Version in base suite: 1.6.0+dfsg-3

Base version: pcsx2_1.6.0+dfsg-3
Target version: pcsx2_1.6.0+dfsg-3+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/pcsx2/pcsx2_1.6.0+dfsg-3.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/p/pcsx2/pcsx2_1.6.0+dfsg-3+deb13u1.dsc

 changelog                    |    7 ++
 patches/CVE-2025-49589.patch |  124 +++++++++++++++++++++++++++++++++++++++++++
 patches/series               |    1 
 3 files changed, 132 insertions(+)

dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpck4ds6lt/pcsx2_1.6.0+dfsg-3.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpck4ds6lt/pcsx2_1.6.0+dfsg-3+deb13u1.dsc: no acceptable signature found
diff -Nru pcsx2-1.6.0+dfsg/debian/changelog pcsx2-1.6.0+dfsg/debian/changelog
--- pcsx2-1.6.0+dfsg/debian/changelog	2024-12-23 14:57:26.000000000 +0000
+++ pcsx2-1.6.0+dfsg/debian/changelog	2026-03-01 20:32:47.000000000 +0000
@@ -1,3 +1,10 @@
+pcsx2 (1.6.0+dfsg-3+deb13u1) trixie; urgency=medium
+
+  [ Sébastien Noel ]
+  * Backport security fix for CVE-2025-49589.
+
+ -- Christopher Obbard <obbardc@debian.org>  Sun, 01 Mar 2026 20:32:47 +0000
+
 pcsx2 (1.6.0+dfsg-3) unstable; urgency=medium
 
   * Team Upload
diff -Nru pcsx2-1.6.0+dfsg/debian/patches/CVE-2025-49589.patch pcsx2-1.6.0+dfsg/debian/patches/CVE-2025-49589.patch
--- pcsx2-1.6.0+dfsg/debian/patches/CVE-2025-49589.patch	1970-01-01 00:00:00.000000000 +0000
+++ pcsx2-1.6.0+dfsg/debian/patches/CVE-2025-49589.patch	2026-03-01 20:32:47.000000000 +0000
@@ -0,0 +1,124 @@
+Description: CVE-2025-49589
+ backport the following upstream commit:
+  4c9d2f99b17b1e6f281a264b673f39d95ede6c21
+  6eac0bbcb1d59197a1aa99e41dfae0f87bc23848
+Origin: upstream
+Forwarded: not-needed
+Last-Update: 2026-01-19
+
+--- a/pcsx2/IopBios.cpp
++++ b/pcsx2/IopBios.cpp
+@@ -20,6 +20,7 @@
+ 
+ #include <ctype.h>
+ #include <string.h>
++#include <algorithm>
+ 
+ #ifndef O_BINARY
+ #define O_BINARY 0
+@@ -490,8 +491,12 @@ namespace sysmem {
+ 
+ 		if (!SysConsole.iopConsole.IsActive()) return 1;
+ 
+-		char tmp[1024], tmp2[1024];
++		// maximum allowed size for our buffer before we truncate
++		const unsigned int max_len = 4096;
++		char tmp[max_len], tmp2[max_len];
+ 		char *ptmp = tmp;
++		unsigned int printed_bytes = 0;
++		int remaining_buf = max_len - 1;
+ 		int n=1, i=0, j = 0;
+ 
+ 		while (fmt[i])
+@@ -502,35 +507,50 @@ namespace sysmem {
+ 					j = 0;
+ 					tmp2[j++] = '%';
+ _start:
+-					switch (fmt[++i])
++					// let's check whether this is our null terminator
++					// before allowing the parser to proceed
++					if (fmt[i + 1])
+ 					{
+-						case '.':
+-						case 'l':
+-							tmp2[j++] = fmt[i];
+-							goto _start;
+-						default:
+-							if (fmt[i] >= '0' && fmt[i] <= '9')
+-							{
++						switch (fmt[++i])
++						{
++							case '.':
++							case 'l':
++								if (j >= max_len)
++									break;
+ 								tmp2[j++] = fmt[i];
+ 								goto _start;
+-							}
+-							break;
++							default:
++								if (fmt[i] >= '0' && fmt[i] <= '9')
++								{
++									if (j >= max_len)
++										break;
++									tmp2[j++] = fmt[i];
++									goto _start;
++								}
++								break;
++						}
+ 					}
+ 
++					if (j >= max_len)
++						break;
+ 					tmp2[j++] = fmt[i];
+ 					tmp2[j] = 0;
+ 
+ 					switch (fmt[i])
+ 					{
+ 						case 'f': case 'F':
+-							ptmp+= sprintf(ptmp, tmp2, (float)iopMemRead32(sp + n * 4));
++							printed_bytes = std::min(remaining_buf, snprintf(ptmp, remaining_buf, tmp2, (float)iopMemRead32(sp + n * 4)));
++							remaining_buf -= printed_bytes;
++							ptmp += printed_bytes;
+ 							n++;
+ 							break;
+ 
+ 						case 'a': case 'A':
+ 						case 'e': case 'E':
+ 						case 'g': case 'G':
+-							ptmp+= sprintf(ptmp, tmp2, (double)iopMemRead32(sp + n * 4));
++							printed_bytes = std::min(remaining_buf, snprintf(ptmp, remaining_buf, tmp2, (double)iopMemRead32(sp + n * 4)));
++							remaining_buf -= printed_bytes;
++							ptmp += printed_bytes;
+ 							n++;
+ 							break;
+ 
+@@ -539,19 +559,25 @@ _start:
+ 						case 'd': case 'D':
+ 						case 'o': case 'O':
+ 						case 'x': case 'X':
+-							ptmp+= sprintf(ptmp, tmp2, (u32)iopMemRead32(sp + n * 4));
++							printed_bytes = std::min(remaining_buf, snprintf(ptmp, remaining_buf, tmp2, (u32)iopMemRead32(sp + n * 4)));
++							remaining_buf -= printed_bytes;
++							ptmp += printed_bytes;
+ 							n++;
+ 							break;
+ 
+ 						case 'c':
+-							ptmp+= sprintf(ptmp, tmp2, (u8)iopMemRead32(sp + n * 4));
++							printed_bytes = std::min(remaining_buf, snprintf(ptmp, remaining_buf, tmp2, (u8)iopMemRead32(sp + n * 4)));
++							remaining_buf -= printed_bytes;
++							ptmp += printed_bytes;
+ 							n++;
+ 							break;
+ 
+ 						case 's':
+ 							{
+ 								std::string s = iopMemReadString(iopMemRead32(sp + n * 4));
+-								ptmp += sprintf(ptmp, tmp2, s.data());
++								printed_bytes = std::min(remaining_buf, snprintf(ptmp, remaining_buf, tmp2, s.data()));
++								remaining_buf -= printed_bytes;
++								ptmp += printed_bytes;
+ 								n++;
+ 							}
+ 							break;
diff -Nru pcsx2-1.6.0+dfsg/debian/patches/series pcsx2-1.6.0+dfsg/debian/patches/series
--- pcsx2-1.6.0+dfsg/debian/patches/series	2024-12-23 14:37:39.000000000 +0000
+++ pcsx2-1.6.0+dfsg/debian/patches/series	2026-03-01 20:32:47.000000000 +0000
@@ -1,2 +1,3 @@
 wxwidgets3.2.patch
 cpp_error_ftbfs.patch
+CVE-2025-49589.patch