Your message dated Sat, 10 Jan 2026 11:59:46 +0000
with message-id <[email protected]>
and subject line Released with 12.13
has caused the Debian Bug report #1119910,
regarding bookworm-pu: package luksmeta/9-4+deb12u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1119910: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1119910
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:luksmeta
Note: With the version number as an exception, debdiff and this text are
identical to the request for Debian 13 ("trixie") you should have
received a few moments ago. Both stable and oldstable have currently the
same version of luksmeta (9-4).
[ Reason ]
Fixes CVE-2025-11568: A data corruption vulnerability may lead to a
permanent loss of the stored information.
This was marked <no-dsa> by the security team, hence going via
stable-proposed-updates.
[ Impact ]
(What is the impact for the user if the update isn't approved?)
Loss of (encrypted) data after malicious/stupd usage of the luksmeta
program.
[ Tests ]
The fix cherry-picked upstream also contains an update to the test
suite, executed during build.
[ Risks ]
Actual code change is rather small and looks reasonable.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in oldstable
[x] the issue is verified as fixed in unstable
Version in unstable is 10-1, uploaded 2025-11-01
[ Changes ]
Only change is the upstream commit that fixes the issue. All
the details are in the patch.
[ Other info ]
Nothing worth mentioning.
Cheers,
Christoph
diff -Nru luksmeta-9/debian/changelog luksmeta-9/debian/changelog
--- luksmeta-9/debian/changelog 2022-12-25 21:30:44.000000000 +0100
+++ luksmeta-9/debian/changelog 2025-11-01 19:15:26.000000000 +0100
@@ -1,3 +1,10 @@
+luksmeta (9-4+deb12u1) bookworm; urgency=high
+
+ * Cherry-pick "Fix handling of large metadata". Closes: #111828
+ [CVE-2025-11568]
+
+ -- Christoph Biedl <[email protected]> Sat, 01 Nov 2025
19:15:26 +0100
+
luksmeta (9-4) unstable; urgency=medium
* Replace patches with version from upstream
diff -Nru
luksmeta-9/debian/patches/1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch
luksmeta-9/debian/patches/1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch
---
luksmeta-9/debian/patches/1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch
1970-01-01 01:00:00.000000000 +0100
+++
luksmeta-9/debian/patches/1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch
2025-11-01 19:08:41.000000000 +0100
@@ -0,0 +1,82 @@
+Subject: Fix handling of large metadata
+ID: CVE-2025-11568
+Origin: upstream, commit v9-9-g0179988
<https://github.com/latchset/luksmeta/commit/v9-9-g0179988>
+Author: Sergio Correia <[email protected]>
+Date: Wed Oct 22 15:58:01 2025 +0100
+Bug-Debian: https://bugs.debian.org/111828
+
+ Prevent metadata from being written beyond the gap between the LUKS
+ header and encrypted data. The overflow check now correctly validates
+ that the end position of new metadata does not exceed the hard limit,
+ preventing corruption of encrypted data.
+
+ Also add upfront size validation to reject metadata larger than the
+ total available space.
+
+ Fix: CVE-2025-11568
+
+ Signed-off-by: Sergio Correia <[email protected]>
+
+--- a/libluksmeta.c
++++ b/libluksmeta.c
+@@ -69,8 +69,12 @@
+ }
+
+ static inline bool
+-overlap(const lm_t *lm, uint32_t start, size_t end)
++overlap(const lm_t *lm, uint32_t start, size_t end, uint32_t hard_limit)
+ {
++ /* Make sure the data fits the available area in the gap. */
++ if (end > hard_limit)
++ return true;
++
+ for (int i = 0; i < LUKS_NSLOTS; i++) {
+ const lm_slot_t *s = &lm->slots[i];
+ uint32_t e = s->offset + s->length;
+@@ -90,8 +94,13 @@
+ {
+ size = ALIGN(size, true);
+
++ /* Make sure the data is not larger than the total available
++ * area in the gap. */
++ if (length < size)
++ return 0;
++
+ for (uint32_t off = ALIGN(1, true); off < length; off += ALIGN(1, true)) {
+- if (!overlap(lm, off, off + size))
++ if (!overlap(lm, off, off + size, lm->slots[0].offset + length))
+ return off;
+ }
+
+--- a/test-luksmeta
++++ b/test-luksmeta
+@@ -3,9 +3,12 @@
+ trap 'exit' ERR
+
+ export tmp=`mktemp /tmp/luksmeta.XXXXXXXXXX`
++export tmpdata=`mktemp /tmp/luksmeta.XXXXXXXXXX`
++
+
+ function onexit() {
+ rm -f $tmp
++ rm -f "${tmpdata}"
+ }
+
+ trap 'onexit' EXIT
+@@ -56,3 +59,16 @@
+ test "`./luksmeta load -s 0 -d $tmp`" == "hi"
+ ./luksmeta init -n -f -d $tmp
+ ! ./luksmeta load -s 0 -d $tmp
++
++# CVE-2025-11568 - test attempt to store extremely large amount of data in a
slot.
++./luksmeta init -f -d "${tmp}"
++dd bs=1024k count=1 </dev/zero >"${tmpdata}"
++! ./luksmeta save -s 1 -u 23149359-1b61-4803-b818-774ab730fbec -d "${tmp}" <
"${tmpdata}"
++
++# Additional test for CVE-2025-11568 boundary conditions.
++# Verify overflow protection with multiple existing slots at various offsets.
++./luksmeta init -f -d "${tmp}"
++echo "a" | ./luksmeta save -s 0 -u 11111111-1111-1111-1111-111111111111 -d
"${tmp}"
++echo "b" | ./luksmeta save -s 1 -u 22222222-2222-2222-2222-222222222222 -d
"${tmp}"
++dd bs=1024 count=900 </dev/zero >"${tmpdata}"
++! ./luksmeta save -s 2 -u 33333333-3333-3333-3333-333333333333 -d "${tmp}" <
"${tmpdata}"
diff -Nru luksmeta-9/debian/patches/series luksmeta-9/debian/patches/series
--- luksmeta-9/debian/patches/series 2022-12-25 21:30:44.000000000 +0100
+++ luksmeta-9/debian/patches/series 2025-11-01 19:07:35.000000000 +0100
@@ -6,3 +6,4 @@
local.test-luksmeta.patch
local.dont-fail-tests-for-disabled-module-load.patch
local.use-asciidoctor-to-build-manpages.patch
+1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Package: release.debian.org\nVersion: 12.13\n\nThis update has been released as
part of Debian 12.13.
--- End Message ---
