Bug#1125257: trixie-pu: package direwolf/1.7+dfsg-2+deb13u1
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: direwolf@packages.debian.org, hibby@debian.org
Control: affects -1 + src:direwolf
User: release.debian.org@packages.debian.org
Usertags: pu
Hello!
Please allow direwolf/1.7+dfsg-2+deb13u1 to be uploaded.
[ Reason ]
This version of Direwolf has one CVE filed against it currently,
CVE-2025-34457.
Due to the relatively niche nature of the software, this is not worthy of a DSA
but fixing it is desirable nonetheless.
[ Impact ]
Users are currently vulnerable to a DoS through this software.
[ Tests ]
On my Trixie workstation, the package has shown no regressions with this patch.
[ Risks ]
I don't expect anything to break; the code changes are minor and only truncate
incoming data to lengths defined in specification. Valid communication is
unaffected.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in stable
[X] the issue is verified as fixed in unstable
[ Changes ]
The commit containing specific changes from upstream has been backported to
unstable as 1.8.1+dfsg-2 and this stable release.
[ Other info ]
As this is my first stable update, I have not uploaded to stable yet. Lintian
shows it as NMU as I have used my debian.org email which was not in the stable
upload.
diff -Nru direwolf-1.7+dfsg/debian/changelog direwolf-1.7+dfsg/debian/changelog
--- direwolf-1.7+dfsg/debian/changelog 2023-11-23 15:19:26.000000000 +0000
+++ direwolf-1.7+dfsg/debian/changelog 2025-12-29 15:58:09.000000000 +0000
@@ -1,3 +1,10 @@
+direwolf (1.7+dfsg-2+deb13u1) trixie; urgency=medium
+
+ * Backport patch 0004-Resolve-CVE-2025-34457.patch from unstable
+ - Fixes CVE-2025-34457 KISS Stack Buffer Overflow
+
+ -- Dave Hibberd <hibby@debian.org> Mon, 29 Dec 2025 15:58:09 +0000
+
direwolf (1.7+dfsg-2) unstable; urgency=medium
* Move 99-direwolf-cmedia.rules to /usr/lib/udev/rules.d/.
diff -Nru direwolf-1.7+dfsg/debian/patches/0004-Resolve-CVE-2025-34457.patch direwolf-1.7+dfsg/debian/patches/0004-Resolve-CVE-2025-34457.patch
--- direwolf-1.7+dfsg/debian/patches/0004-Resolve-CVE-2025-34457.patch 1970-01-01 01:00:00.000000000 +0100
+++ direwolf-1.7+dfsg/debian/patches/0004-Resolve-CVE-2025-34457.patch 2025-12-29 15:51:46.000000000 +0000
@@ -0,0 +1,74 @@
+From: Dave Hibberd <hibby@debian.org>
+Date: Wed, 24 Dec 2025 17:33:03 +0000
+Subject: Resolve CVE-2025-34457
+
+---
+
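Review bot: The patch header (From/Date/Subject followed by an empty description) carries no Origin or Bug field, although the request describes the change as a commit from upstream. Record the upstream commit and the issue the code comment refers to ("Issue 617") in DEP-3 style headers, and add a one-line description, so the backport can later be compared against its upstream source.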
+diff --git a/src/kiss_frame.c b/src/kiss_frame.c
+index 65a0942..d644ff2 100644
+--- a/src/kiss_frame.c
++++ b/src/kiss_frame.c
+@@ -251,10 +251,12 @@ int kiss_encapsulate (unsigned char *in, int ilen, unsigned char *out)
+ *
+ * Inputs: out - Where to put the resulting frame without
+ * the escapes or FEND.
++ * Storage must be at least as long as input.
++ * Output can never be longer than input.
+ * First byte is the "type indicator" with type and
+ * channel but we don't care about that here.
+ * We treat it like any other byte with special handling
+- * if it happens to be FESC.
++ * if it happens to be one of the escaped characters.
+ * Note that this is "binary" data and can contain
+ * nul (0x00) values. Don't treat it like a text string!
+ *
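Review bot: The two comment lines added for `out` ("Storage must be at least as long as input") state a size requirement that nothing enforces; the kiss_unwrap signature visible in the following hunk header takes `in`, `ilen` and `out` but no output capacity. Consider passing the size of the output buffer and checking it inside kiss_unwrap, so a future caller with a smaller buffer fails cleanly instead of relying on a comment.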
+@@ -280,7 +282,7 @@ int kiss_unwrap (unsigned char *in, int ilen, unsigned char *out)
+ }
+
+ if (in[ilen-1] == FEND) {
+- ilen--; /* Don't try to process below. */
++ ilen--; /* Remove FEND from he end. */
+ }
+ else {
+ text_color_set(DW_COLOR_ERROR);
+@@ -342,6 +344,8 @@ int kiss_unwrap (unsigned char *in, int ilen, unsigned char *out)
+ *
+ * Inputs: kf - Current state of building a frame.
+ * ch - A byte from the input stream.
++ * Note that it can be any value 0-255.
++ * This is binary data, not a nul terminated string.
+ * debug - Activates debug output.
+ * kps - KISS TCP port status block.
+ * NULL for pseudo terminal and serial port.
+@@ -442,8 +446,9 @@ void kiss_rec_byte (kiss_frame_t *kf, unsigned char ch, int debug,
+
+
+ if (ch == FEND) {
+-
+- unsigned char unwrapped[AX25_MAX_PACKET_LEN];
++ // Unwrapped result can't be longer than received encoded KISS.
++ // kf->kiss_msg is MAX_KISS_LEN so that is enough for here.
++ unsigned char unwrapped[MAX_KISS_LEN];
+ int ulen;
+
+ /* End of frame. */
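Review bot: With `unwrapped` enlarged from AX25_MAX_PACKET_LEN to MAX_KISS_LEN, `ulen` can exceed AX25_MAX_PACKET_LEN if MAX_KISS_LEN is the larger of the two, as the change implies, and this hunk shows no check before the unwrapped frame is used. Please confirm that whatever consumes `unwrapped` and `ulen` after this point rejects or truncates frames longer than AX25_MAX_PACKET_LEN; otherwise the oversized data is only moved one step downstream.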
+@@ -482,12 +487,17 @@ void kiss_rec_byte (kiss_frame_t *kf, unsigned char ch, int debug,
+ return;
+ }
+
+- if (kf->kiss_len < MAX_KISS_LEN) {
++ // Issue 617.
++ // In the KS_COLLECTING state, non-FEND bytes were being collected up until
++ // the MAX_KISS_LEN limit, leaving no room for appending the final FEND byte
++ // at the end. By reducing the collection limit by one, there is room for
++ // that final byte.
++ if (kf->kiss_len < MAX_KISS_LEN - 1) {
+ kf->kiss_msg[kf->kiss_len++] = ch;
+ }
+ else {
+ text_color_set(DW_COLOR_ERROR);
+- dw_printf ("KISS message exceeded maximum length.\n");
++ dw_printf ("KISS message exceeded maximum length. Discarding excess.\n");
+ }
+ return;
+ break;
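Review bot: The else branch after `if (kf->kiss_len < MAX_KISS_LEN - 1)` prints the error and returns for every byte past the limit without changing any frame state, so a long run of bytes without FEND produces one log line per excess byte, and as far as these lines show the truncated frame is still handed on when the next FEND arrives. Consider recording the overflow in a flag on the first excess byte, printing once per frame, and discarding the whole frame at FEND instead of processing a truncated one.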
diff -Nru direwolf-1.7+dfsg/debian/patches/series direwolf-1.7+dfsg/debian/patches/series
--- direwolf-1.7+dfsg/debian/patches/series 2023-11-23 13:53:33.000000000 +0000
+++ direwolf-1.7+dfsg/debian/patches/series 2025-12-29 15:35:24.000000000 +0000
@@ -2,3 +2,4 @@
no-install-pdf
desktop-main-category
lib-udev-rules
+0004-Resolve-CVE-2025-34457.patch