @@ foreach my $esc (undef, "", " ", "\t", "!!!!!!") { + foreach my $quo (undef, "", " ", "\t", "!!!!!!") { + defined $esc && $esc =~ m/[ \t]/ or + defined $quo && $quo =~ m/[ \t]/ or next; ++ my $wc = join " " => map { !defined ? 
"" : ++ s/^$//r =~ s/ //r =~ s/\t//r } ++ "esc:", $esc, "quo:", $quo; + eval { $csv = Text::CSV_XS->new ({ + escape => $esc, + quote => $quo, + allow_whitespace => 1, + }) }; +- like ((Text::CSV_XS::error_diag)[1], qr{^INI - allow_whitespace}, "Wrong combo - error message"); +- is ((Text::CSV_XS::error_diag)[0], 1002, "Wrong combo - numeric error"); ++ like ((Text::CSV_XS::error_diag)[1], qr{^INI - allow_whitespace}, "Wrong combo - error message: $wc"); ++ is ((Text::CSV_XS::error_diag)[0], 1002, "Wrong combo - numeric error: $wc"); + } + } + + # Test 1003 in constructor + foreach my $x ("\r", "\n", "\r\n", "x\n", "\rx") { + foreach my $attr (qw( sep_char quote_char escape_char )) { ++ #ok (1, "attr: $attr => ", $x =~ s/\n/\\n/gr =~ s/\r/\\r/gr); + eval { $csv = Text::CSV_XS->new ({ $attr => $x }) }; + is ((Text::CSV_XS::error_diag)[0], 1003, "eol in $attr"); + } diff -Nru libtext-csv-xs-perl-1.49/debian/patches/CVE-2026-7111/01-b69bd94.patch libtext-csv-xs-perl-1.49/debian/patches/CVE-2026-7111/01-b69bd94.patch --- libtext-csv-xs-perl-1.49/debian/patches/CVE-2026-7111/01-b69bd94.patch 1970-01-01 00:00:00.000000000 +0000 +++ libtext-csv-xs-perl-1.49/debian/patches/CVE-2026-7111/01-b69bd94.patch 2026-06-25 12:54:17.000000000 +0000 
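Review bot: The DEP-3 header of this patch carries only `Origin:`, so nothing records why a PERL_RC_STACK fix that looks unrelated to the CVE is part of a security upload: it is the prerequisite for `CVE-2026-7111/02-c17f31a.patch`, whose SetDiag hunk removes the `if (xse && items > 2 && SvPOK (ST (2)))` line introduced here and would not apply without it. I would add `Comment: prerequisite for CVE-2026-7111/02-c17f31a.patch, which rewrites this SetDiag check` below `Origin:`. The code change itself is right: with `items > 1`, a two-argument `SetDiag` call evaluated `SvPOK (ST (2))` on the stack slot one past its arguments. The t/12_acc.t part only relabels existing assertions and adds a commented-out `#ok` line, so no test pins the two-argument call; that is acceptable for a verbatim upstream cherry-pick but is worth stating in the same `Comment:` line.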
@@ -0,0 +1,41 @@ +From: "H.Merijn Brand - Tux" +Date: Mon, 24 Nov 2025 11:18:13 +0100 +Subject: Working on issue #65 - filter / after_parse + +Using filter in an AOH env can cause "Not an ARRAY reference" +When explicitly using an "after_parse" callback before that, +everything works fine. No fix yet. Also needs explicit tests + +Origin: https://github.com/cpan-authors/Text-CSV_XS/commit/b69bd94c2847cf3a28442af6286a345435955bcd +Bug: https://github.com/cpan-authors/Text-CSV_XS/issues/65 +Bug-Debian: https://bugs.debian.org/1135232 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-7111 +--- + t/91_csv_cb.t | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/t/91_csv_cb.t b/t/91_csv_cb.t +index c5bfd66..994501f 100644 +--- a/t/91_csv_cb.t ++++ b/t/91_csv_cb.t +@@ -4,7 +4,7 @@ use strict; + use warnings; + + #use Test::More "no_plan"; +- use Test::More tests => 58; ++ use Test::More tests => 59; + + BEGIN { + use_ok "Text::CSV_XS", ("csv"); +@@ -66,7 +66,10 @@ is_deeply (csv (in => $tfn, filter => { 2 => sub { /a/ }, + ], "AOA with filter on col 1 and 2"); + is_deeply (csv (in => $tfn, filter => { foo => sub { $_ > 1 }}), [ + { foo => 2, bar => "a b", baz => "" }, +- ], "AOH with filter on column name"); ++ ], "AOH with filter on column name last line matches"); ++is_deeply (csv (in => $tfn, filter => { foo => sub { $_ < 2 }}), [ ++ { foo => 1, bar => 2, baz => 3 }, ++ ], "AOH with filter on column name last line does not match"); + + is_deeply (csv (in => $tfn, headers => "lc"), + [ { foo => 1, bar => 2, baz => 3 }, diff -Nru libtext-csv-xs-perl-1.49/debian/patches/CVE-2026-7111/02-c17f31a.patch libtext-csv-xs-perl-1.49/debian/patches/CVE-2026-7111/02-c17f31a.patch --- libtext-csv-xs-perl-1.49/debian/patches/CVE-2026-7111/02-c17f31a.patch 1970-01-01 00:00:00.000000000 +0000 +++ libtext-csv-xs-perl-1.49/debian/patches/CVE-2026-7111/02-c17f31a.patch 2026-06-25 12:54:17.000000000 +0000 
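Review bot: This patch touches only t/91_csv_cb.t and its upstream subject says "No fix yet", so within this series it is a regression test, not part of the fix, yet the DEP-3 header does not say so. I would add `Comment: test-only (regression test for the AOH filter crash); the code fix is 02-c17f31a.patch` after `Bug-Debian-Security:`, so that someone triaging CVE-2026-7111 does not read it as a partial fix. The new `is_deeply` case depends on `$tfn` and the fixture rows set up outside this hunk, which is presumably why the expected row is `{ foo => 1, bar => 2, baz => 3 }`.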
@@ -0,0 +1,109 @@ +From: "H.Merijn Brand - Tux" +Date: Sat, 25 Apr 2026 16:18:57 +0200 +Subject: Fix possible stack corruption (thanks leont) + +SPAGAIN required if callbacks can extend the stack + +Origin: https://github.com/cpan-authors/Text-CSV_XS/commit/c17f31a5f2bf36674748eb4b6e25672f0571a224 +Bug: https://github.com/cpan-authors/Text-CSV_XS/issues/65 +Bug-Debian: https://bugs.debian.org/1135232 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-7111 +--- + CSV_XS.xs | 40 ++++++++++++++++++---------------------- + 1 file changed, 18 insertions(+), 22 deletions(-) + +diff --git a/CSV_XS.xs b/CSV_XS.xs +index 1ccdb88..91e671b 100644 +--- a/CSV_XS.xs ++++ b/CSV_XS.xs +@@ -121,6 +121,12 @@ static unsigned char ec, ebcdic2ascii[256] = { + croak ("self is not a hash ref"); \ + hv = (HV *)SvRV (self) + ++#define undef &PL_sv_undef ++#define PUT_RETURN(x) \ ++ SPAGAIN; \ ++ ST (0) = x; \ ++ XSRETURN (1) ++ + /* Keep in sync with .pm! */ + #define CACHE_ID_quote_char 0 + #define CACHE_ID_escape_char 1 +@@ -2276,9 +2282,7 @@ BOOT: + Perl_load_module (aTHX_ PERL_LOADMOD_NOIMPORT, newSVpvs ("IO::Handle"), NULL, NULL, NULL); + + void +-SetDiag (self, xse, ...) +- SV *self +- int xse ++SetDiag (SV *self, int xse, SV *line = undef) + + PPCODE: + HV *hv; +@@ -2294,8 +2298,8 @@ SetDiag (self, xse, ...) + ST (0) = sv_2mortal (SvDiag (xse)); + } + +- if (xse && items > 2 && SvPOK (ST (2))) { +- sv_setpvn (ST (0), SvPVX (ST (2)), SvCUR (ST (2))); ++ if (xse && SvPOK (line)) { ++ sv_setpvn (ST (0), SvPVX (line), SvCUR (line)); + SvIOK_on (ST (0)); + } + +@@ -2354,8 +2358,8 @@ Parse (self, src, fields, fflags) + av = (AV *)SvRV (fields); + avf = (AV *)SvRV (fflags); + +- ST (0) = xsParse (self, hv, av, avf, src, 0) ? &PL_sv_yes : &PL_sv_no; +- XSRETURN (1); ++ int x = xsParse (self, hv, av, avf, src, 0); ++ PUT_RETURN (x ? 
&PL_sv_yes : &PL_sv_no); + /* XS Parse */ + + void +@@ -2378,8 +2382,8 @@ print (self, io, fields) + av = (AV *)SvRV (fields); + } + +- ST (0) = xsCombine (self, hv, av, io, 1) ? &PL_sv_yes : &PL_sv_no; +- XSRETURN (1); ++ int x = xsCombine (self, hv, av, io, 1); ++ PUT_RETURN (x ? &PL_sv_yes : &PL_sv_no); + /* XS print */ + + void +@@ -2395,28 +2399,20 @@ getline (self, io) + CSV_XS_SELF; + av = newAV (); + avf = newAV (); +- ST (0) = xsParse (self, hv, av, avf, io, 1) +- ? sv_2mortal (newRV_noinc ((SV *)av)) +- : &PL_sv_undef; +- XSRETURN (1); ++ int x = xsParse (self, hv, av, avf, io, 1); ++ PUT_RETURN (x ? sv_2mortal (newRV_noinc ((SV *)av)) : undef); + /* XS getline */ + + void +-getline_all (self, io, ...) +- SV *self +- SV *io ++getline_all (SV *self, SV *io, SV *offset = undef, SV *length = undef) + + PPCODE: + HV *hv; +- SV *offset, *length; + + CSV_XS_SELF; + +- offset = items > 2 ? ST (2) : &PL_sv_undef; +- length = items > 3 ? ST (3) : &PL_sv_undef; +- +- ST (0) = xsParse_all (self, hv, io, offset, length); +- XSRETURN (1); ++ SV *x = xsParse_all (self, hv, io, offset, length); ++ PUT_RETURN (x); + /* XS getline_all */ + + void diff -Nru libtext-csv-xs-perl-1.49/debian/patches/series libtext-csv-xs-perl-1.49/debian/patches/series --- libtext-csv-xs-perl-1.49/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 +++ libtext-csv-xs-perl-1.49/debian/patches/series 2026-06-25 12:54:17.000000000 +0000 @@ -0,0 +1,3 @@ +0001-Fix-bug-in-set_diag-surfaced-by-PERL_RC_STACK.patch +CVE-2026-7111/01-b69bd94.patch +CVE-2026-7111/02-c17f31a.patch diff -Nru libtext-csv-xs-perl-1.49/debian/salsa-ci.yml libtext-csv-xs-perl-1.49/debian/salsa-ci.yml --- libtext-csv-xs-perl-1.49/debian/salsa-ci.yml 1970-01-01 00:00:00.000000000 +0000 +++ libtext-csv-xs-perl-1.49/debian/salsa-ci.yml 2026-06-25 12:54:17.000000000 +0000 
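Review bot: `PUT_RETURN` is safe only because all four callers first evaluate the callback-running `xsParse`/`xsCombine`/`xsParse_all` into `x` and pass a plain expression to the macro, but nothing at the definition says so; a later caller writing `PUT_RETURN (xsParse (...) ? &PL_sv_yes : &PL_sv_no)` would reintroduce the ordering hazard this commit removes, since C leaves unspecified whether the lvalue `ST (0)` is computed before or after the right-hand call that may reallocate the Perl stack. I would document it at the macro: `/* Argument must already be evaluated: callbacks run by xsParse/xsCombine may grow (realloc) the Perl stack, so SP is refreshed and ST(0) indexed only afterwards. */`, parenthesize the argument as `ST (0) = (x);`, and wrap the three statements in `STMT_START`/`STMT_END` so the macro behaves as one statement under an unbraced `if`. Separately, replacing the variadic `SetDiag (self, xse, ...)` and `getline_all (self, io, ...)` with fixed xsubpp signatures presumably makes xsubpp croak on calls with more than 3 and 4 arguments respectively, where the old forms silently ignored extras; worth confirming the .pm wrappers never pass more. `#define undef &PL_sv_undef` is a bare identifier macro, which works for the `= undef` default syntax but will also rewrite any other C token spelled `undef` later in CSV_XS.xs.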
@@ -0,0 +1,9 @@
+---
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+ RELEASE: 'bookworm'
+ SALSA_CI_DISABLE_LINTIAN: 1
+ SALSA_CI_DISABLE_REPROTEST: 1
+ SALSA_CI_DISABLE_USCAN: 1