Package: rtl-433 Version: 25.02-1 Severity: important Tags: patch
According to <URL:https://security-tracker.debian.org/tracker/CVE-2025-34450 > there is a security vulnerability with parsing large raw RF input data, as described in <URL: https://github.com/merbanan/rtl_433/issues/3375 >. A fix has been included upstream in <URL:https://github.com/dd32/rtl_433/commit/25e47f8932f0401392ef1d3c8cc9ed5595bc894a > and is already included in unstable and testing. But the issue is also in Debian Trixie/stable and should perhaps be fixed there too? This is the upstream patch used: commit 25e47f8932f0401392ef1d3c8cc9ed5595bc894a Author: Christian W. Zuckschwerdt <[email protected]> Date: Wed Oct 8 10:11:15 2025 +0200 Fix overflow in rfraw test data parsing (closes #3375) diff --git a/src/rfraw.c b/src/rfraw.c index 9f4c9780..71a1c365 100644 --- a/src/rfraw.c +++ b/src/rfraw.c @@ -159,9 +159,14 @@ static bool parse_rfraw(pulse_data_t *data, char const **p) data->num_pulses++; pulse_needed = true; } + // abort reading if the pulse data array is full + if (data->num_pulses >= PD_MAX_PULSES) { + break; + } } //data->gap[data->num_pulses - 1] = 3000; // TODO: extend last gap? + // expand reapeats as long as the pulse data array has enough space unsigned pkt_pulses = data->num_pulses - prev_pulses; for (int i = 1; i < repeats && data->num_pulses + pkt_pulses <= PD_MAX_PULSES; ++i) { memcpy(&data->pulse[data->num_pulses], &data->pulse[prev_pulses], pkt_pulses * sizeof (*data->pulse)); -- Happy hacking Petter Reinholdtsen
