Version in base suite: 2.2.2-1.1 Base version: gsasl_2.2.2-1.1 Target version: gsasl_2.2.2-1.1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/gsasl/gsasl_2.2.2-1.1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/g/gsasl/gsasl_2.2.2-1.1+deb13u1.dsc changelog | 6 ++ patches/0001-Fix-NULL-pointer-dereference-in-DIGEST-MD5-parser.patch | 28 ++++++++++ patches/series | 1 3 files changed, 35 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpyxm6gbp_/gsasl_2.2.2-1.1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpyxm6gbp_/gsasl_2.2.2-1.1+deb13u1.dsc: no acceptable signature found
diff -Nru gsasl-2.2.2/debian/changelog gsasl-2.2.2/debian/changelog
--- gsasl-2.2.2/debian/changelog 2025-05-02 16:14:12.000000000 +0000
+++ gsasl-2.2.2/debian/changelog 2026-05-13 11:13:50.000000000 +0000
@@ -1,3 +1,9 @@
+gsasl (2.2.2-1.1+deb13u1) trixie-security; urgency=medium
+
+ * Fix NULL pointer dereference in DIGEST-MD5 parser
+
+ -- Simon Josefsson Wed, 13 May 2026 13:13:50 +0200
+
 gsasl (2.2.2-1.1) unstable; urgency=medium
 
 * Non-maintainer upload.
diff -Nru gsasl-2.2.2/debian/patches/0001-Fix-NULL-pointer-dereference-in-DIGEST-MD5-parser.patch gsasl-2.2.2/debian/patches/0001-Fix-NULL-pointer-dereference-in-DIGEST-MD5-parser.patch
--- gsasl-2.2.2/debian/patches/0001-Fix-NULL-pointer-dereference-in-DIGEST-MD5-parser.patch 1970-01-01 00:00:00.000000000 +0000
+++ gsasl-2.2.2/debian/patches/0001-Fix-NULL-pointer-dereference-in-DIGEST-MD5-parser.patch 2026-05-13 11:00:26.000000000 +0000
@@ -0,0 +1,28 @@
+From da9b5ae2962b014879e4a406c3b38f25aa70e97a Mon Sep 17 00:00:00 2001
+From: zhangph
+Date: Wed, 13 May 2026 09:20:31 +0200
+Subject: [PATCH] Fix NULL pointer dereference in DIGEST-MD5 parser
+
+https://lists.gnu.org/archive/html/help-gsasl/2026-05/msg00000.html
+
+Signed-off-by: Simon Josefsson
+---
+ lib/digest-md5/getsubopt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/digest-md5/getsubopt.c b/lib/digest-md5/getsubopt.c
+index 7d1531be..2c7f5090 100644
+--- a/lib/digest-md5/getsubopt.c
++++ b/lib/digest-md5/getsubopt.c
+@@ -71,7 +71,7 @@ digest_md5_getsubopt (char **optionp,
+ && tokens[cnt][vstart - *optionp] == '\0')
+ {
+ /* We found the current option in TOKENS. */
+- *valuep = vstart != endp ? vstart + 1 : NULL;
++ *valuep = vstart != endp ? vstart + 1 : (char *) "";
+
+ while (*valuep && (**valuep == ' ' ||
+ **valuep == '\t' ||
+--
+2.54.0
+
diff -Nru gsasl-2.2.2/debian/patches/series gsasl-2.2.2/debian/patches/series
--- gsasl-2.2.2/debian/patches/series 2025-05-02 16:13:53.000000000 +0000
+++ gsasl-2.2.2/debian/patches/series 2026-05-13 11:13:38.000000000 +0000
@@ -1 +1,2 @@
 0001-tests-update-dovecot-config-for-2.4.x.patch
+0001-Fix-NULL-pointer-dereference-in-DIGEST-MD5-parser.patch
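Review bot: In the embedded getsubopt.c hunk, the new fallback `(char *) ""` casts away the constness of a string literal and returns it through the writable `char **valuep`, so a caller that modifies the value in place (trimming or unquoting, for example) would now write to read-only storage; the hunk does not show whether any caller does. The `while` loop right below already tests `*valuep` before dereferencing it, so the NULL dereference being fixed is presumably in code that consumes the value after this function returns. The change also makes a bare `key` token indistinguishable from `key=`, which is worth confirming is acceptable for every DIGEST-MD5 directive. I would add a comment at the assignment, `/* No "=value" part: return "" (read-only, never NULL); callers must not write through it. */`, and a regression test that feeds the parser a value-less token. The body of digest_md5_getsubopt continues outside the hunk.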