diff --git a/debian/changelog b/debian/changelog index d144803..ec62eb4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +alsa-lib (1.2.15.3-1deepin4) unstable; urgency=medium + + * Fix CVE-2026-25068: heap buffer overflow in topology decoder + + -- deepin-ci-robot Sat, 25 Apr 2026 14:32:23 +0800 + alsa-lib (1.2.15.3-1deepin3) unstable; urgency=medium * Add sw support. diff --git a/debian/patches/CVE-2026-25068.patch b/debian/patches/CVE-2026-25068.patch new file mode 100644 index 0000000..a60eb41 --- /dev/null +++ b/debian/patches/CVE-2026-25068.patch @@ -0,0 +1,27 @@ +Description: Fix CVE-2026-25068: heap buffer overflow in topology decoder + Add boundary check for channel mixer count to prevent heap corruption + from malicious binary topology files. +Author: Jaroslav Kysela +Origin: upstream, https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40 +Bug: https://security-tracker.debian.org/tracker/CVE-2026-25068 +Forwarded: not-needed +--- + src/topology/ctl.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/topology/ctl.c b/src/topology/ctl.c +index a0c24518..322c461c 100644 +--- a/src/topology/ctl.c ++++ b/src/topology/ctl.c +@@ -1250,6 +1250,11 @@ int tplg_decode_control_mixer1(snd_tplg_t *tplg, + if (mc->num_channels > 0) { + map = tplg_calloc(heap, sizeof(*map)); + map->num_channels = mc->num_channels; ++ if (map->num_channels > SND_TPLG_MAX_CHAN || ++ map->num_channels > SND_SOC_TPLG_MAX_CHAN) { ++ snd_error(TOPOLOGY, "mixer: unexpected channel count %d", map->num_channels); ++ return -EINVAL; ++ } + for (i = 0; i < map->num_channels; i++) { + map->channel[i].reg = mc->channel[i].reg; + map->channel[i].shift = mc->channel[i].shift; diff --git a/debian/patches/series b/debian/patches/series index 5189341..0e47dca 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ 0001-Enabled-extended-namehints-in-alsa.conf.patch 0001-deepin-sw_64-support.patch +CVE-2026-25068.patch