
Bug#1110813: bookworm-pu: package wolfssl/5.5.4-2+deb12u2



Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: wolfssl@packages.debian.org
Control: affects -1 + src:wolfssl
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Fix for CVE-2025-7394. The Security Team does not support wolfssl
officially.

[ Impact ]
Users are vulnerable to CVE-2025-7394.

[ Tests ]
None.

[ Risks ]
Trivial code change by upstream.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Additional random reseed.

[ Other info ]
I have NMUed the package to fix this.

diff -Nru wolfssl-5.5.4/debian/changelog wolfssl-5.5.4/debian/changelog
--- wolfssl-5.5.4/debian/changelog	2023-10-23 19:46:16.000000000 +0200
+++ wolfssl-5.5.4/debian/changelog	2025-08-11 10:16:46.000000000 +0200
@@ -1,3 +1,10 @@
+wolfssl (5.5.4-2+deb12u2) bookworm; urgency=medium
+
+  * Stable update to address the following vulnerabilities:
+    - Fix CVE-2025-7394. (Closes: #1109549)
+
+ -- Bastian Germann <bage@debian.org>  Mon, 11 Aug 2025 10:16:46 +0200
+
 wolfssl (5.5.4-2+deb12u1) bookworm; urgency=medium
 
   * Stable update to address the following vulnerabilities:
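Review bot: the changelog entry names only the CVE and the bug it closes; a short description of the actual change next to it, e.g. `- Fix CVE-2025-7394: reseed the DRBG in wolfSSL_RAND_poll(). (Closes: #1109549)`, would let readers of the changelog see what was changed without opening the patch, and it matches the "[ Changes ]" summary given above.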
diff -Nru wolfssl-5.5.4/debian/patches/CVE-2025-7394.patch wolfssl-5.5.4/debian/patches/CVE-2025-7394.patch
--- wolfssl-5.5.4/debian/patches/CVE-2025-7394.patch	1970-01-01 01:00:00.000000000 +0100
+++ wolfssl-5.5.4/debian/patches/CVE-2025-7394.patch	2025-08-04 17:57:05.000000000 +0200
@@ -0,0 +1,42 @@
+From 0c12337194ee6dd082f082f0ccaed27fc4ee44f5 Mon Sep 17 00:00:00 2001
+From: Josh Holtrop <josh@wolfssl.com>
+Date: Thu, 5 Jun 2025 19:48:34 -0400
+Subject: [PATCH] Reseed DRBG in RAND_poll()
+
+---
+ src/ssl.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/src/ssl.c b/src/ssl.c
+index 80e55cf865..26c6c9fe67 100644
+--- a/src/ssl.c
++++ b/src/ssl.c
+@@ -26041,11 +26041,25 @@ int wolfSSL_RAND_poll(void)
+         return  WOLFSSL_FAILURE;
+     }
+     ret = wc_GenerateSeed(&globalRNG.seed, entropy, entropy_sz);
+-    if (ret != 0){
++    if (ret != 0) {
+         WOLFSSL_MSG("Bad wc_RNG_GenerateBlock");
+         ret = WOLFSSL_FAILURE;
+-    }else
+-        ret = WOLFSSL_SUCCESS;
++    }
++    else {
++#ifdef HAVE_HASHDRBG
++        ret = wc_RNG_DRBG_Reseed(&globalRNG, entropy, entropy_sz);
++        if (ret != 0) {
++            WOLFSSL_MSG("Error reseeding DRBG");
++            ret = WOLFSSL_FAILURE;
++        }
++        else {
++            ret = WOLFSSL_SUCCESS;
++        }
++#else
++        WOLFSSL_MSG("RAND_poll called with HAVE_HASHDRBG not set");
++        ret = WOLFSSL_FAILURE;
++#endif
++    }
+ 
+     return ret;
+ }
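Review bot: the log message on the wc_GenerateSeed() failure path still reads "Bad wc_RNG_GenerateBlock" although the call that failed is wc_GenerateSeed(); since the patch already touches that block (the brace fix at `+    if (ret != 0) {`), the message should be corrected to name wc_GenerateSeed. Two further points on the same hunk: the new `#else` branch turns wolfSSL_RAND_poll() from returning WOLFSSL_SUCCESS into returning WOLFSSL_FAILURE for builds without HAVE_HASHDRBG, so it is worth confirming that the Debian build configuration defines HAVE_HASHDRBG before upload, otherwise callers of RAND_poll() would start seeing failures; and within the visible lines the `entropy` buffer that is now fed to wc_RNG_DRBG_Reseed() is not cleared before the function returns, so a ForceZero(entropy, entropy_sz) ahead of `return ret;` would be worth considering. Finally, the patch carries only git From:/Subject: headers; adding a DEP-3 `Origin:` line with the upstream commit URL and a `Bug-Debian:` line for #1109549 would document where it came from.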
diff -Nru wolfssl-5.5.4/debian/patches/series wolfssl-5.5.4/debian/patches/series
--- wolfssl-5.5.4/debian/patches/series	2023-10-23 19:46:16.000000000 +0200
+++ wolfssl-5.5.4/debian/patches/series	2025-08-11 10:15:23.000000000 +0200
@@ -5,3 +5,4 @@
 disable-crl-monitor.patch
 disable-jobserver.patch
 cve-2023-3724.patch
+CVE-2025-7394.patch
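Review bot: the new series entry uses upper-case `CVE-2025-7394.patch` while the existing entry is lower-case `cve-2023-3724.patch`; quilt accepts either, but a consistent naming scheme makes the series file easier to scan. The name does match the file added under debian/patches exactly, which is the part that matters for the build.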
