Version in base suite: 4.39-1 Base version: libcpanel-json-xs-perl_4.39-1 Target version: libcpanel-json-xs-perl_4.39-2~deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libc/libcpanel-json-xs-perl/libcpanel-json-xs-perl_4.39-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libc/libcpanel-json-xs-perl/libcpanel-json-xs-perl_4.39-2~deb13u1.dsc changelog | 13 +++++++ patches/fix-json_atof_scan1-overflows.patch | 48 ++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 62 insertions(+)
diff -Nru libcpanel-json-xs-perl-4.39/debian/changelog libcpanel-json-xs-perl-4.39/debian/changelog
--- libcpanel-json-xs-perl-4.39/debian/changelog 2025-01-11 01:09:43.000000000 +0000
+++ libcpanel-json-xs-perl-4.39/debian/changelog 2025-09-09 03:43:41.000000000 +0000
@@ -1,3 +1,16 @@
+libcpanel-json-xs-perl (4.39-2~deb13u1) trixie-security; urgency=high
+
+ * Rebuild for trixie-security
+
+ -- Salvatore Bonaccorso Tue, 09 Sep 2025 05:43:41 +0200
+
+libcpanel-json-xs-perl (4.39-2) unstable; urgency=medium
+
+ * Team upload.
+ * Fix json_atof_scan1 overflows (CVE-2025-40929)
+
+ -- Salvatore Bonaccorso Mon, 08 Sep 2025 21:26:54 +0200
+
 libcpanel-json-xs-perl (4.39-1) unstable; urgency=medium
 
  * Team upload.
diff -Nru libcpanel-json-xs-perl-4.39/debian/patches/fix-json_atof_scan1-overflows.patch libcpanel-json-xs-perl-4.39/debian/patches/fix-json_atof_scan1-overflows.patch
--- libcpanel-json-xs-perl-4.39/debian/patches/fix-json_atof_scan1-overflows.patch 1970-01-01 00:00:00.000000000 +0000
+++ libcpanel-json-xs-perl-4.39/debian/patches/fix-json_atof_scan1-overflows.patch 2025-09-09 03:43:41.000000000 +0000
@@ -0,0 +1,48 @@
+From: Marc Lehmann
+Date: Sat, 6 Sep 2025 11:31:36 +0200
+Subject: fix json_atof_scan1 overflows
+Origin: https://github.com/rurban/Cpanel-JSON-XS/commit/378236219eaa35742c3962ecbdee364903b0a1f2
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-40929
+
+with fuzzed overlong numbers. CVE-2025-40928
+Really the comparisons were wrong.
+---
+ XS.xs | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/XS.xs b/XS.xs
+index 9b1ce2bd5f28..2b9900f62285 100755
+--- a/XS.xs
++++ b/XS.xs
+@@ -710,16 +710,16 @@ json_atof_scan1 (const char *s, NV *accum, int *expo, int postdp, int maxdepth)
+ /* if we recurse too deep, skip all remaining digits */
+ /* to avoid a stack overflow attack */
+ if (UNLIKELY(--maxdepth <= 0))
+- while (((U8)*s - '0') < 10)
++ while (*s >= '0' && *s <= '9')
+ ++s;
+ 
+ for (;;)
+ {
+- U8 dig = (U8)*s - '0';
++ U8 dig = (U8)(*s - '0');
+ 
+ if (UNLIKELY(dig >= 10))
+ {
+- if (dig == (U8)((U8)'.' - (U8)'0'))
++ if (dig == (U8)('.' - '0'))
+ {
+ ++s;
+ json_atof_scan1 (s, accum, expo, 1, maxdepth);
+@@ -739,7 +739,7 @@ json_atof_scan1 (const char *s, NV *accum, int *expo, int postdp, int maxdepth)
+ else if (*s == '+')
+ ++s;
+ 
+- while ((dig = (U8)*s - '0') < 10)
++ while (*s >= '0' && *s <= '9')
+ exp2 = exp2 * 10 + *s++ - '0';
+ 
+ *expo += neg ? -exp2 : exp2;
+-- 
+2.51.0
+
diff -Nru libcpanel-json-xs-perl-4.39/debian/patches/series libcpanel-json-xs-perl-4.39/debian/patches/series
--- libcpanel-json-xs-perl-4.39/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ libcpanel-json-xs-perl-4.39/debian/patches/series 2025-09-09 03:43:41.000000000 +0000
@@ -0,0 +1 @@
+fix-json_atof_scan1-overflows.patch
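Review bot: The exponent loop in the second inner hunk, `while (*s >= '0' && *s <= '9') exp2 = exp2 * 10 + *s++ - '0';`, still puts no bound on how many digits it accumulates, so an overlong exponent such as `1e99999999999` drives `exp2` past INT_MAX (signed overflow, undefined behaviour in C) and `*expo += neg ? -exp2 : exp2` then carries that into the `int *expo` out-parameter shown in the hunk header. The commit corrects the signed/unsigned comparisons that let both loops consume non-digit bytes, but the accumulation itself is unchanged; `exp2`'s declaration is outside the hunk, and its use with `*expo` suggests it is a plain `int`. Whether the number scanner that runs before json_atof already limits exponent length is not visible here; if it does not, the loop should saturate instead of keep multiplying, since any exponent that large already over- or underflows an NV. The patch body cites CVE-2025-40928 while the Bug-Debian-Security trailer and the changelog cite CVE-2025-40929, which is worth confirming. json_atof_scan1 begins and ends outside both inner hunks.
```c
      while (*s >= '0' && *s <= '9')
        {
          /* saturate: an exponent this large already over/underflows an NV,
             and multiplying further would overflow the int */
          if (exp2 < 100000000)
            exp2 = exp2 * 10 + (*s - '0');
          ++s;
        }
      /* … unchanged: *expo += neg ? -exp2 : exp2; … */
```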