Version in base suite: 3.3.1-1
Base version: mxml_3.3.1-1
Target version: mxml_3.3.1-1+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/m/mxml/mxml_3.3.1-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/m/mxml/mxml_3.3.1-1+deb13u1.dsc
changelog | 7 ++
patches/0001-Fix-access-issue-in-mxmlIndexNew-Issue-350.patch | 25 ++++++++++
patches/series | 1
3 files changed, 33 insertions(+)
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmphtfio5ni/mxml_3.3.1-1.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmphtfio5ni/mxml_3.3.1-1+deb13u1.dsc: no acceptable signature found
diff -Nru mxml-3.3.1/debian/changelog mxml-3.3.1/debian/changelog
--- mxml-3.3.1/debian/changelog 2022-07-29 08:04:42.000000000 +0000
+++ mxml-3.3.1/debian/changelog 2026-06-19 11:17:53.000000000 +0000
@@ -1,3 +1,10 @@
+mxml (3.3.1-1+deb13u1) trixie; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2026-5037: Out-of-bounds read in index_sort() (Closes: #1132328)
+
+ -- Adrian Bunk Fri, 19 Jun 2026 14:17:53 +0300
+
 mxml (3.3.1-1) unstable; urgency=medium
 
 * New upstream release
diff -Nru mxml-3.3.1/debian/patches/0001-Fix-access-issue-in-mxmlIndexNew-Issue-350.patch mxml-3.3.1/debian/patches/0001-Fix-access-issue-in-mxmlIndexNew-Issue-350.patch
--- mxml-3.3.1/debian/patches/0001-Fix-access-issue-in-mxmlIndexNew-Issue-350.patch 1970-01-01 00:00:00.000000000 +0000
+++ mxml-3.3.1/debian/patches/0001-Fix-access-issue-in-mxmlIndexNew-Issue-350.patch 2026-06-19 11:17:18.000000000 +0000
@@ -0,0 +1,25 @@
+From dc646842629275cda0f77f3dd6a5b269ab007fa2 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet
+Date: Thu, 12 Mar 2026 20:28:25 -0400
+Subject: Fix access issue in mxmlIndexNew (Issue #350)
+
+---
+ mxml-index.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mxml-index.c b/mxml-index.c
+index ca1ea7b..72836f9 100644
+--- a/mxml-index.c
++++ b/mxml-index.c
+@@ -644,7 +644,7 @@ index_sort(mxml_index_t *ind, /* I - Index to sort */
+ * Recursively sort the left partition as needed...
+ */
+
+- if (left < (tempr - 1))
++ if (tempr > 0 && left < (tempr - 1))
+ index_sort(ind, left, tempr - 1);
+ }
+ while (right > (left = tempr + 1));
+--
+2.47.3
+
diff -Nru mxml-3.3.1/debian/patches/series mxml-3.3.1/debian/patches/series
--- mxml-3.3.1/debian/patches/series 2022-07-29 08:04:42.000000000 +0000
+++ mxml-3.3.1/debian/patches/series 2026-06-19 11:17:46.000000000 +0000
@@ -5,3 +5,4 @@
 06_autoheader-fixes.patch
 07_compile_fixes.patch
 08_cross.patch
+0001-Fix-access-issue-in-mxmlIndexNew-Issue-350.patch
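Review bot: The added guard `tempr > 0 &&` on the recursive call in index_sort() only changes behaviour if `tempr` is an unsigned type, and the declarations of `left` and `tempr` are outside this hunk. If they are plain `int` in the 3.3.1 tree (not confirmable from here), `tempr - 1` is -1 and `left < -1` was already false, so this backport would not close the out-of-bounds read named in the changelog. Please confirm the types in 3.3.1's mxml-index.c and check the patched package against any reproducer attached to Issue #350 under a memory-checking build before release. The patch header would also benefit from DEP-3 provenance lines, e.g. `Origin: upstream, commit dc646842629275cda0f77f3dd6a5b269ab007fa2` and `Bug-Debian: https://bugs.debian.org/1132328`.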