Version in base suite: 0.15.0-1
Base version: librabbitmq_0.15.0-1
Target version: librabbitmq_0.15.0-1+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/libr/librabbitmq/librabbitmq_0.15.0-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/libr/librabbitmq/librabbitmq_0.15.0-1+deb13u1.dsc
 changelog | 11 ++++++
 patches/CVE-2026-44235.patch | 76 +++++++++++++++++++++++++++++++++++++++++++
 patches/CVE-2026-44236.patch | 39 ++++++++++++++++++++++
 patches/series | 2 +
 4 files changed, 128 insertions(+)
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp9lzirhx1/librabbitmq_0.15.0-1.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp9lzirhx1/librabbitmq_0.15.0-1+deb13u1.dsc: no acceptable signature found
diff -Nru librabbitmq-0.15.0/debian/changelog librabbitmq-0.15.0/debian/changelog
--- librabbitmq-0.15.0/debian/changelog 2024-11-22 13:21:29.000000000 +0000
+++ librabbitmq-0.15.0/debian/changelog 2026-06-10 14:29:23.000000000 +0000
@@ -1,3 +1,14 @@
+librabbitmq (0.15.0-1+deb13u1) trixie-security; urgency=medium
+
+ * [b57bf8d] d/patches/CVE-2026-44235.patch: added from upstream.
+ Fix out-of-bounds read via undersized frames in amqp_handle_input
+ (GHSA-9mmv-r8g3-qp46, CVE-2026-44235)
+ * [890d6c5] d/patches/CVE-2026-44236.patch: added from upstream.
+ Fix client crash when server negotiates frame_max below the AMQP
+ protocol minimum (GHSA-jh48-qjf5-fx5v, CVE-2026-44236)
+
+ -- Florian Ernst Wed, 10 Jun 2026 16:29:23 +0200
+
 librabbitmq (0.15.0-1) unstable; urgency=medium
 
 * [0dd9015] New upstream version 0.15.0
diff -Nru librabbitmq-0.15.0/debian/patches/CVE-2026-44235.patch librabbitmq-0.15.0/debian/patches/CVE-2026-44235.patch
--- librabbitmq-0.15.0/debian/patches/CVE-2026-44235.patch 1970-01-01 00:00:00.000000000 +0000
+++ librabbitmq-0.15.0/debian/patches/CVE-2026-44235.patch 2026-06-10 14:29:23.000000000 +0000
@@ -0,0 +1,76 @@
+From 1d3afbb056fee5cc9ea05680bf32288715d0d802 Mon Sep 17 00:00:00 2001
+From: Claude
+Date: Tue, 28 Apr 2026 00:30:47 +0000
+Subject: [PATCH] amqp_connection: reject undersized frames in
+ amqp_handle_input
+Origin: upstream, https://github.com/alanxz/rabbitmq-c/commit/1d3afbb056fee5cc9ea05680bf32288715d0d802
+Applied-Upstream: v0.16.0, https://github.com/alanxz/rabbitmq-c/releases/tag/v0.16.0
+
+A malicious AMQP server (or active network attacker on an unencrypted
+connection) can send an AMQP frame whose stated frame body is shorter
+than the per-frame-type header it claims to carry. amqp_handle_input()
+then computed encoded.len as
+
+ state->target_size - HEADER_SIZE - - FOOTER_SIZE
+
+with no lower-bound check on target_size. Because encoded.len is a
+size_t, the subtraction wrapped to a value near SIZE_MAX. The bogus
+length was passed to amqp_decode_method() / amqp_decode_properties()
+and through to the table decoder, whose internal bounds checks could
+no longer constrain the parser. The result was an out-of-bounds read
+and process crash on the client side, reachable during amqp_login.
+
+Validate target_size against the minimum required for each frame type
+(METHOD: HEADER_SIZE+4+FOOTER_SIZE, HEADER: HEADER_SIZE+12+FOOTER_SIZE,
+BODY: HEADER_SIZE+FOOTER_SIZE) and return AMQP_STATUS_BAD_AMQP_DATA
+when the frame is too small, before computing encoded.len.
+
+Refs: GHSA-9mmv-r8g3-qp46
+---
+ librabbitmq/amqp_connection.c | 19 ++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+Index: git/librabbitmq/amqp_connection.c
+===================================================================
+--- git.orig/librabbitmq/amqp_connection.c
++++ git/librabbitmq/amqp_connection.c
+@@ -320,6 +320,13 @@ int amqp_handle_input(amqp_connection_st
+
+ switch (decoded_frame->frame_type) {
+ case AMQP_FRAME_METHOD:
++ /* A METHOD frame body must contain at least the 4-byte method id.
++ * Reject undersized frames before subtracting from target_size to
++ * avoid an unsigned underflow that would yield a huge encoded.len
++ * and cause out-of-bounds reads in amqp_decode_method(). */
++ if (state->target_size < HEADER_SIZE + 4 + FOOTER_SIZE) {
++ return AMQP_STATUS_BAD_AMQP_DATA;
++ }
+ decoded_frame->payload.method.id =
+ amqp_d32(amqp_offset(raw_frame, HEADER_SIZE));
+ encoded.bytes = amqp_offset(raw_frame, HEADER_SIZE + 4);
+@@ -335,6 +342,15 @@ int amqp_handle_input(amqp_connection_st
+ break;
+
+ case AMQP_FRAME_HEADER:
++ /* A HEADER frame body must contain at least 12 bytes (class_id,
++ * weight, body_size). Reject undersized frames before subtracting
++ * from target_size to avoid an unsigned underflow that would yield
++ * a huge encoded.len and cause out-of-bounds reads in
++ * amqp_decode_properties() / the table decoder
++ * (CVE: GHSA-9mmv-r8g3-qp46). */
++ if (state->target_size < HEADER_SIZE + 12 + FOOTER_SIZE) {
++ return AMQP_STATUS_BAD_AMQP_DATA;
++ }
+ decoded_frame->payload.properties.class_id =
+ amqp_d16(amqp_offset(raw_frame, HEADER_SIZE));
+ /* unused 2-byte weight field goes here */
+@@ -354,6 +370,9 @@ int amqp_handle_input(amqp_connection_st
+ break;
+
+ case AMQP_FRAME_BODY:
++ if (state->target_size < HEADER_SIZE + FOOTER_SIZE) {
++ return AMQP_STATUS_BAD_AMQP_DATA;
++ }
+ decoded_frame->payload.body_fragment.len =
+ state->target_size - HEADER_SIZE - FOOTER_SIZE;
+ decoded_frame->payload.body_fragment.bytes =
diff -Nru librabbitmq-0.15.0/debian/patches/CVE-2026-44236.patch librabbitmq-0.15.0/debian/patches/CVE-2026-44236.patch
--- librabbitmq-0.15.0/debian/patches/CVE-2026-44236.patch 1970-01-01 00:00:00.000000000 +0000
+++ librabbitmq-0.15.0/debian/patches/CVE-2026-44236.patch 2026-06-10 14:29:23.000000000 +0000
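Review bot: In debian/patches/CVE-2026-44235.patch, the comment added to the AMQP_FRAME_HEADER case tags the advisory as `(CVE: GHSA-9mmv-r8g3-qp46)`, which is a GHSA id rather than a CVE id; the changelog in this upload pairs it with CVE-2026-44235, so `(GHSA-9mmv-r8g3-qp46, CVE-2026-44235)` would be unambiguous for anyone grepping the tree. The AMQP_FRAME_BODY guard is the only one of the three without a comment, and a line such as `/* target_size must cover header and footer, otherwise the subtraction below underflows */` would match the other two cases. The literals `4` and `12` in the guards repeat the offsets used by the decode lines under them (`HEADER_SIZE + 4` is visible in the METHOD case), so a shared named constant per frame type would keep each guard tied to the subtraction it protects. The body of amqp_handle_input continues outside these hunks, so how target_size is derived cannot be checked from here.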
@@ -0,0 +1,39 @@
+From 4777d0b5c58cb02966a04a85832436bd66ed5d1f Mon Sep 17 00:00:00 2001
+From: Kevin Valerio
+Date: Tue, 28 Apr 2026 13:45:22 +0200
+Subject: [PATCH] fix(connection): enforce minimum frame_max
+Origin: upstream, https://github.com/alanxz/rabbitmq-c/commit/4777d0b5c58cb02966a04a85832436bd66ed5d1f
+Applied-Upstream: v0.16.0, https://github.com/alanxz/rabbitmq-c/releases/tag/v0.16.0
+
+---
+ librabbitmq/amqp_connection.c | 4 +++
+ librabbitmq/amqp_socket.c | 1 +
+ 2 files changed, 5 insertions(+), 0 deletions(-)
+
+Index: git/librabbitmq/amqp_connection.c
+===================================================================
+--- git.orig/librabbitmq/amqp_connection.c
++++ git/librabbitmq/amqp_connection.c
+@@ -113,6 +113,10 @@ int amqp_tune_connection(amqp_connection
+
+ ENFORCE_STATE(state, CONNECTION_STATE_IDLE);
+
++ if (frame_max < AMQP_FRAME_MIN_SIZE) {
++ frame_max = AMQP_FRAME_MIN_SIZE;
++ }
++
+ state->channel_max = channel_max;
+ state->frame_max = frame_max;
+
+Index: git/librabbitmq/amqp_socket.c
+===================================================================
+--- git.orig/librabbitmq/amqp_socket.c
++++ git/librabbitmq/amqp_socket.c
+@@ -1387,6 +1387,7 @@ static amqp_rpc_reply_t amqp_login_inner
+ if (res < 0) {
+ goto error_res;
+ }
++ client_frame_max = (uint32_t)amqp_get_frame_max(state);
+
+ {
+ amqp_connection_tune_ok_t s;
diff -Nru librabbitmq-0.15.0/debian/patches/series librabbitmq-0.15.0/debian/patches/series
--- librabbitmq-0.15.0/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ librabbitmq-0.15.0/debian/patches/series 2026-06-10 14:29:23.000000000 +0000
@@ -0,0 +1,2 @@
+CVE-2026-44235.patch
+CVE-2026-44236.patch
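Review bot: In debian/patches/CVE-2026-44236.patch, the added `client_frame_max = (uint32_t)amqp_get_frame_max(state);` in amqp_login_inner carries no comment, and its purpose only becomes clear once the clamp added to amqp_tune_connection by the same patch is read next to it; a line such as `/* amqp_tune_connection() may have raised frame_max to AMQP_FRAME_MIN_SIZE; use the value actually in effect */` would record the coupling. The clamp is silent: a frame_max below the minimum is raised rather than rejected, so the value the client goes on to use can be larger than the one that was passed in, and a short comment stating that this is deliberate would help. The patch header also has no description of the failure mode, which for now lives only in debian/changelog. Both functions start and end outside the hunks shown.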