Version in base suite: 1.14.20-1 Base version: pupnp_1.14.20-1 Target version: pupnp_1.14.20-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/pupnp/pupnp_1.14.20-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/pupnp/pupnp_1.14.20-1+deb13u1.dsc changelog | 7 ++ patches/0001-uri.c-Dominik-Blain-s-fix-for-vulnerability.patch | 31 ++++++++++ patches/series | 1 3 files changed, 39 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpkzstyjok/pupnp_1.14.20-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpkzstyjok/pupnp_1.14.20-1+deb13u1.dsc: no acceptable signature found diff -Nru pupnp-1.14.20/debian/changelog pupnp-1.14.20/debian/changelog --- pupnp-1.14.20/debian/changelog 2024-12-15 18:06:48.000000000 +0000 +++ pupnp-1.14.20/debian/changelog 2026-06-22 11:21:09.000000000 +0000 @@ -1,3 +1,10 @@ +pupnp (1:1.14.20-1+deb13u1) trixie; urgency=medium + + * Non-maintainer upload. + * CVE-2026-41682: SSRF port confusion + + -- Adrian Bunk Mon, 22 Jun 2026 14:21:09 +0300 + pupnp (1:1.14.20-1) unstable; urgency=medium * New upstream version 1.14.20 diff -Nru pupnp-1.14.20/debian/patches/0001-uri.c-Dominik-Blain-s-fix-for-vulnerability.patch pupnp-1.14.20/debian/patches/0001-uri.c-Dominik-Blain-s-fix-for-vulnerability.patch --- pupnp-1.14.20/debian/patches/0001-uri.c-Dominik-Blain-s-fix-for-vulnerability.patch 1970-01-01 00:00:00.000000000 +0000 +++ pupnp-1.14.20/debian/patches/0001-uri.c-Dominik-Blain-s-fix-for-vulnerability.patch 2026-06-22 11:20:40.000000000 +0000 
@@ -0,0 +1,31 @@ +From 7e960b98f8079a1adf8d64ecd212e661db7f7c9c Mon Sep 17 00:00:00 2001 +From: Marcelo Roberto Jimenez +Date: Sat, 18 Apr 2026 13:01:35 -0300 +Subject: uri.c: Dominik Blain's fix for vulnerability + +See: +https://github.com/pupnp/pupnp/security/advisories/GHSA-q522-6w45-4j58 + +Signed-off-by: Marcelo Roberto Jimenez +--- + upnp/src/genlib/net/uri/uri.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/upnp/src/genlib/net/uri/uri.c b/upnp/src/genlib/net/uri/uri.c +index 772d671e..ea64d9ff 100644 +--- a/upnp/src/genlib/net/uri/uri.c ++++ b/upnp/src/genlib/net/uri/uri.c +@@ -403,6 +403,10 @@ static int parse_hostport( + srvport = c; + while (*c != '\0' && isdigit(*c)) + c++; ++ long port_l = strtol(srvport, NULL, 10); ++ if (port_l <= 0 || port_l > 65535) { ++ return UPNP_E_INVALID_URL; ++ } + port = (unsigned short int)atoi(srvport); + if (port == 0) + /* Bad port number. */ +-- +2.47.3 + diff -Nru pupnp-1.14.20/debian/patches/series pupnp-1.14.20/debian/patches/series --- pupnp-1.14.20/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 +++ pupnp-1.14.20/debian/patches/series 2026-06-22 11:21:07.000000000 +0000 @@ -0,0 +1 @@ +0001-uri.c-Dominik-Blain-s-fix-for-vulnerability.patch
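Review bot: in the parse_hostport hunk of upnp/src/genlib/net/uri/uri.c, the new range check calls `strtol(srvport, NULL, 10)` with a NULL end pointer and then keeps the old `port = (unsigned short int)atoi(srvport);` conversion, so the port string is parsed twice and neither parse is tied to the digit run the `isdigit` loop just walked. Both strtol and atoi accept leading whitespace and a sign, which that loop does not consume. Suggest passing an end pointer to strtol and requiring it to equal `c`, then assigning `port = (unsigned short int)port_l;` from the validated value instead of calling atoi again. Since `port_l <= 0` is already rejected, the following `if (port == 0)` branch is now unreachable and can be dropped or folded into the new check. `long port_l` is also declared after statements in the block; if this file is expected to build as C89, move the declaration to the top of the scope.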