Your message dated Sat, 15 Nov 2025 11:21:45 +0000 with message-id <736c7150dc08501cc89945035c406eaf9688e144.camel@adam-barratt.org.uk> and subject line Closing requests for updates included in 13.2 has caused the Debian Bug report #1119909, regarding trixie-pu: package luksmeta/9-4+deb13u1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1119909: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1119909
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: trixie-pu: package luksmeta/9-4+deb13u1
- From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
- Date: Sun, 2 Nov 2025 11:06:16 +0100
- Message-id: <1762077054@msgid.manchmal.in-ulm.de>
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: luksmeta@packages.debian.org
Control: affects -1 + src:luksmeta
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Fixes CVE-2025-11568: A data corruption vulnerability may lead to a permanent loss of the stored information. This was marked <no-dsa> by the security team, hence going via stable-proposed-updates.

[ Impact ]
(What is the impact for the user if the update isn't approved?)
Loss of (encrypted) data after malicious/stupid usage of the luksmeta program.

[ Tests ]
The fix cherry-picked upstream also contains an update to the test suite, executed during build.

[ Risks ]
Actual code change is rather small and looks reasonable.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issue is verified as fixed in unstable
Version in unstable is 10-1, uploaded 2025-11-01

[ Changes ]
Only change is the upstream commit that fixes the issue. All the details are in the patch.

[ Other info ]
Nothing worth mentioning.

Cheers,
Christoph

diff -Nru luksmeta-9/debian/changelog luksmeta-9/debian/changelog --- luksmeta-9/debian/changelog 2022-12-25 21:30:44.000000000 +0100 +++ luksmeta-9/debian/changelog 2025-11-01 19:15:26.000000000 +0100 
@@ -1,3 +1,10 @@ +luksmeta (9-4+deb13u1) trixie; urgency=high + + * Cherry-pick "Fix handling of large metadata". Closes: #111828 + [CVE-2025-11568] + + -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de> Sat, 01 Nov 2025 19:15:26 +0100 + luksmeta (9-4) unstable; urgency=medium * Replace patches with version from upstream diff -Nru luksmeta-9/debian/patches/1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch luksmeta-9/debian/patches/1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch --- luksmeta-9/debian/patches/1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch 1970-01-01 01:00:00.000000000 +0100 +++ luksmeta-9/debian/patches/1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch 2025-11-01 19:08:41.000000000 +0100 @@ -0,0 +1,82 @@ +Subject: Fix handling of large metadata +ID: CVE-2025-11568 +Origin: upstream, commit v9-9-g0179988 <https://github.com/latchset/luksmeta/commit/v9-9-g0179988> +Author: Sergio Correia <scorreia@redhat.com> +Date: Wed Oct 22 15:58:01 2025 +0100 +Bug-Debian: https://bugs.debian.org/111828 + + Prevent metadata from being written beyond the gap between the LUKS + header and encrypted data. The overflow check now correctly validates + that the end position of new metadata does not exceed the hard limit, + preventing corruption of encrypted data. + + Also add upfront size validation to reject metadata larger than the + total available space. + + Fix: CVE-2025-11568 + + 
Signed-off-by: Sergio Correia <scorreia@redhat.com> + +--- a/libluksmeta.c ++++ b/libluksmeta.c +@@ -69,8 +69,12 @@ + } + + static inline bool +-overlap(const lm_t *lm, uint32_t start, size_t end) ++overlap(const lm_t *lm, uint32_t start, size_t end, uint32_t hard_limit) + { ++ /* Make sure the data fits the available area in the gap. */ ++ if (end > hard_limit) ++ return true; ++ + for (int i = 0; i < LUKS_NSLOTS; i++) { + const lm_slot_t *s = &lm->slots[i]; + uint32_t e = s->offset + s->length; +@@ -90,8 +94,13 @@ + { + size = ALIGN(size, true); + ++ /* Make sure the data is not larger than the total available ++ * area in the gap. */ ++ if (length < size) ++ return 0; ++ + for (uint32_t off = ALIGN(1, true); off < length; off += ALIGN(1, true)) { +- if (!overlap(lm, off, off + size)) ++ if (!overlap(lm, off, off + size, lm->slots[0].offset + length)) + return off; + } + +--- a/test-luksmeta ++++ b/test-luksmeta +@@ -3,9 +3,12 @@ + trap 'exit' ERR + + export tmp=`mktemp /tmp/luksmeta.XXXXXXXXXX` ++export tmpdata=`mktemp /tmp/luksmeta.XXXXXXXXXX` ++ + + function onexit() { + rm -f $tmp ++ rm -f "${tmpdata}" + } + + trap 'onexit' EXIT +@@ -56,3 +59,16 @@ + test "`./luksmeta load -s 0 -d $tmp`" == "hi" + ./luksmeta init -n -f -d $tmp + ! ./luksmeta load -s 0 -d $tmp ++ ++# CVE-2025-11568 - test attempt to store extremely large amount of data in a slot. ++./luksmeta init -f -d "${tmp}" ++dd bs=1024k count=1 </dev/zero >"${tmpdata}" ++! ./luksmeta save -s 1 -u 23149359-1b61-4803-b818-774ab730fbec -d "${tmp}" < "${tmpdata}" ++ ++# Additional test for CVE-2025-11568 boundary conditions. ++# Verify overflow protection with multiple existing slots at various offsets. ++./luksmeta init -f -d "${tmp}" ++echo "a" | ./luksmeta save -s 0 -u 11111111-1111-1111-1111-111111111111 -d "${tmp}" ++echo "b" | ./luksmeta save -s 1 -u 22222222-2222-2222-2222-222222222222 -d "${tmp}" ++dd bs=1024 count=900 </dev/zero >"${tmpdata}" ++! 
./luksmeta save -s 2 -u 33333333-3333-3333-3333-333333333333 -d "${tmp}" < "${tmpdata}" diff -Nru luksmeta-9/debian/patches/series luksmeta-9/debian/patches/series --- luksmeta-9/debian/patches/series 2022-12-25 21:30:44.000000000 +0100 +++ luksmeta-9/debian/patches/series 2025-11-01 19:07:35.000000000 +0100 @@ -6,3 +6,4 @@ local.test-luksmeta.patch local.dont-fail-tests-for-disabled-module-load.patch local.use-asciidoctor-to-build-manpages.patch +1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patchAttachment: signature.asc
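Review bot: in the debian/changelog hunk, `Closes: #111828` (and the matching `Bug-Debian: https://bugs.debian.org/111828` header in the new patch file) has six digits, while every other bug number in this thread, including this request's own #1119909, has seven; a mistyped Closes: line leaves the real bug open and marks an unrelated one done, so please confirm the number before upload.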
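Review bot: in the libluksmeta.c hunks, the hard limit handed to overlap() is computed as `lm->slots[0].offset + length`, which ties the end-of-gap bound to whatever slot 0 currently holds; a short comment at the call site stating why slot 0's offset is the base of the gap, and what the bound is when slot 0 is unused, would make the check reviewable, and if `length` is a 32-bit type the addition deserves its own overflow check, because a wrapped limit would silently neutralise the new `if (end > hard_limit)` test. The upfront `if (length < size) return 0;` is a sensible fail-closed guard; a one-line comment that 0 is the caller's "no space" sentinel would document the contract.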
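Review bot: in the test-luksmeta hunks, the two new negative cases write 1024k and 900 KiB of zeros without stating how these sizes relate to the gap on the test image, so the second case only demonstrates the boundary if 900 KiB is known to exceed the space left after slots 0 and 1; a comment recording the assumed gap size would keep the test meaningful if the image layout changes. Minor: the new `export tmpdata=` line is followed by a second blank `+` line, leaving two consecutive blank lines.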
--- End Message ---
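To show the bounds check the cherry-picked patch adds, here is a small C model of the free-slot search (an added example, not luksmeta's own code): `find_slot`, `overlap`, the slot struct, the 4 KiB alignment and the two sample layouts are all constructed assumptions, and `fixed=false` reproduces the pre-fix search that can hand out a region ending past the gap.

```c
/* Constructed model of the luksmeta free-slot search; not the library's
 * own code. Offsets are relative to the start of the gap between the
 * LUKS header and the encrypted payload, and 0 means "no room". */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define NSLOTS   8
#define ALIGN_TO 4096u
#define ALIGN_UP(x) (((x) + ALIGN_TO - 1) / ALIGN_TO * ALIGN_TO)

typedef struct { uint32_t offset, length; } slot_t; /* offset 0: unused */

/* Constructed sample layouts: an empty header and one with two 4 KiB slots. */
const slot_t no_slots[NSLOTS]  = {{0, 0}};
const slot_t two_slots[NSLOTS] = {{4096, 4096}, {8192, 4096}};

/* True when [start, end) collides with a used slot or, when hard_limit is
 * non-zero, runs past the end of the gap (the check CVE-2025-11568 adds). */
static bool overlap(const slot_t *slots, uint32_t start, size_t end,
                    size_t hard_limit)
{
    if (hard_limit != 0 && end > hard_limit)
        return true;
    for (int i = 0; i < NSLOTS; i++) {
        uint32_t s = slots[i].offset, e = s + slots[i].length;
        if (s != 0 && start < e && end > s)
            return true;
    }
    return false;
}

/* Find an aligned offset for `size` bytes inside a gap of `gap` bytes.
 * fixed == false mirrors the pre-fix search: no upfront size check and no
 * hard limit, so the chosen region can extend past the gap into the payload. */
uint32_t find_slot(const slot_t *slots, size_t gap, size_t size, bool fixed)
{
    size = ALIGN_UP(size);
    if (fixed && gap < size)      /* reject data larger than the whole gap */
        return 0;
    for (uint32_t off = ALIGN_TO; off < gap; off += ALIGN_TO) {
        if (!overlap(slots, off, off + size, fixed ? gap : 0))
            return off;
    }
    return 0;
}
```

With a 64 KiB gap, the unfixed search returns offset 12288 for a 60000-byte request even though the region would end at 73728, inside the payload; the fixed search returns 0.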
--- Begin Message ---
- To: 1110859-done@bugs.debian.org, 1111236-done@bugs.debian.org, 1111733-done@bugs.debian.org, 1111734-done@bugs.debian.org, 1111808-done@bugs.debian.org, 1111819-done@bugs.debian.org, 1112097-done@bugs.debian.org, 1112120-done@bugs.debian.org, 1112256-done@bugs.debian.org, 1112261-done@bugs.debian.org, 1112276-done@bugs.debian.org, 1112282-done@bugs.debian.org, 1112283-done@bugs.debian.org, 1112380-done@bugs.debian.org, 1112479-done@bugs.debian.org, 1112557-done@bugs.debian.org, 1112668-done@bugs.debian.org, 1112671-done@bugs.debian.org, 1113711-done@bugs.debian.org, 1113750-done@bugs.debian.org, 1113757-done@bugs.debian.org, 1113761-done@bugs.debian.org, 1113778-done@bugs.debian.org, 1113799-done@bugs.debian.org, 1113804-done@bugs.debian.org, 1113860-done@bugs.debian.org, 1113882-done@bugs.debian.org, 1113902-done@bugs.debian.org, 1113904-done@bugs.debian.org, 1113961-done@bugs.debian.org, 1113979-done@bugs.debian.org, 1114595-done@bugs.debian.org, 1114684-done@bugs.debian.org, 1114755-done@bugs.debian.org, 1114855-done@bugs.debian.org, 1114929-done@bugs.debian.org, 1114979-done@bugs.debian.org, 1115257-done@bugs.debian.org, 1115486-done@bugs.debian.org, 1115530-done@bugs.debian.org, 1115749-done@bugs.debian.org, 1115815-done@bugs.debian.org, 1115860-done@bugs.debian.org, 1115899-done@bugs.debian.org, 1115914-done@bugs.debian.org, 1116012-done@bugs.debian.org, 1116020-done@bugs.debian.org, 1116040-done@bugs.debian.org, 1116053-done@bugs.debian.org, 1116127-done@bugs.debian.org, 1116196-done@bugs.debian.org, 1116201-done@bugs.debian.org, 1116386-done@bugs.debian.org, 1116523-done@bugs.debian.org, 1116526-done@bugs.debian.org, 1116547-done@bugs.debian.org, 1116575-done@bugs.debian.org, 1116665-done@bugs.debian.org, 1116705-done@bugs.debian.org, 1116938-done@bugs.debian.org, 1116945-done@bugs.debian.org, 1116983-done@bugs.debian.org, 1117467-done@bugs.debian.org, 1117469-done@bugs.debian.org, 1117828-done@bugs.debian.org, 1117843-done@bugs.debian.org, 
1117876-done@bugs.debian.org, 1117909-done@bugs.debian.org, 1118008-done@bugs.debian.org, 1118037-done@bugs.debian.org, 1118047-done@bugs.debian.org, 1118228-done@bugs.debian.org, 1118374-done@bugs.debian.org, 1118434-done@bugs.debian.org, 1118443-done@bugs.debian.org, 1118458-done@bugs.debian.org, 1118547-done@bugs.debian.org, 1118657-done@bugs.debian.org, 1118663-done@bugs.debian.org, 1118673-done@bugs.debian.org, 1118674-done@bugs.debian.org, 1118737-done@bugs.debian.org, 1119085-done@bugs.debian.org, 1119088-done@bugs.debian.org, 1119115-done@bugs.debian.org, 1119136-done@bugs.debian.org, 1119142-done@bugs.debian.org, 1119256-done@bugs.debian.org, 1119286-done@bugs.debian.org, 1119287-done@bugs.debian.org, 1119288-done@bugs.debian.org, 1119291-done@bugs.debian.org, 1119301-done@bugs.debian.org, 1119303-done@bugs.debian.org, 1119719-done@bugs.debian.org, 1119798-done@bugs.debian.org, 1119854-done@bugs.debian.org, 1119909-done@bugs.debian.org, 1120048-done@bugs.debian.org, 1120050-done@bugs.debian.org, 1120054-done@bugs.debian.org, 1120125-done@bugs.debian.org, 1120129-done@bugs.debian.org, 1120143-done@bugs.debian.org, 1120145-done@bugs.debian.org, 1120148-done@bugs.debian.org, 1120151-done@bugs.debian.org, 1120262-done@bugs.debian.org, 1120278-done@bugs.debian.org, 1120289-done@bugs.debian.org, 1120325-done@bugs.debian.org, 1120345-done@bugs.debian.org, 1120350-done@bugs.debian.org, 1120358-done@bugs.debian.org, 1120360-done@bugs.debian.org, 1120445-done@bugs.debian.org
- Subject: Closing requests for updates included in 13.2
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 15 Nov 2025 11:21:45 +0000
- Message-id: <736c7150dc08501cc89945035c406eaf9688e144.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 13.2

Hi,

The updates referenced in each of these bugs were included in today's 13.2 trixie point release.

Regards,

Adam
--- End Message ---