Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: [email protected] Control: affects -1 + src:swupdate User: [email protected] Usertags: pu
[ Reason ] CVE-2026-28525 [ Impact ] Vulnerable for integer underflow in a webserver component [ Tests ] Compilation succeeds. [ Risks ] code is trivial (integer change from 8 to 6 and whitespace changes) [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in stable [x] the issue is verified as fixed in unstable [ Changes ] Apply the upstream fix for CVE-2026-28525
diff -Nru swupdate-2024.12.1+dfsg/debian/changelog swupdate-2024.12.1+dfsg/debian/changelog --- swupdate-2024.12.1+dfsg/debian/changelog 2025-11-18 07:52:59.000000000 +0000 +++ swupdate-2024.12.1+dfsg/debian/changelog 2026-05-03 19:20:46.000000000 +0000 @@ -1,3 +1,9 @@ +swupdate (2024.12.1+dfsg-3+deb13u2) trixie; urgency=medium + + * Apply ustream CVE-2026-28525 patch + + -- Bastian Germann <[email protected]> Sun, 03 May 2026 19:20:46 +0000 + swupdate (2024.12.1+dfsg-3+deb13u1) trixie; urgency=medium * Backport: suricatta/wfx: Fix rebooting (Closes: #1118485) diff -Nru swupdate-2024.12.1+dfsg/debian/patches/CVE-2026-28525.diff swupdate-2024.12.1+dfsg/debian/patches/CVE-2026-28525.diff --- swupdate-2024.12.1+dfsg/debian/patches/CVE-2026-28525.diff 1970-01-01 00:00:00.000000000 +0000 +++ swupdate-2024.12.1+dfsg/debian/patches/CVE-2026-28525.diff 2026-05-03 19:20:15.000000000 +0000 @@ -0,0 +1,48 @@ +Origin: upstream, beee2dc0feef1cfe84f1aa6fc980e104b2e47a74 +From: Stefano Babic <[email protected]> +Date: Thu, 19 Mar 2026 10:50:13 +0100 +Subject: mongoose: Integer Underflow in Multipart Upload Parser + +The function mg_http_multipart_continue_wait_for_chunk() has +a discrepancy between its guard condition and a subsequent +subtraction in the else branch. The guard at line 250 checks +`(int) io->len < mp_stream->boundary.len + 6`, allowing execution +to continue when io->len >= boundary.len + 6. +However, when mg_strstr() finds the boundary string in the +buffer (else branch at line 264), data_len is computed as +`io->len - (mp_stream->boundary.len + 8)`. The +6 vs +8 +mismatch means that when io->len is in the range [boundary.len + 6, +boundary.len + 7], the subtraction underflows the size_t +variable to SIZE_MAX or SIZE_MAX - 1. + +This will fix CVE-2026-28525. + +Description of issue copied from vulnerability report - many thanks to +Kazuma for his analyses. + +Signed-off-by: Stefano Babic <[email protected]> +Reported by: Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc." +--- + mongoose/mongoose_multipart.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/mongoose/mongoose_multipart.c b/mongoose/mongoose_multipart.c +index 12ea5434..7fdc1863 100644 +--- a/mongoose/mongoose_multipart.c ++++ b/mongoose/mongoose_multipart.c +@@ -261,12 +261,12 @@ static int mg_http_multipart_continue_wait_for_chunk(struct mg_connection *c) { + } + return 0; + } else { +- size_t data_len = io->len - (mp_stream->boundary.len + 8); ++ size_t data_len = io->len - (mp_stream->boundary.len + 6); + size_t consumed = mg_http_multipart_call_handler(c, MG_EV_HTTP_PART_DATA, +- (char *) io->buf, data_len); ++ (char *) io->buf, data_len); + mg_iobuf_del(io, 0, consumed); + if (consumed == data_len) { +- mg_iobuf_del(io, 0, mp_stream->boundary.len + 8); ++ mg_iobuf_del(io, 0, mp_stream->boundary.len + 6); + mp_stream->state = MPS_FINALIZE; + return 1; + } else { diff -Nru swupdate-2024.12.1+dfsg/debian/patches/series swupdate-2024.12.1+dfsg/debian/patches/series --- swupdate-2024.12.1+dfsg/debian/patches/series 2025-11-18 07:52:59.000000000 +0000 +++ swupdate-2024.12.1+dfsg/debian/patches/series 2026-05-03 19:20:35.000000000 +0000 @@ -1,3 +1,4 @@ +CVE-2026-28525.diff Link-config-to-swupdate-www-path.diff Replace-Font-Awesome-5-with-Fork-Awesome.diff use-gcc-compiler.diff
