Version in base suite: 0.4.8-3

Base version: pyasn1_0.4.8-3
Target version: pyasn1_0.4.8-3+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/pyasn1/pyasn1_0.4.8-3.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/p/pyasn1/pyasn1_0.4.8-3+deb12u1.dsc

 changelog                    |    8 ++
 patches/CVE-2026-23490.patch |  117 +++++++++++++++++++++++++++++++++++++++++++
 patches/series               |    1 
 3 files changed, 126 insertions(+)

dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpu5fwhlxi/pyasn1_0.4.8-3.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpu5fwhlxi/pyasn1_0.4.8-3+deb12u1.dsc: no acceptable signature found
diff -Nru pyasn1-0.4.8/debian/changelog pyasn1-0.4.8/debian/changelog
--- pyasn1-0.4.8/debian/changelog	2022-12-24 16:08:16.000000000 +0000
+++ pyasn1-0.4.8/debian/changelog	2026-01-23 22:05:30.000000000 +0000
@@ -1,3 +1,11 @@
+pyasn1 (0.4.8-3+deb12u1) bookworm-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fixed continuation octet limits in OID/RELATIVE-OID decoder (CVE-2026-23490)
+    (Closes: #1125753)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 23 Jan 2026 23:05:30 +0100
+
 pyasn1 (0.4.8-3) unstable; urgency=medium
 
