Version in base suite: 1.14.1-1 Base version: augeas_1.14.1-1 Target version: augeas_1.14.1-1.1~deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/a/augeas/augeas_1.14.1-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/a/augeas/augeas_1.14.1-1.1~deb13u1.dsc changelog | 15 ++ patches/0001-CVE-2025-2588-return-_REG_ENOSYS-if-no-specific-erro.patch | 75 ++++++++++ patches/series | 1 3 files changed, 91 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpjstipsfu/augeas_1.14.1-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpjstipsfu/augeas_1.14.1-1.1~deb13u1.dsc: no acceptable signature found
diff -Nru augeas-1.14.1/debian/changelog augeas-1.14.1/debian/changelog
--- augeas-1.14.1/debian/changelog 2023-07-16 12:17:30.000000000 +0000
+++ augeas-1.14.1/debian/changelog 2026-03-06 17:36:23.000000000 +0000
@@ -1,3 +1,18 @@
+augeas (1.14.1-1.1~deb13u1) trixie; urgency=medium
+
+ * Non-maintainer upload.
+ * Rebuild for trixie.
+
+ -- Adrian Bunk Fri, 06 Mar 2026 19:36:23 +0200
+
+augeas (1.14.1-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2025-2588: NULL Pointer Dereference in re_case_expand()
+ (Closes: #1101714)
+
+ -- Adrian Bunk Wed, 04 Mar 2026 19:08:37 +0200
+
 augeas (1.14.1-1) unstable; urgency=medium
 
 * New upstream version 1.14.1
diff -Nru augeas-1.14.1/debian/patches/0001-CVE-2025-2588-return-_REG_ENOSYS-if-no-specific-erro.patch augeas-1.14.1/debian/patches/0001-CVE-2025-2588-return-_REG_ENOSYS-if-no-specific-erro.patch
--- augeas-1.14.1/debian/patches/0001-CVE-2025-2588-return-_REG_ENOSYS-if-no-specific-erro.patch 1970-01-01 00:00:00.000000000 +0000
+++ augeas-1.14.1/debian/patches/0001-CVE-2025-2588-return-_REG_ENOSYS-if-no-specific-erro.patch 2026-03-04 17:07:57.000000000 +0000
@@ -0,0 +1,75 @@
+From 94186679cc9ea4637537bdefe66c6a33fff1dc3a Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Sun, 30 Mar 2025 12:27:04 +0300
+Subject: CVE-2025-2588: return _REG_ENOSYS if no specific error was set yet
+ parse_regexp failed (#854)
+
+parse_regexp() supposed to set an error on the parser state in case of a
+failure. If no specific error was set, return _REG_ENOSYS to indicate a
+generic failure.
+
+Fixes: https://github.com/hercules-team/augeas/issues/671
+Fixes: https://github.com/hercules-team/augeas/issues/778
+Fixes: https://github.com/hercules-team/augeas/issues/852
+
+Signed-off-by: Alexander Bokovoy
+---
+ src/fa.c | 2 ++
+ src/fa.h | 3 ++-
+ tests/fatest.c | 6 ++++++
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/fa.c b/src/fa.c
+index 66ac7078..4de5675b 100644
+--- a/src/fa.c
++++ b/src/fa.c
+@@ -3550,6 +3550,8 @@ static struct re *parse_regexp(struct re_parse *parse) {
+ return re;
+
+ error:
++ if (re == NULL && parse->error == REG_NOERROR)
++ parse->error = _REG_ENOSYS;
+ re_unref(re);
+ return NULL;
+ }
+diff --git a/src/fa.h b/src/fa.h
+index 1fd754ad..89c9b17e 100644
+--- a/src/fa.h
++++ b/src/fa.h
+@@ -81,7 +81,8 @@ extern int fa_minimization_algorithm;
+ *
+ * On success, FA points to the newly allocated automaton constructed for
+ * RE, and the function returns REG_NOERROR. Otherwise, FA is NULL, and the
+- * return value indicates the error.
++ * return value indicates the error. Special value _REG_ENOSYS indicates
++ * fa_compile() couldn't identify the syntax issue with regexp.
+ *
+ * The FA is case sensitive. Call FA_NOCASE to switch it to
+ * case-insensitive.
+diff --git a/tests/fatest.c b/tests/fatest.c
+index 0c9ca769..6717af8f 100644
+--- a/tests/fatest.c
++++ b/tests/fatest.c
+@@ -589,6 +589,7 @@ static void testExpandNoCase(CuTest *tc) {
+ const char *p1 = "aB";
+ const char *p2 = "[a-cUV]";
+ const char *p3 = "[^a-z]";
++ const char *wrong_regexp = "{&.{";
+ char *s;
+ size_t len;
+ int r;
+@@ -607,6 +608,11 @@ static void testExpandNoCase(CuTest *tc) {
+ CuAssertIntEquals(tc, 0, r);
+ CuAssertStrEquals(tc, "[^A-Za-z]", s);
+ free(s);
++
++ /* Test that fa_expand_nocase does return _REG_ENOSYS */
++ r = fa_expand_nocase(wrong_regexp, strlen(wrong_regexp), &s, &len);
++ CuAssertIntEquals(tc, _REG_ENOSYS, r);
++ free(s);
+ }
+
+ static void testNoCaseComplement(CuTest *tc) {
+--
+2.47.3
+
diff -Nru augeas-1.14.1/debian/patches/series augeas-1.14.1/debian/patches/series
--- augeas-1.14.1/debian/patches/series 2022-12-11 15:48:41.000000000 +0000
+++ augeas-1.14.1/debian/patches/series 2026-03-04 17:08:36.000000000 +0000
@@ -2,3 +2,4 @@
 0002-Skip-tests-that-need-root-privileges-when-fakeroot-h.patch
 0003-Make-NRPE-lens-less-strict.patch
 0004-Add-Debian-specific-paths-for-ClamAV-configuration-f.patch
+0001-CVE-2025-2588-return-_REG_ENOSYS-if-no-specific-erro.patch
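Review bot: The new guard at `error:` in parse_regexp() sets `_REG_ENOSYS` only when `re == NULL`, yet the label returns NULL regardless, so any path that reaches it with a non-NULL `re` while `parse->error` is still `REG_NOERROR` would hand callers the same NULL-without-error result this CVE fix is meant to rule out. The body of parse_regexp() starts outside the hunk, so whether such a path exists (a failed allocation of a second operand would be one candidate) cannot be confirmed from here. Dropping the pointer test makes the invariant unconditional: `if (parse->error == REG_NOERROR) parse->error = _REG_ENOSYS;`. In the tests/fatest.c hunk, the added `free(s)` after the failing fa_expand_nocase() call is safe only if that function resets `*s` on failure, because `s` was already freed on the context line just above; adding `s = NULL;` before the call would keep the test from depending on that.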