Your message dated Sat, 15 Nov 2025 11:21:45 +0000
with message-id
<736c7150dc08501cc89945035c406eaf9688e144.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 13.2
has caused the Debian Bug report #1119909,
regarding trixie-pu: package luksmeta/9-4+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1119909: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1119909
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:luksmeta
User: [email protected]
Usertags: pu
[ Reason ]
Fixes CVE-2025-11568: A data corruption vulnerability may lead to a
permanent loss of the stored information.
This was marked <no-dsa> by the security team, hence going via
stable-proposed-updates.
[ Impact ]
(What is the impact for the user if the update isn't approved?)
Loss of (encrypted) data after malicious/stupd usage of the luksmeta
program.
[ Tests ]
The fix cherry-picked upstream also contains an update to the test
suite, executed during build.
[ Risks ]
Actual code change is rather small and looks reasonable.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issue is verified as fixed in unstable
Version in unstable is 10-1, uploaded 2025-11-01
[ Changes ]
Only change is the upstream commit that fixes the issue. All
the details are in the patch.
[ Other info ]
Nothing worth mentioning.
Cheers,
Christoph
diff -Nru luksmeta-9/debian/changelog luksmeta-9/debian/changelog
--- luksmeta-9/debian/changelog 2022-12-25 21:30:44.000000000 +0100
+++ luksmeta-9/debian/changelog 2025-11-01 19:15:26.000000000 +0100
@@ -1,3 +1,10 @@
+luksmeta (9-4+deb13u1) trixie; urgency=high
+
+ * Cherry-pick "Fix handling of large metadata". Closes: #111828
+ [CVE-2025-11568]
+
+ -- Christoph Biedl <[email protected]> Sat, 01 Nov 2025
19:15:26 +0100
+
luksmeta (9-4) unstable; urgency=medium
* Replace patches with version from upstream
diff -Nru
luksmeta-9/debian/patches/1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch
luksmeta-9/debian/patches/1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch
---
luksmeta-9/debian/patches/1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch
1970-01-01 01:00:00.000000000 +0100
+++
luksmeta-9/debian/patches/1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch
2025-11-01 19:08:41.000000000 +0100
@@ -0,0 +1,82 @@
+Subject: Fix handling of large metadata
+ID: CVE-2025-11568
+Origin: upstream, commit v9-9-g0179988
<https://github.com/latchset/luksmeta/commit/v9-9-g0179988>
+Author: Sergio Correia <[email protected]>
+Date: Wed Oct 22 15:58:01 2025 +0100
+Bug-Debian: https://bugs.debian.org/111828
+
+ Prevent metadata from being written beyond the gap between the LUKS
+ header and encrypted data. The overflow check now correctly validates
+ that the end position of new metadata does not exceed the hard limit,
+ preventing corruption of encrypted data.
+
+ Also add upfront size validation to reject metadata larger than the
+ total available space.
+
+ Fix: CVE-2025-11568
+
+ Signed-off-by: Sergio Correia <[email protected]>
+
+--- a/libluksmeta.c
++++ b/libluksmeta.c
+@@ -69,8 +69,12 @@
+ }
+
+ static inline bool
+-overlap(const lm_t *lm, uint32_t start, size_t end)
++overlap(const lm_t *lm, uint32_t start, size_t end, uint32_t hard_limit)
+ {
++ /* Make sure the data fits the available area in the gap. */
++ if (end > hard_limit)
++ return true;
++
+ for (int i = 0; i < LUKS_NSLOTS; i++) {
+ const lm_slot_t *s = &lm->slots[i];
+ uint32_t e = s->offset + s->length;
+@@ -90,8 +94,13 @@
+ {
+ size = ALIGN(size, true);
+
++ /* Make sure the data is not larger than the total available
++ * area in the gap. */
++ if (length < size)
++ return 0;
++
+ for (uint32_t off = ALIGN(1, true); off < length; off += ALIGN(1, true)) {
+- if (!overlap(lm, off, off + size))
++ if (!overlap(lm, off, off + size, lm->slots[0].offset + length))
+ return off;
+ }
+
+--- a/test-luksmeta
++++ b/test-luksmeta
+@@ -3,9 +3,12 @@
+ trap 'exit' ERR
+
+ export tmp=`mktemp /tmp/luksmeta.XXXXXXXXXX`
++export tmpdata=`mktemp /tmp/luksmeta.XXXXXXXXXX`
++
+
+ function onexit() {
+ rm -f $tmp
++ rm -f "${tmpdata}"
+ }
+
+ trap 'onexit' EXIT
+@@ -56,3 +59,16 @@
+ test "`./luksmeta load -s 0 -d $tmp`" == "hi"
+ ./luksmeta init -n -f -d $tmp
+ ! ./luksmeta load -s 0 -d $tmp
++
++# CVE-2025-11568 - test attempt to store extremely large amount of data in a
slot.
++./luksmeta init -f -d "${tmp}"
++dd bs=1024k count=1 </dev/zero >"${tmpdata}"
++! ./luksmeta save -s 1 -u 23149359-1b61-4803-b818-774ab730fbec -d "${tmp}" <
"${tmpdata}"
++
++# Additional test for CVE-2025-11568 boundary conditions.
++# Verify overflow protection with multiple existing slots at various offsets.
++./luksmeta init -f -d "${tmp}"
++echo "a" | ./luksmeta save -s 0 -u 11111111-1111-1111-1111-111111111111 -d
"${tmp}"
++echo "b" | ./luksmeta save -s 1 -u 22222222-2222-2222-2222-222222222222 -d
"${tmp}"
++dd bs=1024 count=900 </dev/zero >"${tmpdata}"
++! ./luksmeta save -s 2 -u 33333333-3333-3333-3333-333333333333 -d "${tmp}" <
"${tmpdata}"
diff -Nru luksmeta-9/debian/patches/series luksmeta-9/debian/patches/series
--- luksmeta-9/debian/patches/series 2022-12-25 21:30:44.000000000 +0100
+++ luksmeta-9/debian/patches/series 2025-11-01 19:07:35.000000000 +0100
@@ -6,3 +6,4 @@
local.test-luksmeta.patch
local.dont-fail-tests-for-disabled-module-load.patch
local.use-asciidoctor-to-build-manpages.patch
+1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.2
Hi,
The updates referenced in each of these bugs were included in today's
13.2 trixie point release.
Regards,
Adam
--- End Message ---
