Version in base suite: 2.2.1+dfsg1-1 Base version: lwip_2.2.1+dfsg1-1 Target version: lwip_2.2.1+dfsg1-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/l/lwip/lwip_2.2.1+dfsg1-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/l/lwip/lwip_2.2.1+dfsg1-1+deb13u1.dsc changelog | 14 ++++++++++++++ patches/CVE_2026_8836 | 28 ++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 43 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp59bl6y_0/lwip_2.2.1+dfsg1-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp59bl6y_0/lwip_2.2.1+dfsg1-1+deb13u1.dsc: no acceptable signature found diff -Nru lwip-2.2.1+dfsg1/debian/changelog lwip-2.2.1+dfsg1/debian/changelog --- lwip-2.2.1+dfsg1/debian/changelog 2025-03-01 18:47:48.000000000 +0000 +++ lwip-2.2.1+dfsg1/debian/changelog 2026-05-29 13:18:47.000000000 +0000 @@ -1,3 +1,17 @@ +lwip (2.2.1+dfsg1-1+deb13u1) trixie; urgency=medium + + * Fix CVE-2026-8836: snmpv3: fix handling packets with invalid + msgAuthenticationParameters length + * A remote attacker can send a crafted msgAuthenticationParameters field + to overflow a stack buffer in snmp_parse_inbound_frame(). + * Re-enables the bounds check on msgAuthenticationParameters length in + snmp_parse_inbound_frame() and clamps the copy length to + SNMP_V3_MAX_AUTH_PARAM_LENGTH instead of using the attacker-controlled + TLV value length + * https://savannah.nongnu.org/bugs/?68194 + + -- Joan Lledó Fri, 29 May 2026 15:18:47 +0200 + lwip (2.2.1+dfsg1-1) unstable; urgency=medium * New upstream release diff -Nru lwip-2.2.1+dfsg1/debian/patches/CVE_2026_8836 lwip-2.2.1+dfsg1/debian/patches/CVE_2026_8836 --- lwip-2.2.1+dfsg1/debian/patches/CVE_2026_8836 1970-01-01 00:00:00.000000000 +0000 +++ lwip-2.2.1+dfsg1/debian/patches/CVE_2026_8836 2026-05-29 13:18:47.000000000 +0000 @@ -0,0 +1,28 @@ +Description: Fix CVE-2026-8836 +Forwarded: https://savannah.nongnu.org/bugs/?68194 +Author: 0rbitingZer0 <0rbitingZer0@proton.me> +Last-Update: 2026-05-26 + +--- + src/apps/snmp/snmp_msg.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/apps/snmp/snmp_msg.c b/src/apps/snmp/snmp_msg.c +index f8c75bb7..156b36e3 100644 +--- a/src/apps/snmp/snmp_msg.c ++++ b/src/apps/snmp/snmp_msg.c +@@ -946,9 +946,9 @@ snmp_parse_inbound_frame(struct snmp_request *request) + inbound_msgAuthenticationParameters_offset = pbuf_stream.offset; + LWIP_UNUSED_ARG(inbound_msgAuthenticationParameters_offset); + /* Read auth parameters */ +- /* IF_PARSE_ASSERT(tlv.value_len <= SNMP_V3_MAX_AUTH_PARAM_LENGTH); */ ++ IF_PARSE_ASSERT(tlv.value_len <= SNMP_V3_MAX_AUTH_PARAM_LENGTH); + IF_PARSE_EXEC(snmp_asn1_dec_raw(&pbuf_stream, tlv.value_len, request->msg_authentication_parameters, +- &u16_value, tlv.value_len)); ++ &u16_value, SNMP_V3_MAX_AUTH_PARAM_LENGTH)); + request->msg_authentication_parameters_len = (u8_t)u16_value; + + /* msgPrivacyParameters */ +-- +cgit v1.2.3 + diff -Nru lwip-2.2.1+dfsg1/debian/patches/series lwip-2.2.1+dfsg1/debian/patches/series --- lwip-2.2.1+dfsg1/debian/patches/series 2025-02-08 11:32:42.000000000 +0000 +++ lwip-2.2.1+dfsg1/debian/patches/series 2026-05-29 13:18:47.000000000 +0000 @@ -2,3 +2,4 @@ empty_block_last max_sockets doxygen +CVE_2026_8836