
Bug#1119910: bookworm-pu: package luksmeta/9-4+deb12u1



Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: luksmeta@packages.debian.org, debian.axhn@manchmal.in-ulm.de
Control: affects -1 + src:luksmeta

Note: With the version number as an exception, the debdiff and this text are
identical to the request for Debian 13 ("trixie") you should have
received a few moments ago. Both stable and oldstable currently have the
same version of luksmeta (9-4).


[ Reason ]
Fixes CVE-2025-11568: A data corruption vulnerability may lead to a
permanent loss of the stored information.

This was marked <no-dsa> by the security team, hence going via
stable-proposed-updates.

[ Impact ]
(What is the impact for the user if the update isn't approved?)

Loss of (encrypted) data after malicious/stupid usage of the luksmeta
program.

[ Tests ]
The fix cherry-picked upstream also contains an update to the test
suite, executed during build.

[ Risks ]
Actual code change is rather small and looks reasonable.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable
      Version in unstable is 10-1, uploaded 2025-11-01

[ Changes ]
Only change is the upstream commit that fixes the issue. All
the details are in the patch.

[ Other info ]
Nothing worth mentioning.

Cheers,

    Christoph

diff -Nru luksmeta-9/debian/changelog luksmeta-9/debian/changelog
--- luksmeta-9/debian/changelog	2022-12-25 21:30:44.000000000 +0100
+++ luksmeta-9/debian/changelog	2025-11-01 19:15:26.000000000 +0100
@@ -1,3 +1,10 @@
+luksmeta (9-4+deb12u1) bookworm; urgency=high
+
+  * Cherry-pick "Fix handling of large metadata". Closes: #111828
+    [CVE-2025-11568]
+
+ -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de>  Sat, 01 Nov 2025 19:15:26 +0100
+
 luksmeta (9-4) unstable; urgency=medium
 
   * Replace patches with version from upstream
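
Review bot: The bug number in "Closes: #111828" has six digits, while this request is itself filed as #1119910, so the reference looks one digit short; the same six-digit number is repeated in the Bug-Debian header of the added patch. Please check it against the bug that tracks CVE-2025-11568 before upload, since a wrong Closes entry would close an unrelated report when the package is accepted.
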
diff -Nru luksmeta-9/debian/patches/1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch luksmeta-9/debian/patches/1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch
--- luksmeta-9/debian/patches/1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch	1970-01-01 01:00:00.000000000 +0100
+++ luksmeta-9/debian/patches/1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch	2025-11-01 19:08:41.000000000 +0100
@@ -0,0 +1,82 @@
+Subject: Fix handling of large metadata
+ID: CVE-2025-11568
+Origin: upstream, commit v9-9-g0179988 <https://github.com/latchset/luksmeta/commit/v9-9-g0179988>
+Author: Sergio Correia <scorreia@redhat.com>
+Date: Wed Oct 22 15:58:01 2025 +0100
+Bug-Debian: https://bugs.debian.org/111828
+
+    Prevent metadata from being written beyond the gap between the LUKS
+    header and encrypted data. The overflow check now correctly validates
+    that the end position of new metadata does not exceed the hard limit,
+    preventing corruption of encrypted data.
+
+    Also add upfront size validation to reject metadata larger than the
+    total available space.
+
+    Fix: CVE-2025-11568
+
+    Signed-off-by: Sergio Correia <scorreia@redhat.com>
+
+--- a/libluksmeta.c
++++ b/libluksmeta.c
+@@ -69,8 +69,12 @@
+ }
+ 
+ static inline bool
+-overlap(const lm_t *lm, uint32_t start, size_t end)
++overlap(const lm_t *lm, uint32_t start, size_t end, uint32_t hard_limit)
+ {
++    /* Make sure the data fits the available area in the gap. */
++    if (end > hard_limit)
++        return true;
++
+     for (int i = 0; i < LUKS_NSLOTS; i++) {
+         const lm_slot_t *s = &lm->slots[i];
+         uint32_t e = s->offset + s->length;
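
Review bot: In overlap(), the new hard_limit parameter is declared uint32_t while end is size_t, so the bound is only as wide as 32 bits even though the value it is compared against can be wider. The caller builds it as "lm->slots[0].offset + length", and the unchanged line "uint32_t e = s->offset + s->length;" just below does the same kind of 32-bit sum; if those operands are 32-bit, a sum that wraps yields a limit smaller than intended (safe but surprising) or a slot end that compares too low. Consider taking hard_limit as size_t and computing both sums in a wider type, and state in the comment that the limit is exclusive, since "end > hard_limit" accepts end == hard_limit.
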
+@@ -90,8 +94,13 @@
+ {
+     size = ALIGN(size, true);
+ 
++    /* Make sure the data is not larger than the total available
++     * area in the gap. */
++    if (length < size)
++        return 0;
++
+     for (uint32_t off = ALIGN(1, true); off < length; off += ALIGN(1, true)) {
+-        if (!overlap(lm, off, off + size))
++        if (!overlap(lm, off, off + size, lm->slots[0].offset + length))
+             return off;
+     }
+ 
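
Review bot: The new "if (length < size)" check runs after "size = ALIGN(size, true);", so it validates the rounded value rather than the size the caller passed in; if ALIGN rounds up by adding to size, a value within one alignment unit of the size_t maximum would wrap to a small number before it is compared. Checking the unaligned size against length first, or rejecting a size whose aligned value is smaller than the original, closes that gap. It would also help to say in the comment why "lm->slots[0].offset + length" is the correct end of the gap, in particular what slots[0].offset holds when slot 0 is unused, because the bound silently depends on it.
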
+--- a/test-luksmeta
++++ b/test-luksmeta
+@@ -3,9 +3,12 @@
+ trap 'exit' ERR
+ 
+ export tmp=`mktemp /tmp/luksmeta.XXXXXXXXXX`
++export tmpdata=`mktemp /tmp/luksmeta.XXXXXXXXXX`
++
+ 
+ function onexit() {
+     rm -f $tmp
++    rm -f "${tmpdata}"
+ }
+ 
+ trap 'onexit' EXIT
+@@ -56,3 +59,16 @@
+ test "`./luksmeta load -s 0 -d $tmp`" == "hi"
+ ./luksmeta init -n -f -d $tmp
+ ! ./luksmeta load -s 0 -d $tmp
++
++# CVE-2025-11568 - test attempt to store extremely large amount of data in a slot.
++./luksmeta init -f -d "${tmp}"
++dd bs=1024k count=1 </dev/zero >"${tmpdata}"
++! ./luksmeta save -s 1 -u 23149359-1b61-4803-b818-774ab730fbec -d "${tmp}" < "${tmpdata}"
++
++# Additional test for CVE-2025-11568 boundary conditions.
++# Verify overflow protection with multiple existing slots at various offsets.
++./luksmeta init -f -d "${tmp}"
++echo "a" | ./luksmeta save -s 0 -u 11111111-1111-1111-1111-111111111111 -d "${tmp}"
++echo "b" | ./luksmeta save -s 1 -u 22222222-2222-2222-2222-222222222222 -d "${tmp}"
++dd bs=1024 count=900 </dev/zero >"${tmpdata}"
++! ./luksmeta save -s 2 -u 33333333-3333-3333-3333-333333333333 -d "${tmp}" < "${tmpdata}"
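
Review bot: The two new negative checks use "! ./luksmeta save ...", and the script relies on "trap 'exit' ERR" to stop on failure; bash does not run the ERR trap for a command whose status is inverted with "!", so the 1 MiB case on the "-s 1" line cannot fail the test run even if the save unexpectedly succeeds. Only the final "-s 2" line can, and only because it is the last command and so sets the script's exit status. An explicit form such as "if ./luksmeta save ... ; then exit 1; fi" would make both checks effective. After a rejected save it would also be worth asserting that the slots written just before (0 and 1 in the second case) still load "a" and "b", since the point of the fix is that existing data is left intact.
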
diff -Nru luksmeta-9/debian/patches/series luksmeta-9/debian/patches/series
--- luksmeta-9/debian/patches/series	2022-12-25 21:30:44.000000000 +0100
+++ luksmeta-9/debian/patches/series	2025-11-01 19:07:35.000000000 +0100
@@ -6,3 +6,4 @@
 local.test-luksmeta.patch
 local.dont-fail-tests-for-disabled-module-load.patch
 local.use-asciidoctor-to-build-manpages.patch
+1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch
