Your message dated Wed, 18 Feb 2026 11:31:25 +0100
with message-id <[email protected]>
and subject line Re: Accepted capstone 5.0.7-1 (source) into unstable
has caused the Debian Bug report #1123740,
regarding capstone: CVE-2025-67873
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1123740: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123740
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: capstone
Version: 5.0.6-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for capstone.

CVE-2025-67873[0]:
| Capstone is a disassembly framework. In versions 6.0.0-Alpha5 and
| prior, Skipdata length is not bounds-checked, so a user-provided
| skipdata callback can make cs_disasm/cs_disasm_iter memcpy more than
| 24 bytes into cs_insn.bytes, causing a heap buffer overflow in the
| disassembly path. Commit cbef767ab33b82166d263895f24084b75b316df3
| fixes the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-67873
    https://www.cve.org/CVERecord?id=CVE-2025-67873
[1] https://github.com/capstone-engine/capstone/security/advisories/GHSA-hj6g-v545-v7jg
[2] https://github.com/capstone-engine/capstone/commit/cbef767ab33b82166d263895f24084b75b316df3

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
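
The missing bound described in the CVE text above, as an added example (not Capstone's code and not part of the original report): a small C model in which the length returned by a skipdata callback is checked against both the remaining input and the 24-byte destination before the copy. The struct, the function names and the choice to refuse an oversize length outright are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model only, not Capstone source. 24 is the cs_insn.bytes size from the CVE text. */
#define INSN_BYTES_MAX 24

/* Same parameter list as Capstone's cs_skipdata_cb_t: returns how many bytes to skip. */
typedef size_t (*skipdata_cb_t)(const uint8_t *code, size_t code_size,
                                size_t offset, void *user_data);

struct insn_model {              /* hypothetical stand-in for cs_insn */
    uint16_t size;
    uint8_t bytes[INSN_BYTES_MAX];
};

/* Constructed callback: reports whatever length the caller put in user_data. */
static size_t cb_fixed_len(const uint8_t *code, size_t code_size,
                           size_t offset, void *user_data)
{
    (void)code; (void)code_size; (void)offset;
    return *(const size_t *)user_data;
}

/* Copies one skipdata record; returns bytes consumed, or 0 if the length is refused. */
static size_t skipdata_copy_checked(struct insn_model *insn, const uint8_t *code,
                                    size_t code_size, size_t offset,
                                    skipdata_cb_t cb, void *user_data)
{
    size_t n;
    if (offset >= code_size)
        return 0;
    n = cb(code, code_size, offset, user_data);
    if (n == 0 || n > code_size - offset)   /* would read past the input */
        return 0;
    if (n > sizeof(insn->bytes))            /* would write past bytes[]: the bound at issue */
        return 0;
    memcpy(insn->bytes, code + offset, n);
    insn->size = (uint16_t)n;
    return n;
}

int main(void)
{
    uint8_t code[64] = {0};                 /* constructed input */
    struct insn_model insn = {0};
    size_t len = 32;                        /* fits the input, exceeds bytes[] */
    return skipdata_copy_checked(&insn, code, sizeof code, 0, cb_fixed_len, &len) == 0 ? 0 : 1;
}
```

A length of 32 passes the input-size test on a 64-byte buffer, which is why the separate comparison against the destination size is needed.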
--- Begin Message ---
Source: capstone
Source-Version: 5.0.7-1

Those CVEs have been fixed upstream with 5.0.7. So closing the bugs
manually.

On Sun, Feb 15, 2026 at 11:37:18AM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Format: 1.8
> Date: Sun, 15 Feb 2026 12:10:56 +0100
> Source: capstone
> Architecture: source
> Version: 5.0.7-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Security Tools <[email protected]>
> Changed-By: Hilko Bengen <[email protected]>
> Changes:
>  capstone (5.0.7-1) unstable; urgency=medium
>  .
>    * Team upload.
>    * New upstream version 5.0.7
>    * Bump Standards-Version
> 
> -----BEGIN PGP SIGNATURE-----
> 
> -----END PGP SIGNATURE-----

--- End Message ---
