On Sat, Dec 20, 2025 at 02:35:36PM +0100, Holger Levsen wrote: > [ Checklist ] > [ ] *all* changes are documented in the d/changelog > [ ] I reviewed all changes and I approve them > [ ] attach debdiff against the package in (old)stable debdiff attached now. I plan to upload this within the next few days, so that then binNMUs can be scheduled, probably in 2025 still. -- cheers, Holger ⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org ⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C ⠈⠳⣄ Hope isn't a plan, but it's a hell of a drug.
diff -Nru rust-sequoia-openpgp-2.0.0/debian/changelog rust-sequoia-openpgp-2.0.0/debian/changelog
--- rust-sequoia-openpgp-2.0.0/debian/changelog 2025-04-14 21:49:23.000000000 +0200
+++ rust-sequoia-openpgp-2.0.0/debian/changelog 2025-12-22 16:27:34.000000000 +0100
@@ -1,3 +1,11 @@
+rust-sequoia-openpgp (2.0.0-2+deb13u1) trixie; urgency=medium
+
+ * Add upstream commit b59886e5 (via debian/patches, edited to apply cleanly)
+ to fix an underflow in aes_key_unwrap / CVE-2025-67897 to prevent DOS
+ (crash) via special crafted encrypted messages. Closes: #1122582.
+
+ -- Holger Levsen <holger@debian.org> Mon, 22 Dec 2025 16:27:34 +0100
+
rust-sequoia-openpgp (2.0.0-2) unstable; urgency=medium
* Team upload.
diff -Nru rust-sequoia-openpgp-2.0.0/debian/patches/0001-openpgp-Fix-an-underflow-in-aes_key_unwrap.patch rust-sequoia-openpgp-2.0.0/debian/patches/0001-openpgp-Fix-an-underflow-in-aes_key_unwrap.patch
--- rust-sequoia-openpgp-2.0.0/debian/patches/0001-openpgp-Fix-an-underflow-in-aes_key_unwrap.patch 1970-01-01 01:00:00.000000000 +0100
+++ rust-sequoia-openpgp-2.0.0/debian/patches/0001-openpgp-Fix-an-underflow-in-aes_key_unwrap.patch 2025-12-22 16:27:34.000000000 +0100
@@ -0,0 +1,98 @@
+From b59886e5e7bdf7169ed330f309a6633d131776e5 Mon Sep 17 00:00:00 2001
+From: "Neal H. Walfield" <neal@sequoia-pgp.org>
+Date: Fri, 7 Nov 2025 14:50:42 +0100
+Subject: [PATCH] openpgp: Fix an underflow in aes_key_unwrap.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+ - The `aes_key_unwrap` function would panic if passed a ciphertext
+ that was too short. In a debug build, it would panic due to a
+ subtraction underflow. In a release build, it would use the small
+ negative quantity to allocate a vector. Since the allocator
+ expects an unsigned quantity, the negative value would be
+ interpreted as a huge allocation. The allocator would then fail
+ to allocate the memory and panic.
+
+ An attacker could trigger this panic by sending a victim an
+ encrypted message whose PKESK or SKESK packet has been specially
+ modified. When the victim decrypts the message, the program would
+ crash.
+
+ - Fix it.
+
+ - Reported-by: Jan Różański.
+---
+
+diff --git a/src/crypto/ecdh.rs b/src/crypto/ecdh.rs
+index 26404ae9..a7e779fa 100644
+--- a/src/crypto/ecdh.rs
++++ b/src/crypto/ecdh.rs
+@@ -326,6 +326,11 @@ pub fn aes_key_unwrap(algo: SymmetricAlgorithm, key: &Protected,
+ // Inputs: Ciphertext, (n+1) 64-bit values {C0, C1, ..., Cn}, and
+ // Key, K (the KEK).
+ // Outputs: Plaintext, n 64-bit values {P1, P2, ..., Pn}.
++ if ciphertext.len() < 16 {
++ return Err(Error::InvalidArgument(
++ "Ciphertext must be at least 16 bytes".into()).into());
++ }
++
+ let n = ciphertext.len() / 8 - 1;
+ let mut plaintext = Vec::with_capacity(ciphertext.len() - 8);
+
+@@ -590,4 +595,52 @@ mod tests {
+
+ Ok(())
+ }
++
++ #[test]
++ fn aes_key_unwrap_underflow() {
++ // The `aes_key_unwrap` function would panic if passed a
++ // ciphertext that was too short. In a debug build, it would
++ // panic due to a subtraction underflow. In a release build,
++ // it would use the small negative quantity to allocate a
++ // vector. Since the allocator expects an unsigned quantity,
++ // the negative value would be interpreted as a huge
++ // allocation. The allocator would then fail to allocate the
++ // memory and panic.
++ //
++ // The aes_key_unwrap function would panic if passed a
++ // ciphertext that was too short. In a debug build, it would
++ // panic due to a subtraction underflow. In a release build,
++ // it would use the wrapped negative quantity to allocate a
++ // vector. Since the wrapped value is huge, it would fail to
++ // allocate the memory and panic.
++ //
++ // This test checks that short ciphertexts fail with an error
++ // and don't panic.
++
++ use crate::fmt::hex;
++
++ let key = hex::decode("c733a461b6bc6d2d15b3ac95cd02c102")
++ .expect("valid hex");
++ let key = Protected::from(key);
++
++ let ciphertext = hex::decode("\
++54a1b6d2e41fd30b34c83fc384996f7a\
++ca6904149310621e45ad14bd370a6cad\
++72d0a11048adddc856fa57e0240cd2ea")
++ .expect("valid hex");
++
++ let algo = SymmetricAlgorithm::AES128;
++
++ // Yes, this key really decryptes this cipher text.
++ assert!(aes_key_unwrap(algo.clone(), &key, &ciphertext).is_ok());
++
++ for i in 0..ciphertext.len() - 1 {
++ if let Err(err) = aes_key_unwrap(algo.clone(), &key, &ciphertext[..i]) {
++ eprintln!("{}: {}", i, err);
++ } else {
++ panic!("Expected failure for {} bytes of ciphertext, but succeeded",
++ i);
++ }
++ }
++ }
+ }
+--
+2.47.3
+
diff -Nru rust-sequoia-openpgp-2.0.0/debian/patches/series rust-sequoia-openpgp-2.0.0/debian/patches/series
--- rust-sequoia-openpgp-2.0.0/debian/patches/series 2025-04-14 21:49:23.000000000 +0200
+++ rust-sequoia-openpgp-2.0.0/debian/patches/series 2025-12-22 16:27:34.000000000 +0100
@@ -1,3 +1,4 @@
cleanup-deps.patch
drop-experimental-and-variable-time-crypto-backends.patch
simplify-base64.patch
+0001-openpgp-Fix-an-underflow-in-aes_key_unwrap.patch
Attachment:
signature.asc
Description: PGP signature