Version in base suite: 4.9-1 Base version: sed_4.9-1 Target version: sed_4.9-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/sed/sed_4.9-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/sed/sed_4.9-1+deb12u1.dsc changelog | 8 + patches/sed-i-follow-symlinks-fix-TOCTOU-race-CVE-2026-5958.patch | 43 ++++++++++ patches/series | 1 3 files changed, 52 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp5n91k390/sed_4.9-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp5n91k390/sed_4.9-1+deb12u1.dsc: no acceptable signature found diff -Nru sed-4.9/debian/changelog sed-4.9/debian/changelog --- sed-4.9/debian/changelog 2023-01-05 19:55:25.000000000 +0000 +++ sed-4.9/debian/changelog 2026-04-21 07:50:58.000000000 +0000 @@ -1,3 +1,11 @@ +sed (4.9-1+deb12u1) bookworm; urgency=medium + + * Non-maintainer upload. + * sed: -i --follow-symlinks: fix TOCTOU race (CVE-2026-5958) + (Closes: #1134495) + + -- Salvatore Bonaccorso Tue, 21 Apr 2026 09:50:58 +0200 + sed (4.9-1) unstable; urgency=medium * New upstream version. diff -Nru sed-4.9/debian/patches/sed-i-follow-symlinks-fix-TOCTOU-race-CVE-2026-5958.patch sed-4.9/debian/patches/sed-i-follow-symlinks-fix-TOCTOU-race-CVE-2026-5958.patch --- sed-4.9/debian/patches/sed-i-follow-symlinks-fix-TOCTOU-race-CVE-2026-5958.patch 1970-01-01 00:00:00.000000000 +0000 +++ sed-4.9/debian/patches/sed-i-follow-symlinks-fix-TOCTOU-race-CVE-2026-5958.patch 2026-04-21 07:50:49.000000000 +0000 
@@ -0,0 +1,43 @@ +From: Jim Meyering +Date: Fri, 3 Apr 2026 14:59:52 -0700 +Subject: sed: -i --follow-symlinks: fix TOCTOU race (CVE-2026-5958) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Origin: https://gitweb.git.savannah.gnu.org/gitweb/?p=sed.git;a=commitdiff;h=6b9b43c55ccd3beadbc0094b983c82bdb389f33b +Bug-Debian: https://bugs.debian.org/1134495 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-5958 + +When using -i with --follow-symlinks, sed resolved the symlink via +readlink() and then opened the original symlink path in a separate +syscall. An attacker who swapped the symlink between those two +operations could cause sed to read from an attacker-controlled file +while writing the result to the originally resolved target, enabling +arbitrary file overwrite. Fix by opening the already-resolved path +rather than re-traversing the symlink. +Reported by MichaƂ Majchrowicz and Marcin Wyczechowski (AFINE Team). +* sed/execute.c (open_next_file): Use input->in_file_name (the +resolved path) rather than "name" (the original symlink) in the +ck_fopen call. +* NEWS: Mention this. +--- + NEWS | 5 +++++ + sed/execute.c | 2 +- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/sed/execute.c b/sed/execute.c +index eee3ff9b63b1..3a98df67a06e 100644 +--- a/sed/execute.c ++++ b/sed/execute.c +@@ -562,7 +562,7 @@ open_next_file (const char *name, struct input *input) + if (follow_symlinks) + input->in_file_name = follow_symlink (name); + +- if ( ! (input->fp = ck_fopen (name, read_mode, false)) ) ++ if ( ! 
(input->fp = ck_fopen (input->in_file_name, read_mode, false)) ) + { + const char *ptr = strerror (errno); + fprintf (stderr, _("%s: can't read %s: %s\n"), program_name, +-- +2.53.0 + diff -Nru sed-4.9/debian/patches/series sed-4.9/debian/patches/series --- sed-4.9/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 +++ sed-4.9/debian/patches/series 2026-04-21 07:50:49.000000000 +0000 @@ -0,0 +1 @@ +sed-i-follow-symlinks-fix-TOCTOU-race-CVE-2026-5958.patch
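Review bot: In the sed/execute.c hunk, ck_fopen now receives input->in_file_name, but the only visible assignment to that field is guarded by `if (follow_symlinks)`; the hunk context does not show what in_file_name holds when --follow-symlinks is not given, so please confirm the surrounding code sets it to `name` in that case (otherwise the non-symlink path would pass a NULL or stale pointer to ck_fopen). The fix itself is the right shape for the TOCTOU described in the commit message: readlink() and the open now target the same resolved path instead of re-traversing the symlink. It would also be worth checking that the error message two lines below (`_("%s: can't read %s: %s\n")`) still reports the name the user passed, since the opened path and the reported path may now differ.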
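Review bot: The diffstat embedded in the patch description lists `NEWS | 5 +++++` and "2 files changed", but the backported patch only carries the sed/execute.c hunk; either drop the NEWS line from the stat block or include the NEWS hunk so the description matches what quilt applies. Separately, the reporter credit line reads "MichaƂ Majchrowicz", which looks like a mis-decoded "ł" despite the header declaring `charset=UTF-8`; please re-save the patch file as UTF-8 so the attribution is correct. The DEP-3 header (Origin, Bug-Debian, Bug-Debian-Security) is otherwise complete and consistent with the changelog's `Closes: #1134495`.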