Version in base suite: 1.1.1-6 Base version: usbmuxd_1.1.1-6 Target version: usbmuxd_1.1.1-6+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/u/usbmuxd/usbmuxd_1.1.1-6.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/u/usbmuxd/usbmuxd_1.1.1-6+deb13u1.dsc changelog | 7 + gbp.conf | 2 patches/0005-conf-Make-sure-to-sanitize-input-for-SavePairRecord-.patch | 50 ++++++++++ patches/series | 1 4 files changed, 59 insertions(+), 1 deletion(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp4z46vmst/usbmuxd_1.1.1-6.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp4z46vmst/usbmuxd_1.1.1-6+deb13u1.dsc: no acceptable signature found diff -Nru usbmuxd-1.1.1/debian/changelog usbmuxd-1.1.1/debian/changelog --- usbmuxd-1.1.1/debian/changelog 2025-01-24 09:19:55.000000000 +0000 +++ usbmuxd-1.1.1/debian/changelog 2026-02-05 14:59:25.000000000 +0000 @@ -1,3 +1,10 @@ +usbmuxd (1.1.1-6+deb13u1) trixie-security; urgency=medium + + * d/patch: add fix for path traversal vulnerability (CVE-2025-66004) + (Closes: #1122507) + + -- Yves-Alexis Perez Thu, 05 Feb 2026 15:59:25 +0100 + usbmuxd (1.1.1-6) unstable; urgency=medium * change license on metainfo file to MIT. diff -Nru usbmuxd-1.1.1/debian/gbp.conf usbmuxd-1.1.1/debian/gbp.conf --- usbmuxd-1.1.1/debian/gbp.conf 2025-01-24 09:19:55.000000000 +0000 +++ usbmuxd-1.1.1/debian/gbp.conf 2026-02-05 14:59:25.000000000 +0000 @@ -1,5 +1,5 @@ [DEFAULT] -debian-branch = debian/master +debian-branch = debian/trixie upstream-branch = upstream/master pristine-tar = True upstream-tag = %(version)s diff -Nru usbmuxd-1.1.1/debian/patches/0005-conf-Make-sure-to-sanitize-input-for-SavePairRecord-.patch usbmuxd-1.1.1/debian/patches/0005-conf-Make-sure-to-sanitize-input-for-SavePairRecord-.patch --- usbmuxd-1.1.1/debian/patches/0005-conf-Make-sure-to-sanitize-input-for-SavePairRecord-.patch 1970-01-01 00:00:00.000000000 +0000 +++ usbmuxd-1.1.1/debian/patches/0005-conf-Make-sure-to-sanitize-input-for-SavePairRecord-.patch 2026-02-05 14:59:25.000000000 +0000 @@ -0,0 +1,50 @@ +From: Nikias Bassen +Date: Sat, 6 Dec 2025 02:13:05 +0100 +Subject: conf: Make sure to sanitize input for SavePairRecord command + +A path traversal vulnerability was discovered in usbmuxd that allows +arbitrary, unprivileged local users to delete and create files named +`*.plist` as the `usbmux` user. + +See https://bugzilla.opensuse.org/show_bug.cgi?id=1254302 +--- + src/conf.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/src/conf.c b/src/conf.c +index f9fce08..fdba707 100644 +--- a/src/conf.c ++++ b/src/conf.c +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + + #ifdef WIN32 + #include +@@ -406,13 +407,19 @@ int config_set_device_record(const char *udid, char* record_data, uint64_t recor + if (!udid || !record_data || record_size < 8) + return -EINVAL; + +- plist_t plist = NULL; +- if (memcmp(record_data, "bplist00", 8) == 0) { +- plist_from_bin(record_data, record_size, &plist); +- } else { +- plist_from_xml(record_data, record_size, &plist); ++ /* verify udid input */ ++ const char* u = udid; ++ while (*u != '\0') { ++ if (!isalnum(*u) && (*u != '-')) { ++ usbmuxd_log(LL_ERROR, "ERROR: %s: udid contains invalid character.\n", __func__); ++ return -EINVAL; ++ } ++ u++; + } + ++ plist_t plist = NULL; ++ plist_from_memory(record_data, record_size, &plist, NULL); ++ + if (!plist || plist_get_node_type(plist) != PLIST_DICT) { + if (plist) + plist_free(plist); diff -Nru usbmuxd-1.1.1/debian/patches/series usbmuxd-1.1.1/debian/patches/series --- usbmuxd-1.1.1/debian/patches/series 2025-01-24 09:19:55.000000000 +0000 +++ usbmuxd-1.1.1/debian/patches/series 2026-02-05 14:59:25.000000000 +0000 @@ -2,3 +2,4 @@ 0002-drop-PIDFile-directive-use-default-one-in-run.patch 0003-Port-to-libplist-2.3.0.patch 0004-conf-Fix-false-plist-read-write-errors-caused-by-usi.patch +0005-conf-Make-sure-to-sanitize-input-for-SavePairRecord-.patch