new file mode 100644
@@ -0,0 +1,150 @@
+From d44cd1cc4fbb70a9ae9e71890024ae8367fcb912 Mon Sep 17 00:00:00 2001
+From: Gerhard Rieger <gerhard@dest-unreach.org>
+Date: Thu, 25 Jun 2026 14:55:59 +0200
+Subject: [PATCH] Version 1.8.1.2 - fixed SOCKS5 client buffer overflow
+ (CVE-2026-56123)
+
+CVE: CVE-2026-56123
+Upstream-Status: Backport [repo.or.cz/socat.git/commitdiff/d44cd1cc4fbb70a9ae9e71890024ae8367fcb912]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ CHANGES | 13 ++++++++++
+ test.sh | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ xio-socks5.h | 4 +--
+ 3 files changed, 88 insertions(+), 2 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index ba82024..3c2f230 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -1,4 +1,17 @@
+
++Security:
++ Socat security advisory 10
++ CVE-2026-56123
++ There was a possible heap overflow in the socks5 client code. It could
++ be triggered by connecting to a malicious socks5 server that expected
++ this connection and had knowledge about details of the client binary
++ code.
++ Only builds with C signed char (vs.unsigned char) are affected.
++ Thanks to Tristan Madani for finding and reporting this issue, and for
++ conveying the process.
++ Test: SOCKS5_OVERFL
++
++
+ ####################### V 1.8.0.0
+
+ Security:
+diff --git a/test.sh b/test.sh
+index 53bbb2a..467ac57 100755
+--- a/test.sh
++++ b/test.sh
+@@ -601,6 +601,9 @@ rm -rf "$TD" || (echo "cannot rm $TD" >&2; exit 1)
+ mkdir -p "$TD"
+ #trap "rm -r $TD" 0 3
+
++BINDIR=$td/bin
++mkdir -p $BINDIR
++
+ echo "Using temp directory $TD"
+
+ case "$TESTS" in
+@@ -19217,6 +19220,76 @@ fi # NUMCOND
+ esac
+ N=$((N+1))
+
++# Above tests introduced with 1.8.1.0 (none with 1.8.1.1)
++#==============================================================================
++# Below tests introduced with 1.8.1.2
++
++
++# Test socks5 client buffer overflow (CVE-2026-56123)
++NAME=SOCKS5_OVERFL
++case "$TESTS" in
++*%$N%*|*%functions%*|*%bugs%*|*%security%*|*%socks5%*|*%socks%*|*%%*|*%%*|*%socket%*|*%$NAME%*)
++#*%internet%*|*%root%*|*%listen%*|*%fork%*|*%ip4%*|*%tcp4%*|*%bug%*|...
++TEST="$NAME: socks5 client buffer overflow"
++# Start a listener that emulates a malicious socks5 server, using a temporary
++# shell script;
++# connect using Socat with socks5 client;
++# when is terminates with rc=0 the test succeeded (not vulnerable)
++if ! eval $NUMCOND; then :
++# Check if this test can be performed meaningfully
++elif ! cond=$(checkconds \
++ "" \
++ "" \
++ "" \
++ "IP4 TCP LISTEN SHELL GOPEN SOCKS5" \
++ "TCP4-LISTEN SHELL GOPEN SOCKS5" \
++ "socksport" \
++ "tcp4" ); then
++ $PRINTF "test $F_n $TEST... ${YELLOW}$cond${NORMAL}\n" $N
++ cant
++else
++ mkdir -p "$BINDIR"
++ tf="$td/test$N.stdout"
++ te="$td/test$N.stderr"
++ tdiff="$td/test$N.diff"
++ tsh="$BINDIR/test$N.sh"
++ cat >"$tsh" <<__EOF__
++$ECHO -n "\\x05\\x00"
++relsleep 1
++$ECHO -n "\\x05\\x00\\x00\\x03\\xfdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
++__EOF__
++ chmod a+x "$tsh"
++ newport tcp4 # -> PORT
++ CMD0="$TRACE $SOCAT $opts TCP4-LISTEN:$PORT SHELL:$tsh"
++ CMD1="$TRACE $SOCAT $opts /dev/null SOCKS5:$LOCALHOST4:17.34.51.68:85,socksport=$PORT"
++ printf "test $F_n $TEST... " $N
++ $CMD0 >/dev/null 2>"${te}0" &
++ pid0=$!
++ waittcp4port $PORT 1
++ $CMD1 >"${tf}1" 2>"${te}1"
++ rc1=$?
++ kill $pid0 2>/dev/null; wait
++ if [ "$rc1" -ne 0 ]; then
++ $PRINTF "$FAILED (rc1=$rc1)\n"
++ echo "$CMD0 &"
++ cat "${te}0" >&2
++ echo "$CMD1"
++ cat "${te}1" >&2
++ failed
++ else
++ $PRINTF "$OK\n"
++ if [ "$VERBOSE" ]; then echo "$CMD0 &"; fi
++ if [ "$DEBUG" ]; then cat "${te}0" >&2; fi
++ if [ "$VERBOSE" ]; then echo "$CMD1"; fi
++ if [ "$DEBUG" ]; then cat "${te}1" >&2; fi
++ ok
++ fi
++fi # NUMCOND
++ ;;
++esac
++N=$((N+1))
++
++
+ # end of common tests
+
+ ##################################################################################
+diff --git a/xio-socks5.h b/xio-socks5.h
+index 4dab76b..d4712d2 100644
+--- a/xio-socks5.h
++++ b/xio-socks5.h
+@@ -23,7 +23,7 @@ struct socks5_request {
+ uint8_t command;
+ uint8_t reserved;
+ uint8_t address_type;
+- char dstdata[];
++ unsigned char dstdata[];
+ };
+
+ struct socks5_reply {
+@@ -31,7 +31,7 @@ struct socks5_reply {
+ uint8_t reply;
+ uint8_t reserved;
+ uint8_t address_type;
+- char dstdata[];
++ unsigned char dstdata[];
+ };
+
+ extern const struct addrdesc xioaddr_socks5_connect;
@@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
SRC_URI = "http://www.dest-unreach.org/socat/download/socat-${PV}.tar.bz2 \
file://0001-fix-compile-procan.c-failed.patch \
file://CVE-2024-54661.patch \
+ file://CVE-2026-56123.patch \
"
SRC_URI[sha256sum] = "e1de683dd22ee0e3a6c6bbff269abe18ab0c9d7eb650204f125155b9005faca7"