Your message dated Tue, 27 Jan 2026 00:03:39 +0000
with message-id <[email protected]>
and subject line Bug#1123925: fixed in direwolf 1.7+dfsg-2+deb13u1
has caused the Debian Bug report #1123925,
regarding direwolf: CVE-2025-34457 CVE-2025-34458
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1123925: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123925
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: direwolf
Version: 1.8.1+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for direwolf.

CVE-2025-34457[0]:
| wb2osz/direwolf (Dire Wolf) versions up to and including 1.8, prior
| to commit 694c954, contain a stack-based buffer overflow
| vulnerability in the function kiss_rec_byte() located in
| src/kiss_frame.c. When processing crafted KISS frames that reach the
| maximum allowed frame length (MAX_KISS_LEN), the function appends a
| terminating FEND byte without reserving sufficient space in the
| stack buffer. This results in an out-of-bounds write followed by an
| out-of-bounds read during the subsequent call to kiss_unwrap(),
| leading to stack memory corruption or application crashes. This
| vulnerability may allow remote unauthenticated attackers to trigger
| a denial-of-service condition.

CVE-2025-34458[1]:
| wb2osz/direwolf (Dire Wolf) versions up to and including 1.8, prior
| to commit 3658a87, contain a reachable assertion vulnerability in
| the APRS MIC-E decoder function aprs_mic_e() located in
| src/decode_aprs.c. When processing a specially crafted AX.25 frame
| containing a MIC-E message with an empty or truncated comment field,
| the application triggers an unhandled assertion checking for a non-
| empty comment. This assertion failure causes immediate process
| termination, allowing a remote, unauthenticated attacker to cause a
| denial of service by sending malformed APRS traffic.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-34457
    https://www.cve.org/CVERecord?id=CVE-2025-34457
[1] https://security-tracker.debian.org/tracker/CVE-2025-34458
    https://www.cve.org/CVERecord?id=CVE-2025-34458

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
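The bounds rule behind the CVE-2025-34457 description in the report above, as an added example that is not Dire Wolf's code or the Debian patch: a frame accumulator that always keeps one buffer slot free for the closing FEND. All names (`kiss_acc`, `kiss_acc_byte`, `kiss_try_payload`, `FRAME_MAX`) are hypothetical, `FRAME_MAX` is a small constructed stand-in for `MAX_KISS_LEN`, and KISS escape handling is left out.

```c
#include <stddef.h>

#define FEND 0xC0      /* KISS frame delimiter */
#define FRAME_MAX 16   /* constructed small limit; stands in for MAX_KISS_LEN */

enum { KS_SEARCHING, KS_COLLECTING };

struct kiss_acc { int state; size_t len; unsigned char buf[FRAME_MAX]; };

/* Feed one received byte. Returns the frame length (both FEND delimiters
 * included) when a frame completes, 0 when more input is needed, and -1
 * when an oversized frame is discarded. */
int kiss_acc_byte(struct kiss_acc *a, unsigned char ch)
{
    if (ch == FEND) {
        if (a->state == KS_COLLECTING && a->len > 1) {
            /* A slot was reserved below, so len <= FRAME_MAX - 1 here. */
            a->buf[a->len++] = FEND;
            a->state = KS_SEARCHING;
            return (int)a->len;
        }
        /* Opening delimiter (or repeated FEND): start a fresh frame. */
        a->buf[0] = FEND;
        a->len = 1;
        a->state = KS_COLLECTING;
        return 0;
    }
    if (a->state != KS_COLLECTING)
        return 0;                     /* noise between frames */
    /* Hardened bound: keep one slot free for the closing FEND. Testing only
     * len < FRAME_MAX lets a full frame leave no room for the terminator. */
    if (a->len >= FRAME_MAX - 1) {
        a->state = KS_SEARCHING;      /* drop frame, resync on next FEND */
        a->len = 0;
        return -1;
    }
    a->buf[a->len++] = ch;
    return 0;
}

/* Constructed driver: one frame carrying n payload bytes of 0x41. */
int kiss_try_payload(size_t n)
{
    struct kiss_acc a = {0};
    kiss_acc_byte(&a, FEND);
    for (size_t i = 0; i < n; i++)
        if (kiss_acc_byte(&a, 0x41) < 0)
            return -1;
    return kiss_acc_byte(&a, FEND);
}
```

The largest accepted frame fills the buffer exactly, terminator included; one more payload byte causes the frame to be dropped instead of written past the end.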
--- Begin Message ---
Source: direwolf
Source-Version: 1.7+dfsg-2+deb13u1
Done: Dave Hibberd <[email protected]>

We believe that the bug you reported is fixed in the latest version of
direwolf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dave Hibberd <[email protected]> (supplier of updated direwolf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Mon, 29 Dec 2025 15:58:09 +0000
Source: direwolf
Architecture: source
Version: 1.7+dfsg-2+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Hamradio Maintainers <[email protected]>
Changed-By: Dave Hibberd <[email protected]>
Closes: 1123925
Changes:
direwolf (1.7+dfsg-2+deb13u1) trixie; urgency=medium
.
* Backport patch 0004-Resolve-CVE-2025-34457.patch from unstable
- Fixes CVE-2025-34457 KISS Stack Buffer Overflow
* Closes: #1123925
--- End Message ---