Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:direwolf
User: [email protected]
Usertags: pu

Hello!

Please allow direwolf/1.7+dfsg-2+deb13u1 to be uploaded.

[ Reason ]
This version of Direwolf has one CVE filed against it currently, CVE-2025-34457. Due to the relatively niche nature of the software, this is not worthy of a DSA but fixing it is desirable nonetheless.

[ Impact ]
Users are currently vulnerable to a DoS through this software.

[ Tests ]
On my Trixie workstation, the package has shown no regressions with this patch.

[ Risks ]
I don't expect anything to break; the code changes are minor and only truncate incoming data to lengths defined in the specification. Valid communication is unaffected.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in stable
[X] the issue is verified as fixed in unstable

[ Changes ]
The commit containing specific changes from upstream has been backported to unstable as 1.8.1+dfsg-2 and this stable release.

[ Other info ]
As this is my first stable update, I have not uploaded to stable yet. Lintian shows it as NMU as I have used my debian.org email which was not in the stable upload.

diff -Nru direwolf-1.7+dfsg/debian/changelog direwolf-1.7+dfsg/debian/changelog --- direwolf-1.7+dfsg/debian/changelog 2023-11-23 15:19:26.000000000 +0000 +++ direwolf-1.7+dfsg/debian/changelog 2025-12-29 15:58:09.000000000 +0000 @@ -1,3 +1,10 @@ +direwolf (1.7+dfsg-2+deb13u1) trixie; urgency=medium + + * Backport patch 0004-Resolve-CVE-2025-34457.patch from unstable + - Fixes CVE-2025-34457 KISS Stack Buffer Overflow + + -- Dave Hibberd <[email protected]> Mon, 29 Dec 2025 15:58:09 +0000 + direwolf (1.7+dfsg-2) unstable; urgency=medium * Move 99-direwolf-cmedia.rules to /usr/lib/udev/rules.d/. diff -Nru direwolf-1.7+dfsg/debian/patches/0004-Resolve-CVE-2025-34457.patch direwolf-1.7+dfsg/debian/patches/0004-Resolve-CVE-2025-34457.patch --- direwolf-1.7+dfsg/debian/patches/0004-Resolve-CVE-2025-34457.patch 1970-01-01 01:00:00.000000000 +0100 +++ direwolf-1.7+dfsg/debian/patches/0004-Resolve-CVE-2025-34457.patch 2025-12-29 15:51:46.000000000 +0000 
@@ -0,0 +1,74 @@ +From: Dave Hibberd <[email protected]> +Date: Wed, 24 Dec 2025 17:33:03 +0000 +Subject: Resolve CVE-2025-34457 + +--- + +diff --git a/src/kiss_frame.c b/src/kiss_frame.c +index 65a0942..d644ff2 100644 +--- a/src/kiss_frame.c ++++ b/src/kiss_frame.c +@@ -251,10 +251,12 @@ int kiss_encapsulate (unsigned char *in, int ilen, unsigned char *out) + * + * Inputs: out - Where to put the resulting frame without + * the escapes or FEND. ++ * Storage must be at least as long as input. ++ * Output can never be longer than input. + * First byte is the "type indicator" with type and + * channel but we don't care about that here. + * We treat it like any other byte with special handling +- * if it happens to be FESC. ++ * if it happens to be one of the escaped characters. + * Note that this is "binary" data and can contain + * nul (0x00) values. Don't treat it like a text string! + * +@@ -280,7 +282,7 @@ int kiss_unwrap (unsigned char *in, int ilen, unsigned char *out) + } + + if (in[ilen-1] == FEND) { +- ilen--; /* Don't try to process below. */ ++ ilen--; /* Remove FEND from he end. */ + } + else { + text_color_set(DW_COLOR_ERROR); +@@ -342,6 +344,8 @@ int kiss_unwrap (unsigned char *in, int ilen, unsigned char *out) + * + * Inputs: kf - Current state of building a frame. + * ch - A byte from the input stream. ++ * Note that it can be any value 0-255. ++ * This is binary data, not a nul terminated string. + * debug - Activates debug output. + * kps - KISS TCP port status block. + * NULL for pseudo terminal and serial port. +@@ -442,8 +446,9 @@ void kiss_rec_byte (kiss_frame_t *kf, unsigned char ch, int debug, + + + if (ch == FEND) { +- +- unsigned char unwrapped[AX25_MAX_PACKET_LEN]; ++ // Unwrapped result can't be longer than received encoded KISS. ++ // kf->kiss_msg is MAX_KISS_LEN so that is enough for here. ++ unsigned char unwrapped[MAX_KISS_LEN]; + int ulen; + + /* End of frame. 
*/ +@@ -482,12 +487,17 @@ void kiss_rec_byte (kiss_frame_t *kf, unsigned char ch, int debug, + return; + } + +- if (kf->kiss_len < MAX_KISS_LEN) { ++ // Issue 617. ++ // In the KS_COLLECTING state, non-FEND bytes were being collected up until ++ // the MAX_KISS_LEN limit, leaving no room for appending the final FEND byte ++ // at the end. By reducing the collection limit by one, there is room for ++ // that final byte. ++ if (kf->kiss_len < MAX_KISS_LEN - 1) { + kf->kiss_msg[kf->kiss_len++] = ch; + } + else { + text_color_set(DW_COLOR_ERROR); +- dw_printf ("KISS message exceeded maximum length.\n"); ++ dw_printf ("KISS message exceeded maximum length. Discarding excess.\n"); + } + return; + break; diff -Nru direwolf-1.7+dfsg/debian/patches/series direwolf-1.7+dfsg/debian/patches/series --- direwolf-1.7+dfsg/debian/patches/series 2023-11-23 13:53:33.000000000 +0000 +++ direwolf-1.7+dfsg/debian/patches/series 2025-12-29 15:35:24.000000000 +0000 @@ -2,3 +2,4 @@ no-install-pdf desktop-main-category lib-udev-rules +0004-Resolve-CVE-2025-34457.patch
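
Review bot: the header of debian/patches/0004-Resolve-CVE-2025-34457.patch carries only From, Date and Subject, with nothing between the Subject and the "---" line. Suggest adding DEP-3 fields (an Origin pointing at the upstream commit, plus a Bug or Bug-Debian reference) and a one-line description of the defect, so the provenance of the backport can be checked from the patch file itself rather than from this request.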
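
Review bot: typo in the replacement comment in the kiss_unwrap hunk (@@ -280,7 +282,7 @@): "Remove FEND from he end." should read "from the end." If the intent is to keep the backport byte-identical to upstream, leave it and fix it upstream first.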
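
Review bot: in the kiss_rec_byte hunk at @@ -442,8 +446,9 @@, the safety of "unsigned char unwrapped[MAX_KISS_LEN];" rests only on the comment-level contract added to kiss_unwrap ("Output can never be longer than input"); the signature kiss_unwrap (unsigned char *in, int ilen, unsigned char *out) still takes no output capacity, so nothing enforces it. Suggest passing the size of out and bounding the write inside kiss_unwrap, or at least checking ulen against sizeof(unwrapped) after the call. It is also worth confirming that whatever consumes unwrapped and ulen further down, which this hunk does not show, no longer assumes the old AX25_MAX_PACKET_LEN bound.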
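
Review bot: the else branch in the @@ -482,12 +487,17 @@ hunk prints "KISS message exceeded maximum length. Discarding excess." on every call once kf->kiss_len reaches MAX_KISS_LEN - 1, and kiss_rec_byte is called once per input byte, so an over-length stream produces one error line per excess byte. Suggest reporting once per frame, for example with a flag that is cleared when the next FEND starts a new frame. The frame is also truncated rather than dropped: the bytes already collected are still unwrapped when the FEND arrives, so consider discarding the whole over-length frame, or document why processing a truncated frame is acceptable.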

