Version in base suite: 1.1.1-2 Base version: usbmuxd_1.1.1-2 Target version: usbmuxd_1.1.1-2+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/u/usbmuxd/usbmuxd_1.1.1-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/u/usbmuxd/usbmuxd_1.1.1-2+deb12u1.dsc changelog | 7 + gbp.conf | 2 patches/0005-conf-Make-sure-to-sanitize-input-for-SavePairRecord-.patch | 52 ++++++++++ patches/series | 1 4 files changed, 61 insertions(+), 1 deletion(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp_ypabcnk/usbmuxd_1.1.1-2.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp_ypabcnk/usbmuxd_1.1.1-2+deb12u1.dsc: no acceptable signature found
diff -Nru usbmuxd-1.1.1/debian/changelog usbmuxd-1.1.1/debian/changelog
--- usbmuxd-1.1.1/debian/changelog 2020-06-23 10:49:43.000000000 +0000
+++ usbmuxd-1.1.1/debian/changelog 2026-02-05 17:25:20.000000000 +0000
@@ -1,3 +1,10 @@
+usbmuxd (1.1.1-2+deb12u1) bookworm-security; urgency=medium
+
+ * d/patch: add fix for path traversal vulnerability (CVE-2025-66004)
+ (Closes: #1122507)
+
+ -- Yves-Alexis Perez Thu, 05 Feb 2026 18:25:20 +0100
+
 usbmuxd (1.1.1-2) unstable; urgency=medium
 
 * Upload to unstable
diff -Nru usbmuxd-1.1.1/debian/gbp.conf usbmuxd-1.1.1/debian/gbp.conf
--- usbmuxd-1.1.1/debian/gbp.conf 2020-06-23 10:49:43.000000000 +0000
+++ usbmuxd-1.1.1/debian/gbp.conf 2026-02-05 17:25:20.000000000 +0000
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/master
+debian-branch = debian/bookworm
 upstream-branch = upstream/master
 pristine-tar = True
 upstream-tag = %(version)s
diff -Nru usbmuxd-1.1.1/debian/patches/0005-conf-Make-sure-to-sanitize-input-for-SavePairRecord-.patch usbmuxd-1.1.1/debian/patches/0005-conf-Make-sure-to-sanitize-input-for-SavePairRecord-.patch
--- usbmuxd-1.1.1/debian/patches/0005-conf-Make-sure-to-sanitize-input-for-SavePairRecord-.patch 1970-01-01 00:00:00.000000000 +0000
+++ usbmuxd-1.1.1/debian/patches/0005-conf-Make-sure-to-sanitize-input-for-SavePairRecord-.patch 2026-02-05 17:25:20.000000000 +0000
@@ -0,0 +1,52 @@
+From: Nikias Bassen
+Date: Sat, 6 Dec 2025 02:13:05 +0100
+Subject: conf: Make sure to sanitize input for SavePairRecord command
+
+A path traversal vulnerability was discovered in usbmuxd that allows
+arbitrary, unprivileged local users to delete and create files named
+`*.plist` as the `usbmux` user.
+
+See https://bugzilla.opensuse.org/show_bug.cgi?id=1254302
+
+Yves-Alexis Perez: adjusted for libplist < 2.3.0
+---
+ src/conf.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/src/conf.c b/src/conf.c
+index 609d246..30708eb 100644
+--- a/src/conf.c
++++ b/src/conf.c
+@@ -34,6 +34,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #ifdef WIN32
+ #include
+@@ -405,13 +406,19 @@ int config_set_device_record(const char *udid, char* record_data, uint64_t recor
+ if (!udid || !record_data || record_size < 8)
+ return -EINVAL;
+
+- plist_t plist = NULL;
+- if (memcmp(record_data, "bplist00", 8) == 0) {
+- plist_from_bin(record_data, record_size, &plist);
+- } else {
+- plist_from_xml(record_data, record_size, &plist);
++ /* verify udid input */
++ const char* u = udid;
++ while (*u != '\0') {
++ if (!isalnum(*u) && (*u != '-')) {
++ usbmuxd_log(LL_ERROR, "ERROR: %s: udid contains invalid character.\n", __func__);
++ return -EINVAL;
++ }
++ u++;
+ }
+
++ plist_t plist = NULL;
++ plist_from_memory(record_data, record_size, &plist);
++
+ if (!plist || plist_get_node_type(plist) != PLIST_DICT) {
+ if (plist)
+ plist_free(plist);
diff -Nru usbmuxd-1.1.1/debian/patches/series usbmuxd-1.1.1/debian/patches/series
--- usbmuxd-1.1.1/debian/patches/series 2020-06-23 10:49:43.000000000 +0000
+++ usbmuxd-1.1.1/debian/patches/series 2026-02-05 17:25:20.000000000 +0000
@@ -1,2 +1,3 @@
 Fix-FTBFS-in-kfreebsd.patch
 0002-drop-PIDFile-directive-use-default-one-in-run.patch
+0005-conf-Make-sure-to-sanitize-input-for-SavePairRecord-.patch
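Review bot: In the udid check that the embedded src/conf.c patch adds to config_set_device_record, `isalnum(*u)` is called on a plain `char`, so a byte above 0x7F in the client-supplied udid becomes a negative argument wherever `char` is signed, which is undefined behaviour for the ctype.h functions. Casting first keeps the allow-list well defined: `if (!isalnum((unsigned char)*u) && (*u != '-')) {`. The loop also lets an empty udid through, because `!udid` rejects only NULL; `if (*udid == '\0') return -EINVAL;` ahead of the loop would close that gap. The function body continues past the end of the inner hunk, so how the udid is joined into the record path is not visible here.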