Version in base suite: 4.8.0-1 Base version: libslirp_4.8.0-1 Target version: libslirp_4.8.0-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libs/libslirp/libslirp_4.8.0-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libs/libslirp/libslirp_4.8.0-1+deb13u1.dsc changelog | 9 gbp.conf | 1 patches/oob-cap-urgent-data-to-what-is-available-CVE-2026-9539.patch | 123 ++++++++++ patches/series | 1 4 files changed, 134 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmppvaw1vfm/libslirp_4.8.0-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmppvaw1vfm/libslirp_4.8.0-1+deb13u1.dsc: no acceptable signature found
diff -Nru libslirp-4.8.0/debian/changelog libslirp-4.8.0/debian/changelog
--- libslirp-4.8.0/debian/changelog 2024-06-16 15:17:55.000000000 +0000
+++ libslirp-4.8.0/debian/changelog 2026-06-26 16:13:32.000000000 +0000
@@ -1,3 +1,12 @@
+libslirp (4.8.0-1+deb13u1) trixie; urgency=medium
+
+ * d/gbp.conf: switch to debian/trixie branch
+ * oob-cap-urgent-data-to-what-is-available-CVE-2026-9539.patch
+ patch from upstream to fix CVE-2026-9539 (oob heap read and integer
+ underflow allowing reading sensitive host-process memory)
+
+ -- Michael Tokarev Fri, 26 Jun 2026 19:13:32 +0300
+
 libslirp (4.8.0-1) unstable; urgency=medium
 
 [ Michael Tokarev ]
diff -Nru libslirp-4.8.0/debian/gbp.conf libslirp-4.8.0/debian/gbp.conf
--- libslirp-4.8.0/debian/gbp.conf 2023-04-23 06:28:04.000000000 +0000
+++ libslirp-4.8.0/debian/gbp.conf 2026-06-26 16:11:38.000000000 +0000
@@ -1,2 +1,3 @@
 [DEFAULT]
 upstream-vcs-tag = v%(version)s
+debian-branch = debian/trixie
diff -Nru libslirp-4.8.0/debian/patches/oob-cap-urgent-data-to-what-is-available-CVE-2026-9539.patch libslirp-4.8.0/debian/patches/oob-cap-urgent-data-to-what-is-available-CVE-2026-9539.patch
--- libslirp-4.8.0/debian/patches/oob-cap-urgent-data-to-what-is-available-CVE-2026-9539.patch 1970-01-01 00:00:00.000000000 +0000
+++ libslirp-4.8.0/debian/patches/oob-cap-urgent-data-to-what-is-available-CVE-2026-9539.patch 2026-06-26 16:11:38.000000000 +0000
@@ -0,0 +1,123 @@
+From: Samuel Thibault
+Date: Sat, 23 May 2026 22:06:59 +0200
+Subject: oob: cap urgent data count to what is actually available
+Origin: upstream, https://gitlab.freedesktop.org/slirp/libslirp/-/commit/927bca7344e31fd58e2f7afaca784aad4400eb84
+Forwarded: not-needed
+Bug: https://gitlab.freedesktop.org/slirp/libslirp/-/work_items/93
+
+so_urgc is provided by the guest sender, so can arbitrary and beyond
+what we actually have. Worse, this can lead to an sb_cc integer
+underflow leading to leaking gigabytes of data.
+
+Fixes #93
+
+Signed-off-by: Samuel Thibault
+---
+ src/socket.c | 40 +++++++++++++++++++++++-----------------
+ 1 file changed, 23 insertions(+), 17 deletions(-)
+
+diff --git a/src/socket.c b/src/socket.c
+index 77c5cf6..c491d0f 100644
+--- a/src/socket.c
++++ b/src/socket.c
+@@ -339,7 +339,8 @@ int sorecvoob(struct socket *so)
+ int sosendoob(struct socket *so)
+ {
+ struct sbuf *sb = &so->so_rcv;
+- char buff[2048]; /* XXX Shouldn't be sending more oob data than this */
++ uint32_t urgc = so->so_urgc;
++ char buff[2048];
+ 
+ int n;
+ 
+@@ -347,12 +348,15 @@ int sosendoob(struct socket *so)
+ DEBUG_ARG("so = %p", so);
+ DEBUG_ARG("sb->sb_cc = %d", sb->sb_cc);
+ 
+- if (so->so_urgc > sizeof(buff))
+- so->so_urgc = sizeof(buff); /* XXXX */
++ if (urgc > sizeof(buff))
++ urgc = sizeof(buff);
++
++ if (urgc > sb->sb_cc)
++ urgc = sb->sb_cc;
+ 
+ if (sb->sb_rptr < sb->sb_wptr) {
+ /* We can send it directly */
+- n = slirp_send(so, sb->sb_rptr, so->so_urgc,
++ n = slirp_send(so, sb->sb_rptr, urgc,
+ (MSG_OOB)); /* |MSG_DONTWAIT)); */
+ } else {
+ /*
+@@ -360,7 +364,6 @@ int sosendoob(struct socket *so)
+ * we must copy all data to a linear buffer then
+ * send it all
+ */
+- uint32_t urgc = so->so_urgc; /* Amount of room left in buff */
+ int len = (sb->sb_data + sb->sb_datalen) - sb->sb_rptr;
+ if (len > urgc) {
+ len = urgc;
+@@ -405,7 +408,7 @@ int sosendoob(struct socket *so)
+ */
+ int sowrite(struct socket *so)
+ {
+- int n, nn;
++ int n, nn, noob = 0;
+ struct sbuf *sb = &so->so_rcv;
+ int len = sb->sb_cc;
+ struct iovec iov[2];
+@@ -415,16 +418,20 @@ int sowrite(struct socket *so)
+ 
+ if (so->so_urgc) {
+ uint32_t expected = so->so_urgc;
+- if (sosendoob(so) < expected) {
+- /* Treat a short write as a fatal error too,
+- * rather than continuing on and sending the urgent
+- * data as if it were non-urgent and leaving the
+- * so_urgc count wrong.
+- */
++ int noob = sosendoob(so);
++
++ if (noob <= 0)
+ goto err_disconnected;
+- }
++
++ if (noob < expected)
++ /* Short write: either we have not yet received all
++ * urgent data, or the socket buffers are full. Leave
++ * it for later when we have data or have room. */
++ return noob;
++
+ if (sb->sb_cc == 0)
+- return 0;
++ /* Nothing left to write actually */
++ return noob;
+ }
+ 
+ /*
+@@ -455,12 +462,11 @@ int sowrite(struct socket *so)
+ } else
+ n = 1;
+ }
+- /* Check if there's urgent data to send, and if so, send it */
+ 
+ nn = slirp_send(so, iov[0].iov_base, iov[0].iov_len, 0);
+ /* This should never happen, but people tell me it does *shrug* */
+ if (nn < 0 && (errno == EAGAIN || errno == EINTR))
+- return 0;
++ return noob;
+ 
+ if (nn <= 0) {
+ goto err_disconnected;
+@@ -487,7 +493,7 @@ int sowrite(struct socket *so)
+ if ((so->so_state & SS_FWDRAIN) && sb->sb_cc == 0)
+ sofcantsendmore(so);
+ 
+- return nn;
++ return noob + nn;
+ 
+ err_disconnected:
+ DEBUG_MISC(" --- sowrite disconnected, so->so_state = %x, errno = %d",
+-- 
+2.47.3
+
diff -Nru libslirp-4.8.0/debian/patches/series libslirp-4.8.0/debian/patches/series
--- libslirp-4.8.0/debian/patches/series 2023-04-23 06:28:04.000000000 +0000
+++ libslirp-4.8.0/debian/patches/series 2026-06-26 16:11:38.000000000 +0000
@@ -0,0 +1 @@
+oob-cap-urgent-data-to-what-is-available-CVE-2026-9539.patch
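Review bot: In the `sowrite()` hunks of the embedded `src/socket.c` patch, `int noob = sosendoob(so);` inside the `if (so->so_urgc)` block declares a second variable that shadows the function-scope `noob = 0` added next to `n, nn`. The two early `return noob;` statements inside that block see the inner value, but the later `return noob;` on the EAGAIN/EINTR path and the final `return noob + nn;` read the outer variable, which is still 0, so the urgent bytes already sent are not reflected in those results. Dropping the type so the line reads `noob = sosendoob(so);` makes the later returns report what was actually written, and building with `-Wshadow` would catch this class of mistake. `sowrite()` starts and ends outside the quoted hunks, so the effect on callers that test the return value should be confirmed against the full file.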