[Git][debian-gis-team/mapnik][master] 2 commits: Add upstream patch to fix CVE-2025-15564. (closes: #1126071)

Bas Couwenberg (@sebastic) gitlab at salsa.debian.org
Thu Feb 12 12:07:35 GMT 2026



Bas Couwenberg pushed to branch master at Debian GIS Project / mapnik


Commits:
dada9871 by Bas Couwenberg at 2026-02-12T12:55:52+01:00
Add upstream patch to fix CVE-2025-15564. (closes: #1126071)

- - - - -
34fa2830 by Bas Couwenberg at 2026-02-12T12:55:52+01:00
Set distribution to unstable.

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/CVE-2025-15564.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,9 +1,11 @@
-mapnik (4.2.1+ds-2) UNRELEASED; urgency=medium
+mapnik (4.2.1+ds-2) unstable; urgency=high
 
   * Drop obsolete libboost-system-dev (build) dependency.
     (closes: #1127078)
+  * Add upstream patch to fix CVE-2025-15564.
+    (closes: #1126071)
 
- -- Bas Couwenberg <sebastic at debian.org>  Fri, 06 Feb 2026 17:09:37 +0100
+ -- Bas Couwenberg <sebastic at debian.org>  Thu, 12 Feb 2026 12:54:08 +0100
 
 mapnik (4.2.1+ds-1) unstable; urgency=medium
 


=====================================
debian/patches/CVE-2025-15564.patch
=====================================
@@ -0,0 +1,46 @@
+Description: Fix CVE-2025-15564.
+ Avoid "modulo by zero" exceptions by returning
+ `mapnik::value_null` when rhs is zero (cosistent with `div` implementation)
+ (including specialisations using `std::fmod` which return NAN if rhs is zero
+ https://en.cppreference.com/w/cpp/numeric/math/fmod)
+Author: Artem Pavlenko <artem at mapnik.org>
+Origin: https://github.com/mapnik/mapnik/commit/fd54b92004f29e223345ddcbcc36257abd94952b
+Bug: https://github.com/mapnik/mapnik/issues/4545
+
+--- a/src/value.cpp
++++ b/src/value.cpp
+@@ -386,6 +386,8 @@ struct mod
+     template<typename T>
+     value_type operator()(T lhs, T rhs) const
+     {
++        if (rhs == 0)
++            return value_type();
+         return lhs % rhs;
+     }
+ 
+@@ -395,15 +397,24 @@ struct mod
+ 
+     value_type operator()(value_double lhs, value_integer rhs) const
+     {
++        if (rhs == 0)
++            return value_type();
+         return std::fmod(lhs, static_cast<value_double>(rhs));
+     }
+ 
+     value_type operator()(value_integer lhs, value_double rhs) const
+     {
++        if (rhs == 0)
++            return value_type();
+         return std::fmod(static_cast<value_double>(lhs), rhs);
+     }
+ 
+-    value_type operator()(value_double lhs, value_double rhs) const { return std::fmod(lhs, rhs); }
++    value_type operator()(value_double lhs, value_double rhs) const
++    {
++        if (rhs == 0)
++            return value_type();
++        return std::fmod(lhs, rhs);
++    }
+ };
+ 
+ template<typename V>
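Review bot: The `rhs == 0` guard in the templated `operator()(T lhs, T rhs)` still leaves one trapping input for `lhs % rhs`. When T is a signed integer type, the minimum value of T modulo -1 overflows, which is undefined behaviour in C++ and raises the same hardware divide fault as a zero divisor on x86. Consider handling `rhs == -1` in that overload as well, for example by returning 0 before the `%` is reached. In the three `std::fmod` overloads, the new check does not prevent a fault. It changes the result for a zero rhs from NaN to a null value, as the Description itself notes, and the header should state this separately as a behaviour change. The Description also contains a typo ("cosistent") and an unclosed parenthesis, and the patch carries no regression test for a zero rhs.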


=====================================
debian/patches/series
=====================================
@@ -1 +1,2 @@
 boost1.89.patch
+CVE-2025-15564.patch



View it on GitLab: https://salsa.debian.org/debian-gis-team/mapnik/-/compare/79c99570080da1a90c40bb36f44951e7869c77d4...34fa2830b2e3aa2debeec363a774f7eeb2140a9b



More information about the Pkg-grass-devel mailing list