Version in base suite: 0.5.16-1 Base version: munge_0.5.16-1 Target version: munge_0.5.16-1.1~deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/m/munge/munge_0.5.16-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/m/munge/munge_0.5.16-1.1~deb13u1.dsc changelog | 15 ++++++++++ patches/buffer-overflow-fix.patch | 52 ++++++++++++++++++++++++++++++++++++++ patches/oob-read-fix.patch | 49 +++++++++++++++++++++++++++++++++++ patches/series | 2 + 4 files changed, 118 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpnqii4sw1/munge_0.5.16-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpnqii4sw1/munge_0.5.16-1.1~deb13u1.dsc: no acceptable signature found diff -Nru munge-0.5.16/debian/changelog munge-0.5.16/debian/changelog --- munge-0.5.16/debian/changelog 2025-02-02 11:16:09.000000000 +0000 +++ munge-0.5.16/debian/changelog 2026-02-04 06:57:37.000000000 +0000 @@ -1,3 +1,18 @@ +munge (0.5.16-1.1~deb13u1) trixie-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Rebuild for trixie-security + + -- Salvatore Bonaccorso Wed, 04 Feb 2026 07:57:37 +0100 + +munge (0.5.16-1.1) unstable; urgency=high + + * Non-maintainer upload. + * Fix out-of-bounds read in credential decoding + * Fix buffer overflow when unpacking message address length (CVE-2026-25506) + + -- Salvatore Bonaccorso Wed, 04 Feb 2026 07:34:54 +0100 + munge (0.5.16-1) unstable; urgency=medium * New upstream release diff -Nru munge-0.5.16/debian/patches/buffer-overflow-fix.patch munge-0.5.16/debian/patches/buffer-overflow-fix.patch --- munge-0.5.16/debian/patches/buffer-overflow-fix.patch 1970-01-01 00:00:00.000000000 +0000 +++ munge-0.5.16/debian/patches/buffer-overflow-fix.patch 2026-02-04 06:57:19.000000000 +0000 
@@ -0,0 +1,52 @@ +From bf40cc27c4ce8451d4b062c9de0b67ec40894812 Mon Sep 17 00:00:00 2001 +From: Chris Dunlap +Date: Mon, 26 Jan 2026 20:42:40 -0800 +Subject: [PATCH 2/2] Fix buffer overflow when unpacking message address length + +Add validation that addr_len does not exceed the size of the addr +field before copying IP address data in _msg_unpack(). + +The m_msg structure contains a 4-byte struct in_addr for the IP +address. When unpacking a MUNGE_MSG_DEC_RSP message, the addr_len +field (uint8_t) was read from untrusted message data and used directly +in _copy() without validation. An attacker setting addr_len to 255 +causes _copy() to write 251 bytes past the end of the addr field, +corrupting subsequent structure members. + +This buffer overflow corrupts munged's internal state and can +be exploited by a local attacker to leak conf->mac_key and other +cryptographic secrets from process memory. With the leaked key, +an attacker can forge arbitrary MUNGE credentials to impersonate any +user to services that rely on MUNGE for authentication. + +Any local user can trigger this by connecting to munged's Unix socket +and sending a crafted MUNGE_MSG_DEC_RSP message. While message type +validation in job_exec() will reject response-type messages, this +validation occurs after m_msg_recv() has already called _msg_unpack() +to process the message body. The buffer overflow occurs during the +unpacking phase, before the message type is validated and rejected. + +A working proof-of-concept exploit exists that demonstrates key +leakage and credential forgery. 
+ +Reported-by: Titouan Lazard +Security: CVE-2026-25506 +--- + src/libcommon/m_msg.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/libcommon/m_msg.c b/src/libcommon/m_msg.c +index 38e01ae3..eaeaf0b8 100644 +--- a/src/libcommon/m_msg.c ++++ b/src/libcommon/m_msg.c +@@ -686,6 +686,7 @@ _msg_unpack (m_msg_t m, m_msg_type_t type, const void *src, int srclen) + else if ( _copy (m->realm_str, p, m->realm_len, p, q, &p) < 0) ; + else if (!_unpack (&(m->ttl), &p, sizeof (m->ttl), q)) ; + else if (!_unpack (&(m->addr_len), &p, sizeof (m->addr_len), q)) ; ++ else if (m->addr_len > sizeof (m->addr)) goto err; + else if ( _copy (&(m->addr), p, m->addr_len, p, q, &p) < 0) ; + else if (!_unpack (&(m->time0), &p, sizeof (m->time0), q)) ; + else if (!_unpack (&(m->time1), &p, sizeof (m->time1), q)) ; +-- +2.51.0 + diff -Nru munge-0.5.16/debian/patches/oob-read-fix.patch munge-0.5.16/debian/patches/oob-read-fix.patch --- munge-0.5.16/debian/patches/oob-read-fix.patch 1970-01-01 00:00:00.000000000 +0000 +++ munge-0.5.16/debian/patches/oob-read-fix.patch 2026-02-04 06:57:19.000000000 +0000 
@@ -0,0 +1,49 @@ +From 5bd6d4db92dabdbed3aaf01ebd5f0d98944326bb Mon Sep 17 00:00:00 2001 +From: Chris Dunlap +Date: Mon, 26 Jan 2026 13:53:36 -0800 +Subject: [PATCH 1/2] Fix out-of-bounds read in credential decoding + +Add missing bounds check before copying MAC in dec_unpack_outer(). + +All other fields unpacked in dec_unpack_outer() validate that +sufficient data remains in the buffer before reading. However, +the MAC was copied without checking if c->mac_len bytes were available. + +An attacker can craft a credential specifying a large MAC type +while providing a truncated credential with insufficient data. +When memcpy() attempts to copy c->mac_len bytes, it reads beyond the +received buffer, potentially reading up to 64 bytes of process memory +(for SHA-512 MACs). Additionally, subtracting c->mac_len from the +remaining length causes an integer underflow, making c->inner_len +negative and resulting in undefined behavior in subsequent operations. + +While this is a memory safety violation, subsequent validation +prevents information disclosure. When encryption is enabled, either +malloc() fails with the negative (wrapped to huge) buffer size or +cipher_update() rejects the negative srclen. When encryption is +disabled, mac_update() rejects the negative srclen. In all cases, +the credential is rejected before any leaked data could be disclosed +to the attacker. + +Reported-by: Titouan Lazard +--- + src/munged/dec.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/munged/dec.c b/src/munged/dec.c +index e8fdcf8b..7d21922b 100644 +--- a/src/munged/dec.c ++++ b/src/munged/dec.c +@@ -516,6 +516,9 @@ dec_unpack_outer (munge_cred_t c) + /* + * Unpack the MAC. 
+ */ ++ if (c->mac_len > len) { ++ return (m_msg_set_err (m, EMUNGE_BAD_CRED, strdup ("Truncated MAC"))); ++ } + memcpy (c->mac, p, c->mac_len); + p += c->mac_len; + len -= c->mac_len; +-- +2.51.0 + diff -Nru munge-0.5.16/debian/patches/series munge-0.5.16/debian/patches/series --- munge-0.5.16/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 +++ munge-0.5.16/debian/patches/series 2026-02-04 06:57:19.000000000 +0000 @@ -0,0 +1,2 @@ +oob-read-fix.patch +buffer-overflow-fix.patch
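Review bot: in the debian/changelog hunk, the 0.5.16-1.1 entry names the two fixes but gives no pointer to the upstream commits the two new patch files carry (5bd6d4db92dabdbed3aaf01ebd5f0d98944326bb and bf40cc27c4ce8451d4b062c9de0b67ec40894812 in their From: lines); adding those ids, or the patch file names, to the changelog entries would let a reader of the changelog trace each line to its patch without opening debian/patches/series.

Review bot: in the buffer-overflow-fix.patch hunk, the added line `++ else if (m->addr_len > sizeof (m->addr)) goto err;` rejects only lengths larger than the 4-byte in_addr field, so an addr_len of 1 to 3 still passes and `_copy` then fills only part of `m->addr`; unless the m_msg structure is zero-initialised before unpacking, the remaining bytes of addr hold whatever was there before. If the protocol only ever carries a full address, tightening the check to `m->addr_len != 0 && m->addr_len != sizeof (m->addr)` would close that gap. The line also signals failure with `goto err` while every neighbouring branch in the chain falls through with an empty statement, so a one-line comment saying that addr_len comes from untrusted message data and that the early exit is deliberate would help the next reader.

Review bot: in the oob-read-fix.patch hunk, the new check `++ if (c->mac_len > len) {` bounds mac_len against the remaining input but not against the destination `c->mac`; the commit message says mac_len is derived from an attacker-chosen MAC type, so if the type-to-length mapping earlier in dec_unpack_outer() does not already reject unknown types, `c->mac_len > sizeof (c->mac)` belongs in the same condition to keep the `memcpy (c->mac, p, c->mac_len);` that follows within the destination. The error path mirrors the other truncation checks the message describes, which is good; a comment noting that `len` is signed and that this check is what keeps the later `len -= c->mac_len;` from going negative would document why the guard sits exactly here.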