Bug#1110723: marked as done (trixie-pu: package wolfssl/5.7.2-0.1+deb13u1)

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Bug#1110723: marked as done (trixie-pu: package wolfssl/5.7.2-0.1+deb13u1)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sat, 06 Sep 2025 11:17:45 +0000
Message-id: <[🔎] handler.1110723.D1110723.17571573133953018.ackdone@bugs.debian.org>
Reply-to: 1110723@bugs.debian.org
References: <165032e5317517556dd7fd8cf24843112a3fb6ac.camel@adam-barratt.org.uk> <175483237752.34092.14650092727878633201.reportbug@duagon-BXN3S64.localdomain>

Your message dated Sat, 06 Sep 2025 12:14:57 +0100
with message-id <165032e5317517556dd7fd8cf24843112a3fb6ac.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 13.1
has caused the Debian Bug report #1110723,
regarding trixie-pu: package wolfssl/5.7.2-0.1+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1110723: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110723
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: trixie-pu: package wolfssl/5.7.2-0.1+deb13u1
From: Bastian Germann <bage@debian.org>
Date: Sun, 10 Aug 2025 15:26:17 +0200
Message-id: <175483237752.34092.14650092727878633201.reportbug@duagon-BXN3S64.localdomain>

Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: wolfssl@packages.debian.org
Control: affects -1 + src:wolfssl
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Fix for CVE-2025-7394. The Security Team does not support wolfssl
officially.

[ Impact ]
Users are vulnerable for CVE-2025-7394.

[ Tests ]
None.

[ Risks ]
Trivial codechange by upstream.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Additional random reseed.

[ Other info ]
I have NMUed the package to fix this.

diff -Nru wolfssl-5.7.2/debian/changelog wolfssl-5.7.2/debian/changelog
--- wolfssl-5.7.2/debian/changelog	2024-09-23 11:52:19.000000000 +0200
+++ wolfssl-5.7.2/debian/changelog	2025-08-10 15:17:47.000000000 +0200
@@ -1,3 +1,9 @@
+wolfssl (5.7.2-0.1+deb13u1) trixie; urgency=medium
+
+  * Fix CVE-2025-7394.
+
+ -- Bastian Germann <bage@debian.org>  Sun, 10 Aug 2025 15:17:47 +0200
+
 wolfssl (5.7.2-0.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru wolfssl-5.7.2/debian/patches/CVE-2025-7394.patch wolfssl-5.7.2/debian/patches/CVE-2025-7394.patch
--- wolfssl-5.7.2/debian/patches/CVE-2025-7394.patch	1970-01-01 01:00:00.000000000 +0100
+++ wolfssl-5.7.2/debian/patches/CVE-2025-7394.patch	2025-08-04 17:57:05.000000000 +0200
@@ -0,0 +1,42 @@
+From 0c12337194ee6dd082f082f0ccaed27fc4ee44f5 Mon Sep 17 00:00:00 2001
+From: Josh Holtrop <josh@wolfssl.com>
+Date: Thu, 5 Jun 2025 19:48:34 -0400
+Subject: [PATCH] Reseed DRBG in RAND_poll()
+
+---
+ src/ssl.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/src/ssl.c b/src/ssl.c
+index 80e55cf865..26c6c9fe67 100644
+--- a/src/ssl.c
++++ b/src/ssl.c
+@@ -26041,11 +26041,25 @@ int wolfSSL_RAND_poll(void)
+         return  WOLFSSL_FAILURE;
+     }
+     ret = wc_GenerateSeed(&globalRNG.seed, entropy, entropy_sz);
+-    if (ret != 0){
++    if (ret != 0) {
+         WOLFSSL_MSG("Bad wc_RNG_GenerateBlock");
+         ret = WOLFSSL_FAILURE;
+-    }else
+-        ret = WOLFSSL_SUCCESS;
++    }
++    else {
++#ifdef HAVE_HASHDRBG
++        ret = wc_RNG_DRBG_Reseed(&globalRNG, entropy, entropy_sz);
++        if (ret != 0) {
++            WOLFSSL_MSG("Error reseeding DRBG");
++            ret = WOLFSSL_FAILURE;
++        }
++        else {
++            ret = WOLFSSL_SUCCESS;
++        }
++#else
++        WOLFSSL_MSG("RAND_poll called with HAVE_HASHDRBG not set");
++        ret = WOLFSSL_FAILURE;
++#endif
++    }
+ 
+     return ret;
+ }
diff -Nru wolfssl-5.7.2/debian/patches/series wolfssl-5.7.2/debian/patches/series
--- wolfssl-5.7.2/debian/patches/series	2023-11-02 19:33:30.000000000 +0100
+++ wolfssl-5.7.2/debian/patches/series	2025-08-10 15:13:19.000000000 +0200
@@ -1,6 +1,7 @@
 multi-arch.patch
 dfsg.patch
 fix-hurd-i386-flags.patch
+CVE-2025-7394.patch
 disable-crl-monitor.patch
 disable-jobserver.patch
 handle-debian-files.diff

