Your message dated Sat, 14 Mar 2026 11:48:35 +0000
with message-id <[email protected]>
and subject line Released with 13.4
has caused the Debian Bug report #1129971,
regarding trixie-pu: package augeas/1.14.1-1.1~deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1129971: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129971
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:augeas
User: [email protected]
Usertags: pu
* CVE-2025-2588: NULL Pointer Dereference in re_case_expand()
(Closes: #1101714)
diffstat for augeas-1.14.1 augeas-1.14.1
changelog | 15 ++
patches/0001-CVE-2025-2588-return-_REG_ENOSYS-if-no-specific-erro.patch | 75 ++++++++++
patches/series | 1
3 files changed, 91 insertions(+)
diff -Nru augeas-1.14.1/debian/changelog augeas-1.14.1/debian/changelog
--- augeas-1.14.1/debian/changelog 2023-07-16 15:17:30.000000000 +0300
+++ augeas-1.14.1/debian/changelog 2026-03-06 19:36:23.000000000 +0200
@@ -1,3 +1,18 @@
+augeas (1.14.1-1.1~deb13u1) trixie; urgency=medium
+
+ * Non-maintainer upload.
+ * Rebuild for trixie.
+
+ -- Adrian Bunk <[email protected]> Fri, 06 Mar 2026 19:36:23 +0200
+
+augeas (1.14.1-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2025-2588: NULL Pointer Dereference in re_case_expand()
+ (Closes: #1101714)
+
+ -- Adrian Bunk <[email protected]> Wed, 04 Mar 2026 19:08:37 +0200
+
augeas (1.14.1-1) unstable; urgency=medium
* New upstream version 1.14.1
diff -Nru
augeas-1.14.1/debian/patches/0001-CVE-2025-2588-return-_REG_ENOSYS-if-no-specific-erro.patch
augeas-1.14.1/debian/patches/0001-CVE-2025-2588-return-_REG_ENOSYS-if-no-specific-erro.patch
---
augeas-1.14.1/debian/patches/0001-CVE-2025-2588-return-_REG_ENOSYS-if-no-specific-erro.patch
1970-01-01 02:00:00.000000000 +0200
+++
augeas-1.14.1/debian/patches/0001-CVE-2025-2588-return-_REG_ENOSYS-if-no-specific-erro.patch
2026-03-04 19:07:57.000000000 +0200
@@ -0,0 +1,75 @@
+From 94186679cc9ea4637537bdefe66c6a33fff1dc3a Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <[email protected]>
+Date: Sun, 30 Mar 2025 12:27:04 +0300
+Subject: CVE-2025-2588: return _REG_ENOSYS if no specific error was set yet
+ parse_regexp failed (#854)
+
+parse_regexp() supposed to set an error on the parser state in case of a
+failure. If no specific error was set, return _REG_ENOSYS to indicate a
+generic failure.
+
+Fixes: https://github.com/hercules-team/augeas/issues/671
+Fixes: https://github.com/hercules-team/augeas/issues/778
+Fixes: https://github.com/hercules-team/augeas/issues/852
+
+Signed-off-by: Alexander Bokovoy <[email protected]>
+---
+ src/fa.c | 2 ++
+ src/fa.h | 3 ++-
+ tests/fatest.c | 6 ++++++
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/fa.c b/src/fa.c
+index 66ac7078..4de5675b 100644
+--- a/src/fa.c
++++ b/src/fa.c
+@@ -3550,6 +3550,8 @@ static struct re *parse_regexp(struct re_parse *parse) {
+ return re;
+
+ error:
++ if (re == NULL && parse->error == REG_NOERROR)
++ parse->error = _REG_ENOSYS;
+ re_unref(re);
+ return NULL;
+ }
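Review bot: The re == NULL half of the new condition under the error: label leaves a gap. If control reaches the label with re non-NULL and parse->error still REG_NOERROR, the function still calls re_unref(re) and returns NULL without recording any error, which is the state the commit message says parse_regexp() must not leave behind. Since NULL is returned on every path through this label, testing only parse->error == REG_NOERROR would cover all of them.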
+diff --git a/src/fa.h b/src/fa.h
+index 1fd754ad..89c9b17e 100644
+--- a/src/fa.h
++++ b/src/fa.h
+@@ -81,7 +81,8 @@ extern int fa_minimization_algorithm;
+ *
+ * On success, FA points to the newly allocated automaton constructed for
+ * RE, and the function returns REG_NOERROR. Otherwise, FA is NULL, and the
+- * return value indicates the error.
++ * return value indicates the error. Special value _REG_ENOSYS indicates
++ * fa_compile() couldn't identify the syntax issue with regexp.
+ *
+ * The FA is case sensitive. Call FA_NOCASE to switch it to
+ * case-insensitive.
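Review bot: The added comment sentence documents _REG_ENOSYS for fa_compile() only, but the test added in tests/fatest.c expects the same value from fa_expand_nocase(). Callers of the other entry points that parse a regexp will not learn about the new return value from this header, so the note should be repeated or cross-referenced there. The wording "couldn't identify the syntax issue with regexp" would also read better as "could not identify a specific syntax error in the regexp".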
+diff --git a/tests/fatest.c b/tests/fatest.c
+index 0c9ca769..6717af8f 100644
+--- a/tests/fatest.c
++++ b/tests/fatest.c
+@@ -589,6 +589,7 @@ static void testExpandNoCase(CuTest *tc) {
+ const char *p1 = "aB";
+ const char *p2 = "[a-cUV]";
+ const char *p3 = "[^a-z]";
++ const char *wrong_regexp = "{&.{";
+ char *s;
+ size_t len;
+ int r;
+@@ -607,6 +608,11 @@ static void testExpandNoCase(CuTest *tc) {
+ CuAssertIntEquals(tc, 0, r);
+ CuAssertStrEquals(tc, "[^A-Za-z]", s);
+ free(s);
++
++ /* Test that fa_expand_nocase does return _REG_ENOSYS */
++ r = fa_expand_nocase(wrong_regexp, strlen(wrong_regexp), &s, &len);
++ CuAssertIntEquals(tc, _REG_ENOSYS, r);
++ free(s);
+ }
+
+ static void testNoCaseComplement(CuTest *tc) {
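Review bot: The free(s) that closes the added block is only safe if fa_expand_nocase() resets s when it fails. s was already released by the free(s) context line directly above the new block, so if the error path leaves the pointer untouched the test performs a double free. Setting s = NULL before the call, or adding CuAssertPtrEquals(tc, NULL, s) before the final free(s), would make the expected post-failure state explicit and checked.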
+--
+2.47.3
+
diff -Nru augeas-1.14.1/debian/patches/series
augeas-1.14.1/debian/patches/series
--- augeas-1.14.1/debian/patches/series 2022-12-11 17:48:41.000000000 +0200
+++ augeas-1.14.1/debian/patches/series 2026-03-04 19:08:36.000000000 +0200
@@ -2,3 +2,4 @@
0002-Skip-tests-that-need-root-privileges-when-fakeroot-h.patch
0003-Make-NRPE-lens-less-strict.patch
0004-Add-Debian-specific-paths-for-ClamAV-configuration-f.patch
+0001-CVE-2025-2588-return-_REG_ENOSYS-if-no-specific-erro.patch
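Review bot: The new entry carries a 0001- prefix but is appended after the 0004- patch, so the numbering no longer matches the application order. The first line of the series file is outside this hunk, and if it is also a 0001- patch the prefix becomes ambiguous. Renaming the file to 0005-CVE-2025-2588-... would keep the series consistent.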
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.4
This update has been released as part of Debian 13.4.
--- End Message ---