Version in base suite: 2.2.1-3 Base version: libcue_2.2.1-3 Target version: libcue_2.2.1-3+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libc/libcue/libcue_2.2.1-3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libc/libcue/libcue_2.2.1-3+deb11u1.dsc changelog | 6 ++++++ patches/CVE-2023-43641.patch | 11 +++++++++++ patches/series | 1 + 3 files changed, 18 insertions(+)
diff -Nru libcue-2.2.1/debian/changelog libcue-2.2.1/debian/changelog
--- libcue-2.2.1/debian/changelog 2021-02-13 04:02:01.000000000 +0000
+++ libcue-2.2.1/debian/changelog 2023-10-09 22:51:31.000000000 +0000
@@ -1,3 +1,9 @@
+libcue (2.2.1-3+deb11u1) bullseye-security; urgency=medium
+
+ * CVE-2023-43641
+
+ -- Moritz Mühlenhoff Tue, 10 Oct 2023 00:51:31 +0200
+
 libcue (2.2.1-3) unstable; urgency=medium
 
 * QA upload.
diff -Nru libcue-2.2.1/debian/patches/CVE-2023-43641.patch libcue-2.2.1/debian/patches/CVE-2023-43641.patch
--- libcue-2.2.1/debian/patches/CVE-2023-43641.patch 1970-01-01 00:00:00.000000000 +0000
+++ libcue-2.2.1/debian/patches/CVE-2023-43641.patch 2023-10-09 22:51:31.000000000 +0000
@@ -0,0 +1,11 @@
+--- libcue-2.2.1.orig/cd.c
++++ libcue-2.2.1/cd.c
+@@ -339,7 +339,7 @@ track_get_rem(const Track* track)
+
+ void track_set_index(Track *track, int i, long ind)
+ {
+- if (i > MAXINDEX) {
++ if (i < 0 || i > MAXINDEX) {
+ fprintf(stderr, "too many indexes\n");
+ return;
+ }
diff -Nru libcue-2.2.1/debian/patches/series libcue-2.2.1/debian/patches/series
--- libcue-2.2.1/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ libcue-2.2.1/debian/patches/series 2023-10-09 22:51:31.000000000 +0000
@@ -0,0 +1 @@
+CVE-2023-43641.patch
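Review bot: In the cd.c hunk carried by debian/patches/CVE-2023-43641.patch, a negative `i` now takes the same branch as an oversized one and is logged as "too many indexes", which will mislead anyone triaging a malformed cue sheet from stderr output; a message such as `fprintf(stderr, "index %d out of range\n", i);` would cover both cases. The guard still admits `i == MAXINDEX`, which is only in bounds if the index array has MAXINDEX + 1 slots; that declaration is outside the hunk and should be confirmed. The patch file also starts directly at `--- libcue-2.2.1.orig/cd.c` with no header, so I would add a short DEP-3 style header (description, origin, CVE reference) to let the change be matched against the upstream fix. The body of track_set_index continues outside the hunk.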