--- End Message ---

--- Begin Message ---

To: 1109572-done@bugs.debian.org, 1110100-done@bugs.debian.org, 1110170-done@bugs.debian.org, 1110707-done@bugs.debian.org, 1110723-done@bugs.debian.org, 1110737-done@bugs.debian.org, 1110855-done@bugs.debian.org, 1110958-done@bugs.debian.org, 1110977-done@bugs.debian.org, 1111036-done@bugs.debian.org, 1111075-done@bugs.debian.org, 1111122-done@bugs.debian.org, 1111225-done@bugs.debian.org, 1111231-done@bugs.debian.org, 1111256-done@bugs.debian.org, 1111257-done@bugs.debian.org, 1111308-done@bugs.debian.org, 1111361-done@bugs.debian.org, 1111422-done@bugs.debian.org, 1111425-done@bugs.debian.org, 1111470-done@bugs.debian.org, 1111602-done@bugs.debian.org, 1111603-done@bugs.debian.org, 1111604-done@bugs.debian.org, 1111608-done@bugs.debian.org, 1111621-done@bugs.debian.org, 1111644-done@bugs.debian.org, 1111646-done@bugs.debian.org, 1111672-done@bugs.debian.org, 1111675-done@bugs.debian.org, 1111684-done@bugs.debian.org, 1111794-done@bugs.debian.org, 1111798-done@bugs.debian.org, 1111852-done@bugs.debian.org, 1111860-done@bugs.debian.org, 1111917-done@bugs.debian.org, 1111938-done@bugs.debian.org, 1111960-done@bugs.debian.org, 1111972-done@bugs.debian.org, 1111991-done@bugs.debian.org, 1112021-done@bugs.debian.org, 1112029-done@bugs.debian.org, 1112038-done@bugs.debian.org, 1112054-done@bugs.debian.org, 1112096-done@bugs.debian.org, 1112099-done@bugs.debian.org, 1112140-done@bugs.debian.org, 1112196-done@bugs.debian.org, 1112215-done@bugs.debian.org, 1112237-done@bugs.debian.org, 1112272-done@bugs.debian.org, 1112287-done@bugs.debian.org, 1112308-done@bugs.debian.org, 1112312-done@bugs.debian.org, 1112323-done@bugs.debian.org, 1112335-done@bugs.debian.org, 1112355-done@bugs.debian.org, 1112367-done@bugs.debian.org, 1112483-done@bugs.debian.org, 1112529-done@bugs.debian.org, 1112533-done@bugs.debian.org, 1112543-done@bugs.debian.org

Subject: Closing p-u requests for fixes included in 13.1

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Date: Sat, 06 Sep 2025 12:14:57 +0100

Message-id: <165032e5317517556dd7fd8cf24843112a3fb6ac.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 13.1

Hi,

Each of the updates referenced by these requests was included in
today's 13.1 point release for trixie.

Regards,

Adam
--- End Message ---

Reply to:

Prev by Date: Bug#1110170: marked as done (trixie-pu: package git/1:2.47.3-0+deb13u1)
Next by Date: Bug#1110813: marked as done (bookworm-pu: package wolfssl/5.5.4-2+deb12u2)
Previous by thread: Bug#1110170: marked as done (trixie-pu: package git/1:2.47.3-0+deb13u1)
Next by thread: Bug#1110813: marked as done (bookworm-pu: package wolfssl/5.5.4-2+deb12u2)
Index(es):
- Date
- Thread