#1140507 trixie-pu: package alsa-lib/1.2.14-1+deb13u1

#1140507#5
Date:
2026-06-21 17:54:49 UTC
From:
To:
Fixes a low impact security issue, debdiff below. All tests in debusine
are looking good.

Cheers,
        Moritz

diff -Nru alsa-lib-1.2.14/debian/changelog alsa-lib-1.2.14/debian/changelog
--- alsa-lib-1.2.14/debian/changelog	2025-04-14 20:26:22.000000000 +0200
+++ alsa-lib-1.2.14/debian/changelog	2026-06-19 20:17:25.000000000 +0200
@@ -1,3 +1,9 @@
+alsa-lib (1.2.14-1+deb13u1) trixie; urgency=medium
+
+  * CVE-2026-25068 (Closes: #1126629)
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Fri, 19 Jun 2026 20:17:25 +0200
+
 alsa-lib (1.2.14-1) unstable; urgency=medium

   * New upstream release.
diff -Nru alsa-lib-1.2.14/debian/patches/CVE-2026-25068.patch alsa-lib-1.2.14/debian/patches/CVE-2026-25068.patch
--- alsa-lib-1.2.14/debian/patches/CVE-2026-25068.patch	1970-01-01 01:00:00.000000000 +0100
+++ alsa-lib-1.2.14/debian/patches/CVE-2026-25068.patch	2026-06-19 20:17:25.000000000 +0200
@@ -0,0 +1,20 @@
+From 5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40 Mon Sep 17 00:00:00 2001
+From: Jaroslav Kysela <perex@perex.cz>
+Date: Thu, 29 Jan 2026 16:51:09 +0100
+Subject: [PATCH] topology: decoder - add boundary check for channel mixer
+ count
+
+--- alsa-lib-1.2.14.orig/src/topology/ctl.c
++++ alsa-lib-1.2.14/src/topology/ctl.c
+@@ -1247,6 +1247,11 @@ int tplg_decode_control_mixer1(snd_tplg_
+ 	if (mc->num_channels > 0) {
+ 		map = tplg_calloc(heap, sizeof(*map));
+ 		map->num_channels = mc->num_channels;
++		if (map->num_channels > SND_TPLG_MAX_CHAN ||
++		    map->num_channels > SND_SOC_TPLG_MAX_CHAN) {
++			SNDERR("mixer: unexpected channel count %d", map->num_channels);
++			return -EINVAL;
++		}
+ 		for (i = 0; i < map->num_channels; i++) {
+ 			map->channel[i].reg = mc->channel[i].reg;
+ 			map->channel[i].shift = mc->channel[i].shift;
diff -Nru alsa-lib-1.2.14/debian/patches/series alsa-lib-1.2.14/debian/patches/series
--- alsa-lib-1.2.14/debian/patches/series	2024-02-09 21:18:05.000000000 +0100
+++ alsa-lib-1.2.14/debian/patches/series	2026-06-19 20:17:25.000000000 +0200
@@ -1 +1,2 @@
 0001-Enabled-extended-namehints-in-alsa.conf.patch
+CVE-2026-25068.patch