Package: release.debian.org
Severity: normal
Tags: bookworm
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:luksmeta

Note: With the version number as an exception, debdiff and this text are
identical to the request for Debian 13 ("trixie") you should have
received a few moments ago. Both stable and oldstable currently have the
same version of luksmeta (9-4).
[ Reason ]
Fixes CVE-2025-11568: A data corruption vulnerability may lead to a
permanent loss of the stored information.
This was marked <no-dsa> by the security team, hence going via
stable-proposed-updates.
[ Impact ]
(What is the impact for the user if the update isn't approved?)
Loss of (encrypted) data after malicious/stupid usage of the luksmeta
program.
[ Tests ]
The fix cherry-picked upstream also contains an update to the test
suite, executed during build.
[ Risks ]
Actual code change is rather small and looks reasonable.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in oldstable
[x] the issue is verified as fixed in unstable
Version in unstable is 10-1, uploaded 2025-11-01
[ Changes ]
Only change is the upstream commit that fixes the issue. All
the details are in the patch.
[ Other info ]
Nothing worth mentioning.
Cheers,
Christoph
diff -Nru luksmeta-9/debian/changelog luksmeta-9/debian/changelog --- luksmeta-9/debian/changelog 2022-12-25 21:30:44.000000000 +0100 +++ luksmeta-9/debian/changelog 2025-11-01 19:15:26.000000000 +0100 @@ -1,3 +1,10 @@ +luksmeta (9-4+deb12u1) bookworm; urgency=high + + * Cherry-pick "Fix handling of large metadata". Closes: #111828 + [CVE-2025-11568] + + -- Christoph Biedl <[email protected]> Sat, 01 Nov 2025 19:15:26 +0100 + luksmeta (9-4) unstable; urgency=medium * Replace patches with version from upstream diff -Nru luksmeta-9/debian/patches/1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch luksmeta-9/debian/patches/1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch --- luksmeta-9/debian/patches/1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch 1970-01-01 01:00:00.000000000 +0100 +++ luksmeta-9/debian/patches/1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch 2025-11-01 19:08:41.000000000 +0100 @@ -0,0 +1,82 @@ +Subject: Fix handling of large metadata +ID: CVE-2025-11568 +Origin: upstream, commit v9-9-g0179988 <https://github.com/latchset/luksmeta/commit/v9-9-g0179988> +Author: Sergio Correia <[email protected]> +Date: Wed Oct 22 15:58:01 2025 +0100 +Bug-Debian: https://bugs.debian.org/111828 + + Prevent metadata from being written beyond the gap between the LUKS + header and encrypted data. The overflow check now correctly validates + that the end position of new metadata does not exceed the hard limit, + preventing corruption of encrypted data. + + Also add upfront size validation to reject metadata larger than the + total available space. + + Fix: CVE-2025-11568 + + 
Signed-off-by: Sergio Correia <[email protected]> + +--- a/libluksmeta.c ++++ b/libluksmeta.c +@@ -69,8 +69,12 @@ + } + + static inline bool +-overlap(const lm_t *lm, uint32_t start, size_t end) ++overlap(const lm_t *lm, uint32_t start, size_t end, uint32_t hard_limit) + { ++ /* Make sure the data fits the available area in the gap. */ ++ if (end > hard_limit) ++ return true; ++ + for (int i = 0; i < LUKS_NSLOTS; i++) { + const lm_slot_t *s = &lm->slots[i]; + uint32_t e = s->offset + s->length; +@@ -90,8 +94,13 @@ + { + size = ALIGN(size, true); + ++ /* Make sure the data is not larger than the total available ++ * area in the gap. */ ++ if (length < size) ++ return 0; ++ + for (uint32_t off = ALIGN(1, true); off < length; off += ALIGN(1, true)) { +- if (!overlap(lm, off, off + size)) ++ if (!overlap(lm, off, off + size, lm->slots[0].offset + length)) + return off; + } + +--- a/test-luksmeta ++++ b/test-luksmeta +@@ -3,9 +3,12 @@ + trap 'exit' ERR + + export tmp=`mktemp /tmp/luksmeta.XXXXXXXXXX` ++export tmpdata=`mktemp /tmp/luksmeta.XXXXXXXXXX` ++ + + function onexit() { + rm -f $tmp ++ rm -f "${tmpdata}" + } + + trap 'onexit' EXIT +@@ -56,3 +59,16 @@ + test "`./luksmeta load -s 0 -d $tmp`" == "hi" + ./luksmeta init -n -f -d $tmp + ! ./luksmeta load -s 0 -d $tmp ++ ++# CVE-2025-11568 - test attempt to store extremely large amount of data in a slot. ++./luksmeta init -f -d "${tmp}" ++dd bs=1024k count=1 </dev/zero >"${tmpdata}" ++! ./luksmeta save -s 1 -u 23149359-1b61-4803-b818-774ab730fbec -d "${tmp}" < "${tmpdata}" ++ ++# Additional test for CVE-2025-11568 boundary conditions. ++# Verify overflow protection with multiple existing slots at various offsets. ++./luksmeta init -f -d "${tmp}" ++echo "a" | ./luksmeta save -s 0 -u 11111111-1111-1111-1111-111111111111 -d "${tmp}" ++echo "b" | ./luksmeta save -s 1 -u 22222222-2222-2222-2222-222222222222 -d "${tmp}" ++dd bs=1024 count=900 </dev/zero >"${tmpdata}" ++! 
./luksmeta save -s 2 -u 33333333-3333-3333-3333-333333333333 -d "${tmp}" < "${tmpdata}" diff -Nru luksmeta-9/debian/patches/series luksmeta-9/debian/patches/series --- luksmeta-9/debian/patches/series 2022-12-25 21:30:44.000000000 +0100 +++ luksmeta-9/debian/patches/series 2025-11-01 19:07:35.000000000 +0100 @@ -6,3 +6,4 @@ local.test-luksmeta.patch local.dont-fail-tests-for-disabled-module-load.patch local.use-asciidoctor-to-build-manpages.patch +1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch
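Review bot: In the debian/changelog hunk, `Closes: #111828` (and the matching `Bug-Debian: https://bugs.debian.org/111828` in the patch header) is a six-digit bug number on an upload dated 2025. Please confirm it against the BTS before uploading, since a mistyped number here would act on an unrelated report when the package is accepted.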
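Review bot: In the libluksmeta.c hunk at @@ -90,8 +94,13 @@, the hard limit is passed as `lm->slots[0].offset + length`, so the bound that overlap() enforces moves with whatever slot 0 currently holds, and nothing in the hunk says why slot 0's offset is the base of the gap. If `off` and `end` share the same origin as `length`, the limit should be `length` alone; if they do not, a comment stating the origin is needed. Either way, compute the value once before the loop into a named local and make sure the addition cannot wrap before it is narrowed to the `uint32_t hard_limit` parameter.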
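Review bot: In the test-luksmeta hunk at @@ -56,3 +59,16 @@, the first new negative check `! ./luksmeta save -s 1 ...` cannot fail the run: the script relies on `trap 'exit' ERR`, and bash does not fire the ERR trap for a command whose status is inverted with `!`, so only the status of the script's final line reaches the caller. Writing both checks as `if ./luksmeta save ...; then exit 1; fi` makes an unexpected success fatal. The second case should also verify, after the rejected save, that slots 0 and 1 still load "a" and "b", because a non-zero exit alone does not show that nothing was written.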

