Your message dated Wed, 18 Feb 2026 11:31:25 +0100
with message-id <[email protected]>
and subject line Re: Accepted capstone 5.0.7-1 (source) into unstable
has caused the Debian Bug report #1123739,
regarding capstone: CVE-2025-68114
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1123739: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123739
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: capstone
Version: 5.0.6-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for capstone.

CVE-2025-68114[0]:
| Capstone is a disassembly framework. In versions 6.0.0-Alpha5 and
| prior, an unchecked vsnprintf return in SStream_concat lets a
| malicious cs_opt_mem.vsnprintf drive SStream’s index negative or
| past the end, leading to a stack buffer underflow/overflow when the
| next write occurs. Commit 2c7797182a1618be12017d7d41e0b6581d5d529e
| fixes the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-68114
    https://www.cve.org/CVERecord?id=CVE-2025-68114
[1] https://github.com/capstone-engine/capstone/security/advisories/GHSA-85f5-6xr3-q76r
[2] https://github.com/capstone-engine/capstone/commit/2c7797182a1618be12017d7d41e0b6581d5d529e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
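
The bug class named in the CVE text above, shown in hardened form as an added example (not Capstone's code and not the upstream fix). `demo_stream`, `demo_concat` and the two misbehaving hooks are hypothetical stand-ins for an SStream-like buffer with a caller-supplied formatter; the index advances only after the hook's return value has been validated.

```c
#include <stdarg.h>
#include <stdio.h>

/* Hypothetical stand-ins for illustration; not Capstone's definitions. */
#define DEMO_BUF_SIZE 32
typedef int (*demo_vsnprintf_t)(char *, size_t, const char *, va_list);
typedef struct {
    char buffer[DEMO_BUF_SIZE];
    int index;              /* next write position, kept in [0, DEMO_BUF_SIZE-1] */
} demo_stream;

/* Constructed misbehaving hooks: a caller-supplied formatter may return anything. */
static int hook_negative(char *b, size_t n, const char *f, va_list ap)
{ (void)b; (void)n; (void)f; (void)ap; return -1000; }
static int hook_huge(char *b, size_t n, const char *f, va_list ap)
{ (void)b; (void)n; (void)f; (void)ap; return 1 << 20; }

/* Appends formatted text. Returns 0 on success, -1 on hook error or truncation.
 * An unchecked "index += ret" here is the pattern the CVE text describes. */
int demo_concat(demo_stream *ss, demo_vsnprintf_t fmt_fn, const char *fmt, ...)
{
    size_t room = sizeof(ss->buffer) - (size_t)ss->index;  /* >= 1 by invariant */
    va_list ap;
    va_start(ap, fmt);
    int ret = fmt_fn(ss->buffer + ss->index, room, fmt, ap);
    va_end(ap);
    if (ret < 0) {                      /* error: keep index, drop partial output */
        ss->buffer[ss->index] = '\0';
        return -1;
    }
    if ((size_t)ret >= room) {          /* truncated or implausible: clamp to end */
        ss->index = (int)sizeof(ss->buffer) - 1;
        ss->buffer[ss->index] = '\0';
        return -1;
    }
    ss->index += ret;                   /* only a validated length moves the index */
    return 0;
}

/* Appends three fragments, the middle one through `hook`; returns the final index. */
int demo_run(demo_vsnprintf_t hook)
{
    demo_stream ss = { {0}, 0 };
    demo_concat(&ss, vsnprintf, "mov %s, ", "eax");
    demo_concat(&ss, hook, "%d", 1);
    demo_concat(&ss, vsnprintf, "0x%x", 255);
    return ss.index;
}

int main(void) { printf("%d %d\n", demo_run(hook_negative), demo_run(hook_huge)); return 0; }
```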
--- Begin Message ---
Source: capstone
Source-Version: 5.0.7-1

Those CVEs have been fixed upstream with 5.0.7. So closing the bugs
manually.

On Sun, Feb 15, 2026 at 11:37:18AM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Format: 1.8
> Date: Sun, 15 Feb 2026 12:10:56 +0100
> Source: capstone
> Architecture: source
> Version: 5.0.7-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Security Tools <[email protected]>
> Changed-By: Hilko Bengen <[email protected]>
> Changes:
>  capstone (5.0.7-1) unstable; urgency=medium
>  .
>    * Team upload.
>    * New upstream version 5.0.7
>    * Bump Standards-Version
> 

--- End Message ---
