Version in base suite: 2.3.3-1 Base version: libsignal-protocol-c_2.3.3-1 Target version: libsignal-protocol-c_2.3.3-1+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libs/libsignal-protocol-c/libsignal-protocol-c_2.3.3-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libs/libsignal-protocol-c/libsignal-protocol-c_2.3.3-1+deb11u1.dsc changelog | 7 ++++++ patches/fix-unsigned-integer-overflow.patch | 30 ++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 38 insertions(+)
diff -Nru libsignal-protocol-c-2.3.3/debian/changelog libsignal-protocol-c-2.3.3/debian/changelog
--- libsignal-protocol-c-2.3.3/debian/changelog 2020-05-02 17:09:00.000000000 +0000
+++ libsignal-protocol-c-2.3.3/debian/changelog 2023-04-26 07:15:11.000000000 +0000
@@ -1,3 +1,10 @@
+libsignal-protocol-c (2.3.3-1+deb11u1) bullseye; urgency=medium
+
+ * Add patch to fix unsigned integer overflow in protobuf code
+ CVE: https://security-tracker.debian.org/tracker/CVE-2022-48468
+
+ -- Martin Wed, 26 Apr 2023 07:15:11 +0000
+
 libsignal-protocol-c (2.3.3-1) unstable; urgency=medium
 
 * New upstream version.
diff -Nru libsignal-protocol-c-2.3.3/debian/patches/fix-unsigned-integer-overflow.patch libsignal-protocol-c-2.3.3/debian/patches/fix-unsigned-integer-overflow.patch
--- libsignal-protocol-c-2.3.3/debian/patches/fix-unsigned-integer-overflow.patch 1970-01-01 00:00:00.000000000 +0000
+++ libsignal-protocol-c-2.3.3/debian/patches/fix-unsigned-integer-overflow.patch 2023-04-22 19:16:20.000000000 +0000
@@ -0,0 +1,30 @@
+Description: Fix unsigned integer overflow
+ and fix regression caused by that fix
+ related CVE:
+ https://security-tracker.debian.org/tracker/CVE-2022-48468
+Author: 10054172 , Todd C. Miller
+Origin: other
+Bug: https://github.com/protobuf-c/protobuf-c/issues/499
+Last-Update: 2023-04-20
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/protobuf-c/protobuf-c.c
++++ b/src/protobuf-c/protobuf-c.c
+@@ -2456,10 +2456,13 @@
+ return FALSE;
+ 
+ def_mess = scanned_member->field->default_value;
+- subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
+- allocator,
+- len - pref_len,
+- data + pref_len);
++ if (len >= pref_len)
++ subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
++ allocator,
++ len - pref_len,
++ data + pref_len);
++ else
++ subm = NULL;
+ 
+ if (maybe_clear &&
+ *pmessage != NULL &&
diff -Nru libsignal-protocol-c-2.3.3/debian/patches/series libsignal-protocol-c-2.3.3/debian/patches/series
--- libsignal-protocol-c-2.3.3/debian/patches/series 2020-05-02 17:06:41.000000000 +0000
+++ libsignal-protocol-c-2.3.3/debian/patches/series 2023-04-22 19:16:20.000000000 +0000
@@ -1 +1,2 @@
 full-library-version-soname.patch
+fix-unsigned-integer-overflow.patch
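Review bot: The `else` branch that sets `subm = NULL` makes a field shorter than its own length prefix indistinguishable from a sub-message that `protobuf_c_message_unpack()` rejected, and it falls through into the `maybe_clear` block rather than returning, so the guard is only as safe as the existing NULL handling after the hunk, which is presumably where the short-length case is meant to end up. The guard `if (len >= pref_len)` also carries no explanation of the hazard it closes; I would put `/* len and pref_len are unsigned: refuse a field shorter than its length prefix so len - pref_len cannot wrap (CVE-2022-48468); len == pref_len is a valid empty sub-message */` above it, since the Description mentions a regression from an earlier form of this fix and that boundary is the obvious candidate. The enclosing function begins and ends outside the hunk, so what the caller does with a NULL `*pmessage` cannot be confirmed from here.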