Version in base suite: 4.3.4-1.1+deb13u2 Base version: libcoap3_4.3.4-1.1+deb13u2 Target version: libcoap3_4.3.4-1.1+deb13u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libc/libcoap3/libcoap3_4.3.4-1.1+deb13u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libc/libcoap3/libcoap3_4.3.4-1.1+deb13u3.dsc changelog | 9 +++ patches/CVE-2025-34468.patch | 123 +++++++++++++++++++++++++++++++++++++++++++ patches/CVE-2026-29013.patch | 80 +++++++++++++++++++++++++++ patches/series | 3 + 4 files changed, 215 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmprr9vdn0r/libcoap3_4.3.4-1.1+deb13u2.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmprr9vdn0r/libcoap3_4.3.4-1.1+deb13u3.dsc: no acceptable signature found
diff -Nru libcoap3-4.3.4/debian/changelog libcoap3-4.3.4/debian/changelog
--- libcoap3-4.3.4/debian/changelog 2025-12-29 17:23:22.000000000 +0000
+++ libcoap3-4.3.4/debian/changelog 2026-04-19 08:23:22.000000000 +0000
@@ -1,3 +1,12 @@
+libcoap3 (4.3.4-1.1+deb13u3) trixie; urgency=medium
+
+ * CVE-2026-29013 (Closes: #1134340)
+ fix out-of-bounds read
+ * CVE-2025-34468 (Closes: #1124407)
+ fix stack-based buffer overflow
+
+ -- Thorsten Alteholz Sun, 19 Apr 2026 10:23:22 +0200
+
 libcoap3 (4.3.4-1.1+deb13u2) trixie; urgency=medium
 
 * CVE-2025-59391 (Closes: #1122290)
diff -Nru libcoap3-4.3.4/debian/patches/CVE-2025-34468.patch libcoap3-4.3.4/debian/patches/CVE-2025-34468.patch
--- libcoap3-4.3.4/debian/patches/CVE-2025-34468.patch 1970-01-01 00:00:00.000000000 +0000
+++ libcoap3-4.3.4/debian/patches/CVE-2025-34468.patch 2026-04-19 08:23:22.000000000 +0000
@@ -0,0 +1,123 @@
+From cc9aba6e01973b7cc06b7b20d0986411e5f5e2ef Mon Sep 17 00:00:00 2001
+From: Jon Shallow
+Date: Fri, 12 Sep 2025 10:07:41 +0100
+Subject: [PATCH] coap_address.c: Validate length of provided host name
+
+Host names larger than 255 bytes will cause an internal buffer overflow.
+
+Hostnames provided to coap_resolve_address_info() now have their length validated.
+
+Discovered by SecMate (https://secmate.dev).
+
+Sanity check host lengths when parsing a CoAP URI when using the coap_split_uri()
+function.
+---
+ examples/coap-client.c | 11 ++++++-----
+ src/coap_address.c | 9 +++++++--
+ src/coap_uri.c | 20 +++++++++++++++++++-
+ 3 files changed, 32 insertions(+), 8 deletions(-)
+
+Index: libcoap3-4.3.4/examples/coap-client.c
+===================================================================
+--- libcoap3-4.3.4.orig/examples/coap-client.c 2026-04-19 11:56:48.793762781 +0200
++++ libcoap3-4.3.4/examples/coap-client.c 2026-04-19 11:56:48.789762746 +0200
+@@ -822,6 +822,12 @@
+ static int
+ cmdline_uri(char *arg) {
+
++ /* Sanity check the provided (Proxy)Uri */
++ if (coap_split_uri((unsigned char *)arg, strlen(arg), &uri) < 0) {
++ coap_log_err("invalid CoAP URI '%s'\n", arg);
++ return -1;
++ }
++
+ if (!proxy_scheme_option && proxy.host.length) {
+ /* create Proxy-Uri from argument */
+ size_t len = strlen(arg);
+@@ -836,11 +842,6 @@
+ (unsigned char *)arg));
+
+ } else { /* split arg into Uri-* options */
+- if (coap_split_uri((unsigned char *)arg, strlen(arg), &uri) < 0) {
+- coap_log_err("invalid CoAP URI\n");
+- return -1;
+- }
+-
+ /* Need to special case use of reliable */
+ if (uri.scheme == COAP_URI_SCHEME_COAPS && reliable) {
+ if (!coap_tls_is_supported()) {
+Index: libcoap3-4.3.4/src/coap_address.c
+===================================================================
+--- libcoap3-4.3.4.orig/src/coap_address.c 2026-04-19 11:56:48.793762781 +0200
++++ libcoap3-4.3.4/src/coap_address.c 2026-04-19 11:56:48.789762746 +0200
+@@ -469,10 +469,15 @@
+ #endif /* COAP_AF_UNIX_SUPPORT */
+
+ memset(addrstr, 0, sizeof(addrstr));
+- if (address && address->length)
++ if (address && address->length) {
++ if (address->length >= sizeof(addrstr)) {
++ coap_log_warn("Host name too long (%zu > 255)\n", address->length);
++ return NULL;
++ }
+ memcpy(addrstr, address->s, address->length);
+- else
++ } else {
+ memcpy(addrstr, "localhost", 9);
++ }
+
+ memset((char *)&hints, 0, sizeof(hints));
+ hints.ai_socktype = 0;
+Index: libcoap3-4.3.4/src/coap_uri.c
+===================================================================
+--- libcoap3-4.3.4.orig/src/coap_uri.c 2026-04-19 11:56:48.793762781 +0200
++++ libcoap3-4.3.4/src/coap_uri.c 2026-04-19 11:56:48.789762746 +0200
+@@ -59,6 +59,15 @@
+ { "coaps+ws", 443, 0, COAP_URI_SCHEME_COAPS_WS }
+ };
+
++/*
++ * Returns 0 All OK
++ * -1 Insufficient / Invalid parameters
++ * -2 No '://'
++ * -3 Ipv6 definition error or no host defined after scheme://
++ * -4 Invalid port value
++ * -5 Port defined for Unix domain
++ * -6 Hostname > 255 chars
++ */
+ static int
+ coap_split_uri_sub(const uint8_t *str_var,
+ size_t len,
+@@ -165,8 +174,10 @@
+ if (len && *p == '[') {
+ /* IPv6 address reference */
+ ++p;
++ ++q;
++ --len;
+
+- while (len && *q != ']') {
++ while (len && *q != ']' && (isxdigit(*q) || *q == ':')) {
+ ++q;
+ --len;
+ }
+@@ -197,6 +208,12 @@
+ goto error;
+ }
+
++ if ((int)(q - p) > 255) {
++ coap_log_warn("Host name length too long (%d > 255)\n", (int)(q - p));
++ res = -6;
++ goto error;
++ }
++
+ COAP_SET_STR(&uri->host, q - p, p);
+ }
+
+@@ -222,6 +239,7 @@
+
+ /* check if port number is in allowed range */
+ if (uri_port > UINT16_MAX) {
++ coap_log_warn("Port number too big (%ld > 65535)\n", uri_port);
+ res = -4;
+ goto error;
+ }
diff -Nru libcoap3-4.3.4/debian/patches/CVE-2026-29013.patch libcoap3-4.3.4/debian/patches/CVE-2026-29013.patch
--- libcoap3-4.3.4/debian/patches/CVE-2026-29013.patch 1970-01-01 00:00:00.000000000 +0000
+++ libcoap3-4.3.4/debian/patches/CVE-2026-29013.patch 2026-04-19 08:23:22.000000000 +0000
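Review bot: In CVE-2025-34468.patch, the Proxy-Uri branch of cmdline_uri() in examples/coap-client.c now fails whenever coap_split_uri() rejects the argument, which may be stricter than that branch needs. If coap_split_uri() refuses schemes that are only meaningful when forwarded through a proxy, a request that used to be sent as a Proxy-Uri option would now stop with "invalid CoAP URI"; the parser's scheme handling is not visible in this hunk, so this should be checked against coap_split_proxy_uri(). The call also fills the shared `uri` on the proxy path, which it did not do before. cmdline_uri() continues outside the hunk.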
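Review bot: In the src/coap_address.c hunk of CVE-2025-34468.patch, the bound is taken from `sizeof(addrstr)` but the log text hard-codes 255, so the message goes stale if the buffer size ever changes; the `> 255` test added before COAP_SET_STR in src/coap_uri.c repeats the same literal. I would print the real limit, `coap_log_warn("Host name too long (%zu > %zu)\n", address->length, sizeof(addrstr) - 1);`, and note next to the coap_uri.c check that it must stay in step with the resolver buffer. The enclosing function starts and ends outside the hunk, so whether the early `return NULL` skips any cleanup cannot be judged from here.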
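Review bot: In the IPv6 hunk of src/coap_uri.c (CVE-2025-34468.patch), the new loop condition `(isxdigit(*q) || *q == ':')` stops at the first character that is neither a hex digit nor a colon, so a bracketed literal containing '.' (IPv4-embedded form) or '%' (zone identifier) never reaches the closing `]`. The code that handles that case is outside the hunk, but the new return-code comment suggests it ends in -3. If rejecting those forms is intended, a comment on the loop such as `/* only hex digits and ':' are accepted inside [ ] */` would make the restriction explicit for users of coap_split_uri().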
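Review bot: In the port-range hunk of src/coap_uri.c (CVE-2025-34468.patch), `uri_port` is passed to a `%ld` conversion, but its declaration is outside the hunk. Because this is a backport onto 4.3.4, the type should be confirmed; if it is not `long` there, the call is a format/argument mismatch. A cast keeps the line correct either way: `coap_log_warn("Port number too big (%ld > 65535)\n", (long)uri_port);`.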
@@ -0,0 +1,80 @@
+From b7847c4dbb0dbee7c90b09a673d4cae256f03718 Mon Sep 17 00:00:00 2001
+From: Jon Shallow
+Date: Tue, 24 Mar 2026 14:15:09 +0000
+Subject: [PATCH] sanitizer: Fix reported issues
+
+coap_new_cache_entry() does not correctly check for no PDU data when called
+with COAP_CACHE_RECORD_PDU. No current libcoap code (examples and library)
+call coap_new_cache_entry() with COAP_CACHE_RECORD_PDU set.
+
+Internal function coap_pdu_resize() can be used to reduce a PDU size,
+creating current options confusion. Fix is not to reduce PDU if new
+size is smaller than the current used size. No current libcoap code calls
+coap_pdu_resize() to reduce the size.
+
+If there is an issue with the PDU options where the maximum used option
+value is larger than the last defined option value, an assert() is triggered.
+
+All of the coap_*_option() functions correctly manage pdu->max_opt, but
+this issue could occur if coap_pdu_resize() was called to reduce the PDU size
+below that of pdu->used_size.
+---
+ src/coap_cache.c | 3 ++-
+ src/coap_pdu.c | 11 +++++++++--
+ 2 files changed, 11 insertions(+), 3 deletions(-)
+
+Index: libcoap3-4.3.4/src/coap_cache.c
+===================================================================
+--- libcoap3-4.3.4.orig/src/coap_cache.c 2026-04-19 10:48:17.714962770 +0200
++++ libcoap3-4.3.4/src/coap_cache.c 2026-04-19 10:48:17.714962770 +0200
+@@ -173,7 +173,8 @@
+ memcpy(entry->pdu, pdu, offsetof(coap_pdu_t, token));
+ memcpy(entry->pdu->token, pdu->token, pdu->used_size);
+ /* And adjust all the pointers etc. */
+- entry->pdu->data = entry->pdu->token + (pdu->data - pdu->token);
++ if (pdu->data)
++ entry->pdu->data = entry->pdu->token + (pdu->data - pdu->token);
+ }
+ }
+ entry->cache_key = coap_cache_derive_key(session, pdu, session_based);
+Index: libcoap3-4.3.4/src/coap_pdu.c
+===================================================================
+--- libcoap3-4.3.4.orig/src/coap_pdu.c 2026-04-19 10:48:17.714962770 +0200
++++ libcoap3-4.3.4/src/coap_pdu.c 2026-04-19 10:48:17.714962770 +0200
+@@ -244,10 +244,12 @@
+ int
+ coap_pdu_resize(coap_pdu_t *pdu, size_t new_size) {
+ if (new_size > pdu->alloc_size) {
++ /* Expanding the PDU usage */
+ #if !defined(WITH_LWIP)
+ uint8_t *new_hdr;
+ size_t offset;
+ #endif
++
+ if (pdu->max_size && new_size > pdu->max_size) {
+ coap_log_warn("coap_pdu_resize: pdu too big\n");
+ return 0;
+@@ -278,8 +280,8 @@
+ else
+ pdu->actual_token.s = &pdu->token[2];
+ #endif
++ pdu->alloc_size = new_size;
+ }
+- pdu->alloc_size = new_size;
+ return 1;
+ }
+
+@@ -585,7 +587,12 @@
+ }
+ prev_number = opt_iter.number;
+ }
+- assert(option != NULL);
++ if (option == NULL) {
++ /* Code is broken somewhere */
++ coap_log_warn("coap_insert_option: Broken max_opt\n");
++ return 0;
++ }
++
+ /* size of option inc header to insert */
+ shift = coap_opt_encode_size(number - prev_number, len);
+
diff -Nru libcoap3-4.3.4/debian/patches/series libcoap3-4.3.4/debian/patches/series
--- libcoap3-4.3.4/debian/patches/series 2025-12-21 10:30:53.000000000 +0000
+++ libcoap3-4.3.4/debian/patches/series 2026-04-19 08:23:22.000000000 +0000
@@ -3,3 +3,6 @@ CVE-2025-59391.patch CVE-2025-65501+65500+65499+65498+65497+65496+65495+65494+65493.patch + +CVE-2025-34468.patch +CVE-2026-29013.patch
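Review bot: In the src/coap_cache.c hunk of CVE-2026-29013.patch, the new `if (pdu->data)` guard has no else arm, so `entry->pdu->data` keeps whatever value it already held when the source PDU carries no payload. That is only safe if the freshly created entry PDU starts with `data == NULL`. The preceding memcpy stops at `offsetof(coap_pdu_t, token)`, so this depends on the struct layout and on the PDU initialiser, neither of which is visible here. Making it explicit removes the dependency: `if (pdu->data) { ... } else { entry->pdu->data = NULL; }`, with braces on both arms.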
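Review bot: In the src/coap_pdu.c hunks of CVE-2026-29013.patch, coap_pdu_resize() now returns 1 for any `new_size` not larger than `pdu->alloc_size` without touching the PDU, and nothing in the code states that contract. The commit message describes the rule in terms of the used size, while the code keys on `alloc_size`, so a reader comparing the two will be unsure which is intended. I would add a comment above the final `return 1;`, for example `/* A request to shrink is ignored; alloc_size keeps describing the real buffer */`. In the coap_insert_option() hunk, the new `return 0;` relies on callers treating 0 as failure; the function's signature and callers are outside the hunk, so that should be confirmed.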