On Sat, Dec 20, 2025 at 02:35:36PM +0100, Holger Levsen wrote: > [ Checklist ] > [ ] *all* changes are documented in the d/changelog > [ ] I reviewed all changes and I approve them > [ ] attach debdiff against the package in (old)stable
debdiff attached now.
I plan to upload this within the next few days, so that then binNMUs can
be scheduled, probably in 2025 still.
--
cheers,
Holger
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄
Hope isn't a plan, but it's a hell of a drug.
diff -Nru rust-sequoia-openpgp-2.0.0/debian/changelog rust-sequoia-openpgp-2.0.0/debian/changelog --- rust-sequoia-openpgp-2.0.0/debian/changelog 2025-04-14 21:49:23.000000000 +0200 +++ rust-sequoia-openpgp-2.0.0/debian/changelog 2025-12-22 16:27:34.000000000 +0100 @@ -1,3 +1,11 @@ +rust-sequoia-openpgp (2.0.0-2+deb13u1) trixie; urgency=medium + + * Add upstream commit b59886e5 (via debian/patches, edited to apply cleanly) + to fix an underflow in aes_key_unwrap / CVE-2025-67897 to prevent DOS + (crash) via special crafted encrypted messages. Closes: #1122582. + + -- Holger Levsen <[email protected]> Mon, 22 Dec 2025 16:27:34 +0100 + rust-sequoia-openpgp (2.0.0-2) unstable; urgency=medium * Team upload. diff -Nru rust-sequoia-openpgp-2.0.0/debian/patches/0001-openpgp-Fix-an-underflow-in-aes_key_unwrap.patch rust-sequoia-openpgp-2.0.0/debian/patches/0001-openpgp-Fix-an-underflow-in-aes_key_unwrap.patch --- rust-sequoia-openpgp-2.0.0/debian/patches/0001-openpgp-Fix-an-underflow-in-aes_key_unwrap.patch 1970-01-01 01:00:00.000000000 +0100 +++ rust-sequoia-openpgp-2.0.0/debian/patches/0001-openpgp-Fix-an-underflow-in-aes_key_unwrap.patch 2025-12-22 16:27:34.000000000 +0100 @@ -0,0 +1,98 @@ +From b59886e5e7bdf7169ed330f309a6633d131776e5 Mon Sep 17 00:00:00 2001 +From: "Neal H. Walfield" <[email protected]> +Date: Fri, 7 Nov 2025 14:50:42 +0100 +Subject: [PATCH] openpgp: Fix an underflow in aes_key_unwrap. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + + - The `aes_key_unwrap` function would panic if passed a ciphertext + that was too short. In a debug build, it would panic due to a + subtraction underflow. In a release build, it would use the small + negative quantity to allocate a vector. Since the allocator + expects an unsigned quantity, the negative value would be + interpreted as a huge allocation. The allocator would then fail + to allocate the memory and panic. + + An attacker could trigger this panic by sending a victim an + encrypted message whose PKESK or SKESK packet has been specially + modified. When the victim decrypts the message, the program would + crash. + + - Fix it. + + - Reported-by: Jan Różański. +--- + +diff --git a/src/crypto/ecdh.rs b/src/crypto/ecdh.rs +index 26404ae9..a7e779fa 100644 +--- a/src/crypto/ecdh.rs ++++ b/src/crypto/ecdh.rs +@@ -326,6 +326,11 @@ pub fn aes_key_unwrap(algo: SymmetricAlgorithm, key: &Protected, + // Inputs: Ciphertext, (n+1) 64-bit values {C0, C1, ..., Cn}, and + // Key, K (the KEK). + // Outputs: Plaintext, n 64-bit values {P1, P2, ..., Pn}. ++ if ciphertext.len() < 16 { ++ return Err(Error::InvalidArgument( ++ "Ciphertext must be at least 16 bytes".into()).into()); ++ } ++ + let n = ciphertext.len() / 8 - 1; + let mut plaintext = Vec::with_capacity(ciphertext.len() - 8); + +@@ -590,4 +595,52 @@ mod tests { + + Ok(()) + } ++ ++ #[test] ++ fn aes_key_unwrap_underflow() { ++ // The `aes_key_unwrap` function would panic if passed a ++ // ciphertext that was too short. In a debug build, it would ++ // panic due to a subtraction underflow. In a release build, ++ // it would use the small negative quantity to allocate a ++ // vector. Since the allocator expects an unsigned quantity, ++ // the negative value would be interpreted as a huge ++ // allocation. The allocator would then fail to allocate the ++ // memory and panic. ++ // ++ // The aes_key_unwrap function would panic if passed a ++ // ciphertext that was too short. In a debug build, it would ++ // panic due to a subtraction underflow. In a release build, ++ // it would use the wrapped negative quantity to allocate a ++ // vector. Since the wrapped value is huge, it would fail to ++ // allocate the memory and panic. ++ // ++ // This test checks that short ciphertexts fail with an error ++ // and don't panic. ++ ++ use crate::fmt::hex; ++ ++ let key = hex::decode("c733a461b6bc6d2d15b3ac95cd02c102") ++ .expect("valid hex"); ++ let key = Protected::from(key); ++ ++ let ciphertext = hex::decode("\ ++54a1b6d2e41fd30b34c83fc384996f7a\ ++ca6904149310621e45ad14bd370a6cad\ ++72d0a11048adddc856fa57e0240cd2ea") ++ .expect("valid hex"); ++ ++ let algo = SymmetricAlgorithm::AES128; ++ ++ // Yes, this key really decryptes this cipher text. ++ assert!(aes_key_unwrap(algo.clone(), &key, &ciphertext).is_ok()); ++ ++ for i in 0..ciphertext.len() - 1 { ++ if let Err(err) = aes_key_unwrap(algo.clone(), &key, &ciphertext[..i]) { ++ eprintln!("{}: {}", i, err); ++ } else { ++ panic!("Expected failure for {} bytes of ciphertext, but succeeded", ++ i); ++ } ++ } ++ } + } +-- +2.47.3 + diff -Nru rust-sequoia-openpgp-2.0.0/debian/patches/series rust-sequoia-openpgp-2.0.0/debian/patches/series --- rust-sequoia-openpgp-2.0.0/debian/patches/series 2025-04-14 21:49:23.000000000 +0200 +++ rust-sequoia-openpgp-2.0.0/debian/patches/series 2025-12-22 16:27:34.000000000 +0100 @@ -1,3 +1,4 @@ cleanup-deps.patch drop-experimental-and-variable-time-crypto-backends.patch simplify-base64.patch +0001-openpgp-Fix-an-underflow-in-aes_key_unwrap.patch
signature.asc
Description: PGP signature