   * Team upload.
diff -Nru pyasn1-0.4.8/debian/patches/CVE-2026-23490.patch pyasn1-0.4.8/debian/patches/CVE-2026-23490.patch
--- pyasn1-0.4.8/debian/patches/CVE-2026-23490.patch	1970-01-01 00:00:00.000000000 +0000
+++ pyasn1-0.4.8/debian/patches/CVE-2026-23490.patch	2026-01-23 22:05:23.000000000 +0000
@@ -0,0 +1,117 @@
+From: Simon Pichugin <simon.pichugin@gmail.com>
+Date: Fri, 16 Jan 2026 08:57:23 -0800
+Subject: Merge commit from fork
+Origin: https://github.com/pyasn1/pyasn1/commit/3908f144229eed4df24bd569d16e5991ace44970
+Bug-Debian: https://bugs.debian.org/1125753
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-23490
+
+Add limit of 20 continuation octets per OID arc to prevent a potential memory
+exhaustion from excessive continuation bytes input.
+---
+ pyasn1/codec/ber/decoder.py     |  20 ++++-
+ tests/codec/ber/test_decoder.py | 130 ++++++++++++++++++++++++++++++++
+ 2 files changed, 149 insertions(+), 1 deletion(-)
+
+--- a/pyasn1/codec/ber/decoder.py
++++ b/pyasn1/codec/ber/decoder.py
+@@ -22,6 +22,10 @@ LOG = debug.registerLoggee(__name__, fla
+ 
+ noValue = base.noValue
+ 
++# Maximum number of continuation octets (high-bit set) allowed per OID arc.
++# 20 octets allows up to 140-bit integers, supporting UUID-based OIDs
++MAX_OID_ARC_CONTINUATION_OCTETS = 20
++
+ 
+ class AbstractDecoder(object):
+     protoComponent = None
+@@ -342,7 +346,14 @@ class ObjectIdentifierDecoder(AbstractSi
+                 # Construct subid from a number of octets
+                 nextSubId = subId
+                 subId = 0
++                continuationOctetCount = 0
+                 while nextSubId >= 128:
++                    continuationOctetCount += 1
++                    if continuationOctetCount > MAX_OID_ARC_CONTINUATION_OCTETS:
++                        raise error.PyAsn1Error(
++                            'OID arc exceeds maximum continuation octets limit (%d) '
++                            'at position %d' % (MAX_OID_ARC_CONTINUATION_OCTETS, index)
++                        )
+                     subId = (subId << 7) + (nextSubId & 0x7F)
+                     if index >= substrateLen:
+                         raise error.SubstrateUnderrunError(
+--- a/tests/codec/ber/test_decoder.py
++++ b/tests/codec/ber/test_decoder.py
+@@ -407,6 +407,72 @@ class ObjectIdentifierDecoderTestCase(Ba
+             ints2octs((0x06, 0x13, 0x88, 0x37, 0x83, 0xC6, 0xDF, 0xD4, 0xCC, 0xB3, 0xFF, 0xFF, 0xFE, 0xF0, 0xB8, 0xD6, 0xB8, 0xCB, 0xE2, 0xB6, 0x47))
+         ) == ((2, 999, 18446744073709551535184467440737095), null)
+ 
++    def testExcessiveContinuationOctets(self):
++        """Test that OID arcs with excessive continuation octets are rejected."""
++        # Create a payload with 25 continuation octets (exceeds 20 limit)
++        # 0x81 bytes are continuation octets, 0x01 terminates
++        malicious_payload = ints2octs([0x06, 26]) + ints2octs([0x81] * 25) + ints2octs([0x01])
++        try:
++            decoder.decode(malicious_payload)
++        except PyAsn1Error:
++            pass
++        else:
++            assert 0, 'Excessive continuation octets tolerated'
++
++    def testMaxAllowedContinuationOctets(self):
++        """Test that OID arcs at the maximum continuation octets limit work."""
++        # Create a payload with exactly 20 continuation octets (at limit)
++        # This should succeed
++        payload = ints2octs([0x06, 21]) + ints2octs([0x81] * 20) + ints2octs([0x01])
++        try:
++            decoder.decode(payload)
++        except PyAsn1Error:
++            assert 0, 'Valid OID with 20 continuation octets rejected'
++
++    def testOneOverContinuationLimit(self):
++        """Test boundary: 21 continuation octets (one over limit) is rejected."""
++        payload = ints2octs([0x06, 22]) + ints2octs([0x81] * 21) + ints2octs([0x01])
++        try:
++            decoder.decode(payload)
++        except PyAsn1Error:
++            pass
++        else:
++            assert 0, '21 continuation octets tolerated (should be rejected)'
++
++    def testExcessiveContinuationInSecondArc(self):
++        """Test that limit applies to subsequent arcs, not just the first."""
++        # First arc: valid simple byte (0x55 = 85, decodes to arc 2.5)
++        # Second arc: excessive continuation octets
++        payload = ints2octs([0x06, 27]) + ints2octs([0x55]) + ints2octs([0x81] * 25) + ints2octs([0x01])
++        try:
++            decoder.decode(payload)
++        except PyAsn1Error:
++            pass
++        else:
++            assert 0, 'Excessive continuation in second arc tolerated'
++
++    def testMultipleArcsAtLimit(self):
++        """Test multiple arcs each at the continuation limit work correctly."""
++        # Two arcs, each with 20 continuation octets (both at limit)
++        arc1 = ints2octs([0x81] * 20) + ints2octs([0x01])  # 21 bytes
++        arc2 = ints2octs([0x81] * 20) + ints2octs([0x01])  # 21 bytes
++        payload = ints2octs([0x06, 42]) + arc1 + arc2
++        try:
++            decoder.decode(payload)
++        except PyAsn1Error:
++            assert 0, 'Multiple valid arcs at limit rejected'
++
++    def testExcessiveContinuationWithMaxBytes(self):
++        """Test with 0xFF continuation bytes (maximum value, not just 0x81)."""
++        # 0xFF bytes are also continuation octets (high bit set)
++        malicious_payload = ints2octs([0x06, 26]) + ints2octs([0xFF] * 25) + ints2octs([0x01])
++        try:
++            decoder.decode(malicious_payload)
++        except PyAsn1Error:
++            pass
++        else:
++            assert 0, 'Excessive 0xFF continuation octets tolerated'
++
+ 
+ class RealDecoderTestCase(BaseTestCase):
+     def testChar(self):
diff -Nru pyasn1-0.4.8/debian/patches/series pyasn1-0.4.8/debian/patches/series
--- pyasn1-0.4.8/debian/patches/series	2022-12-24 16:05:39.000000000 +0000
+++ pyasn1-0.4.8/debian/patches/series	2026-01-19 19:11:17.000000000 +0000
@@ -1 +1,2 @@
 0002-Remove-some-theme-options-to-avoid-needless-badges-i.patch
+CVE-2026-23490.patch