Bug#1125962: trixie-pu: package pcsx2/1.6.0+dfsg-3

Mon Jan 19 15:35:56 GMT 2026

Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: pcsx2 at packages.debian.org, obbardc at debian.org, Sébastien Noel <sebastien at twolife.be>
Control: affects -1 + src:pcsx2
User: release.debian.org at packages.debian.org
Usertags: pu

[ Reason ]
pcsx2 in trixie is subject to CVE-2025-49589 (#1107756). Backport patch
from upstream to fix the security issue.

[ Impact ]
Fixes CVE-2025-49589 (#1107756).

[ Tests ]
No regressions when manually running pcsx2.

[ Risks ]
Limited risk - backport of patch from upstream to fix CVE.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Backport security fix for CVE-2025-49589.

[ Other info ]
I am uploading this stable fix on behalf of Sébastien Noel
<sebastien at twolife.be> (in CC).
-------------- next part --------------
diff -Nru pcsx2-1.6.0+dfsg/debian/changelog pcsx2-1.6.0+dfsg/debian/changelog

--- pcsx2-1.6.0+dfsg/debian/changelog	2024-12-23 15:57:26.000000000 +0100
+++ pcsx2-1.6.0+dfsg/debian/changelog	2026-01-19 09:55:23.000000000 +0100
@@ -1,3 +1,9 @@
+pcsx2 (1.6.0+dfsg-3+deb13u1) trixie-security; urgency=medium
+
+  * Backport security fix for CVE-2025-49589.
+
+ -- Sébastien Noel <sebastien at twolife.be>  Mon, 19 Jan 2026 09:55:23 +0100
+
 pcsx2 (1.6.0+dfsg-3) unstable; urgency=medium
 
   * Team Upload
diff -Nru pcsx2-1.6.0+dfsg/debian/patches/CVE-2025-49589.patch pcsx2-1.6.0+dfsg/debian/patches/CVE-2025-49589.patch
--- pcsx2-1.6.0+dfsg/debian/patches/CVE-2025-49589.patch	1970-01-01 01:00:00.000000000 +0100
+++ pcsx2-1.6.0+dfsg/debian/patches/CVE-2025-49589.patch	2026-01-19 09:55:23.000000000 +0100
@@ -0,0 +1,124 @@
+Description: CVE-2025-49589
+ backport the following upstream commit:
+  4c9d2f99b17b1e6f281a264b673f39d95ede6c21
+  6eac0bbcb1d59197a1aa99e41dfae0f87bc23848
+Origin: upstream
+Forwarded: not-needed
+Last-Update: 2026-01-19
+
+--- a/pcsx2/IopBios.cpp
++++ b/pcsx2/IopBios.cpp
+@@ -20,6 +20,7 @@
+ 
+ #include <ctype.h>
+ #include <string.h>
++#include <algorithm>
+ 
+ #ifndef O_BINARY
+ #define O_BINARY 0
+@@ -490,8 +491,12 @@ namespace sysmem {
+ 
+ 		if (!SysConsole.iopConsole.IsActive()) return 1;
+ 
+-		char tmp[1024], tmp2[1024];
++		// maximum allowed size for our buffer before we truncate
++		const unsigned int max_len = 4096;
++		char tmp[max_len], tmp2[max_len];
+ 		char *ptmp = tmp;
++		unsigned int printed_bytes = 0;
++		int remaining_buf = max_len - 1;
+ 		int n=1, i=0, j = 0;
+ 
+ 		while (fmt[i])
+@@ -502,35 +507,50 @@ namespace sysmem {
+ 					j = 0;
+ 					tmp2[j++] = '%';
+ _start:
+-					switch (fmt[++i])
++					// let's check whether this is our null terminator
++					// before allowing the parser to proceed
++					if (fmt[i + 1])
+ 					{
+-						case '.':
+-						case 'l':
+-							tmp2[j++] = fmt[i];
+-							goto _start;
+-						default:
+-							if (fmt[i] >= '0' && fmt[i] <= '9')
+-							{
++						switch (fmt[++i])
++						{
++							case '.':
++							case 'l':
++								if (j >= max_len)
++									break;
+ 								tmp2[j++] = fmt[i];
+ 								goto _start;
+-							}
+-							break;
++							default:
++								if (fmt[i] >= '0' && fmt[i] <= '9')
++								{
++									if (j >= max_len)
++										break;
++									tmp2[j++] = fmt[i];
++									goto _start;
++								}
++								break;
++						}
+ 					}
+ 
++					if (j >= max_len)
++						break;
+ 					tmp2[j++] = fmt[i];
+ 					tmp2[j] = 0;
+ 
+ 					switch (fmt[i])
+ 					{
+ 						case 'f': case 'F':
+-							ptmp+= sprintf(ptmp, tmp2, (float)iopMemRead32(sp + n * 4));
++							printed_bytes = std::min(remaining_buf, snprintf(ptmp, remaining_buf, tmp2, (float)iopMemRead32(sp + n * 4)));
++							remaining_buf -= printed_bytes;
++							ptmp += printed_bytes;
+ 							n++;
+ 							break;
+ 
+ 						case 'a': case 'A':
+ 						case 'e': case 'E':
+ 						case 'g': case 'G':
+-							ptmp+= sprintf(ptmp, tmp2, (double)iopMemRead32(sp + n * 4));
++							printed_bytes = std::min(remaining_buf, snprintf(ptmp, remaining_buf, tmp2, (double)iopMemRead32(sp + n * 4)));
++							remaining_buf -= printed_bytes;
++							ptmp += printed_bytes;
+ 							n++;
+ 							break;
+ 
+@@ -539,19 +559,25 @@ _start:
+ 						case 'd': case 'D':
+ 						case 'o': case 'O':
+ 						case 'x': case 'X':
+-							ptmp+= sprintf(ptmp, tmp2, (u32)iopMemRead32(sp + n * 4));
++							printed_bytes = std::min(remaining_buf, snprintf(ptmp, remaining_buf, tmp2, (u32)iopMemRead32(sp + n * 4)));
++							remaining_buf -= printed_bytes;
++							ptmp += printed_bytes;
+ 							n++;
+ 							break;
+ 
+ 						case 'c':
+-							ptmp+= sprintf(ptmp, tmp2, (u8)iopMemRead32(sp + n * 4));
++							printed_bytes = std::min(remaining_buf, snprintf(ptmp, remaining_buf, tmp2, (u8)iopMemRead32(sp + n * 4)));
++							remaining_buf -= printed_bytes;
++							ptmp += printed_bytes;
+ 							n++;
+ 							break;
+ 
+ 						case 's':
+ 							{
+ 								std::string s = iopMemReadString(iopMemRead32(sp + n * 4));
+-								ptmp += sprintf(ptmp, tmp2, s.data());
++								printed_bytes = std::min(remaining_buf, snprintf(ptmp, remaining_buf, tmp2, s.data()));
++								remaining_buf -= printed_bytes;
++								ptmp += printed_bytes;
+ 								n++;
+ 							}
+ 							break;
diff -Nru pcsx2-1.6.0+dfsg/debian/patches/series pcsx2-1.6.0+dfsg/debian/patches/series
--- pcsx2-1.6.0+dfsg/debian/patches/series	2024-12-23 15:37:39.000000000 +0100
+++ pcsx2-1.6.0+dfsg/debian/patches/series	2026-01-19 09:55:23.000000000 +0100
@@ -1,2 +1,3 @@
 wxwidgets3.2.patch
 cpp_error_ftbfs.patch
+CVE-2025-49589.patch
