[Pkg-javascript-devel] RFS: binaryen 129-1 -- compiler and toolchain infrastructure library for WebAssembly

Daichi Fukui a.dog.will.talk at akane.waseda.jp
Sat Apr 11 06:27:14 BST 2026 

Dear Debian Javascript Team,

I am looking for a sponsor for my package "binaryen":

 * Package name     : binaryen
   Version          : 129-1
 * URL              : https://github.com/WebAssembly/binaryen
 * License          : Apache-2.0-with-LLVM-Exceptions, Apache-2.0, Expat
 * Vcs              : https://salsa.debian.org/debian/binaryen
   Section          : devel

The source builds the following binary packages:

  binaryen - compiler and toolchain infrastructure library for WebAssembly

This upload updates binaryen to upstream version 129, which fixes two
security vulnerabilities:

  - CVE-2025-14956: heap-based buffer overflow in
    WasmBinaryReader::readExport (src/wasm/wasm-binary.cpp)
    (Closes: #1123745)
  - CVE-2025-14957: null pointer dereference in
    IRBuilder::makeLocalGet/makeLocalSet/makeLocalTee
    (src/wasm/wasm-ir-builder.cpp)
    (Closes: #1123746)

Additional changes include a patch to fix upstream spelling typos
reported by Lintian, refreshed Lintian overrides for both the binary
and source packages, dropping the now-obsolete armel-specific test
patch, updating the copyright file for the new maintainer year, and
bumping Standards-Version to 4.7.4 (no changes required).

To access further information about this package, please visit the
following URL:

  https://mentors.debian.net/package/binaryen/

Alternatively, you can download the package with 'dget' using this
command:

  dget -x https://mentors.debian.net/debian/pool/main/b/binaryen/binaryen_129-1.dsc

Changes since the last upload:

 binaryen (129-1) unstable; urgency=medium
 .
   [ Fukui Daichi ]
   * New upstream version 129
   * Fix CVE-2025-14956 (Closes: #1123745)
   * Fix CVE-2025-14957 (Closes: #1123746)
     New upstream version 129 fixes the CVEs
   * Add patch to fix spelling typos
   * Update d/copyright for new maintainer year
   * Refresh Lintian overrides for binary and source packages
   * Drop obsolete armel-specific test patch
   * Bump Standards-Version to 4.7.4
   * Override false-positive spelling-error-in-binary tags
     Non-text byte sequences are misidentified as typos

Regards,
Fukui Daichi

More information about the Pkg-javascript-devel mailing list