Debian Patches

Status for libcoap3/4.3.4-1.1+deb13u2

Patch Description Author Forwarded Bugs Origin Last update
CVE-2024-31031.patch commit 214665ac4b44b1b6a7e38d4d6907ee835a174928

coap_pdu.c: Fix UndefinedBehaviorSanitizer: undefined-behavior

This fixes a reported error in coap_update_token() where a size_t
calculation is overflowed (but all ends up with the correct value).

Instead of adding an overflowed size_t, now subtract the reversed
size_t calculation as appropriate.

coap_update_option() and coap_insert_option() similarly updated.
Jon Shallow <supjps-libcoap@jpshallow.com> no 2024-03-25
CVE-2025-59391.patch [PATCH] OSCORE: Fix OSCORE configuration file parsing issue
With a large boolean parameter value, (longer than "false"), memory
would be read past the "true" or "false" string boundaries in the ".rodata"
section when doing a memcmp(), potentially causing the application to crash
when calling coap_new_oscore_conf() with a specially crafted configuration
file.

It also can provide a mechanism to determine the byte values following the
"true" or "false" string boundaries which could lead to accessing sensitive
information. The standard libcoap library does not have defined keys or
certificates. This can only be done by a specially crafted local application.

Discovered by SecMate (https://secmate.dev).

Now fixed.
Jon Shallow <supjps-libcoap@jpshallow.com> no 2025-09-04
CVE-2024-0962.patch commit 2b28d8b0e9607e71a145345b4fe49517e052b7d9

coap_oscore.c: Fix parsing OSCORE configuration information
Jon Shallow <supjps-libcoap@jpshallow.com> no 2024-01-25
CVE-2025-65501+65500+65499+65498+65497+65496+65495+65494+65493.patch [PATCH] coap_openssl.c: Check return values in case internal OpenSSL issue
Jon Shallow <supjps-libcoap@jpshallow.com> no 2025-09-19