Bug#1123925: direwolf: CVE-2025-34457 CVE-2025-34458
Source: direwolf
Version: 1.8.1+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerabilities were published for direwolf.
CVE-2025-34457[0]:
| wb2osz/direwolf (Dire Wolf) versions up to and including 1.8, prior
| to commit 694c954, contain a stack-based buffer overflow
| vulnerability in the function kiss_rec_byte() located in
| src/kiss_frame.c. When processing crafted KISS frames that reach the
| maximum allowed frame length (MAX_KISS_LEN), the function appends a
| terminating FEND byte without reserving sufficient space in the
| stack buffer. This results in an out-of-bounds write followed by an
| out-of-bounds read during the subsequent call to kiss_unwrap(),
| leading to stack memory corruption or application crashes. This
| vulnerability may allow remote unauthenticated attackers to trigger
| a denial-of-service condition.
CVE-2025-34458[1]:
| wb2osz/direwolf (Dire Wolf) versions up to and including 1.8, prior
| to commit 3658a87, contain a reachable assertion vulnerability in
| the APRS MIC-E decoder function aprs_mic_e() located in
| src/decode_aprs.c. When processing a specially crafted AX.25 frame
| containing a MIC-E message with an empty or truncated comment field,
| the application triggers an unhandled assertion checking for a non-
| empty comment. This assertion failure causes immediate process
| termination, allowing a remote, unauthenticated attacker to cause a
| denial of service by sending malformed APRS traffic.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-34457
    https://www.cve.org/CVERecord?id=CVE-2025-34457
[1] https://security-tracker.debian.org/tracker/CVE-2025-34458
    https://www.cve.org/CVERecord?id=CVE-2025-34458
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
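
The bounds condition described for CVE-2025-34457, as an added example that is not part of the original report and is not Dire Wolf's code: a byte-at-a-time frame accumulator that keeps one buffer slot free for the terminating FEND and discards frames that would not leave room for it. The names `demo_rx`, `demo_rec_byte`, `demo_feed` and `DEMO_MAX_LEN` are hypothetical, the input is constructed, and KISS escape handling is left out to keep the length check in focus.

```c
#include <stdint.h>
#include <stdio.h>

#define FEND 0xC0
#define DEMO_MAX_LEN 16            /* hypothetical; small so the limit is easy to reach */

struct demo_rx {
    int collecting;                /* 0 = waiting for a leading FEND */
    size_t len;                    /* bytes stored in buf */
    unsigned dropped;              /* oversized frames discarded */
    uint8_t buf[DEMO_MAX_LEN];     /* payload followed by the terminating FEND */
};

/* Feed one byte; returns the stored frame length (payload + FEND) or 0. */
size_t demo_rec_byte(struct demo_rx *rx, uint8_t ch)
{
    if (!rx->collecting) {
        rx->collecting = (ch == FEND);   /* wait for the start of a frame */
        rx->len = 0;
        return 0;
    }
    if (ch == FEND) {
        if (rx->len == 0) return 0;      /* repeated FEND: still at frame start */
        rx->buf[rx->len++] = FEND;       /* slot was reserved by the check below */
        rx->collecting = 0;
        return rx->len;
    }
    if (rx->len >= DEMO_MAX_LEN - 1) {   /* keep one slot for the terminating FEND */
        rx->dropped++;                   /* discard; resynchronise on the next FEND */
        rx->collecting = 0;
        return 0;
    }
    rx->buf[rx->len++] = ch;
    return 0;
}

unsigned demo_feed(struct demo_rx *rx, const uint8_t *data, size_t n)
{
    unsigned frames = 0;
    for (size_t i = 0; i < n; i++)
        frames += demo_rec_byte(rx, data[i]) != 0;
    return frames;
}

int main(void)
{
    uint8_t big[18] = { FEND, [17] = FEND };  /* constructed: 16 payload bytes, one too many */
    struct demo_rx rx = { 0 };
    unsigned frames = demo_feed(&rx, big, sizeof big);
    printf("frames=%u dropped=%u\n", frames, rx.dropped);
}
```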