Hi,

On Sun, Aug 31, 2025 at 11:27:12PM +0200, Alois Schlögl wrote:
> Attached are patches to fix a number of security vulnerabilities in biosig
> 3.9.0 [1,2]. The numbers indicate the last 20 patches from upstream [3,4].
> Only those patches relevant for these CVEs are discussed here:
>
> The patches 0005 - 0009 are fixing:
> CVE-2025-48005 <https://security-tracker.debian.org/tracker/CVE-2025-48005>
> CVE-2025-52461 <https://security-tracker.debian.org/tracker/CVE-2025-52461>
> CVE-2025-52581 <https://security-tracker.debian.org/tracker/CVE-2025-52581>
> CVE-2025-53518 <https://security-tracker.debian.org/tracker/CVE-2025-53518>
> CVE-2025-53853 <https://security-tracker.debian.org/tracker/CVE-2025-53853>
> CVE-2025-54462 <https://security-tracker.debian.org/tracker/CVE-2025-54462>
>
> Moreover, patches 0010 and 0020 are trying to address all issues in the MFER
> implementation, namely
> CVE-2025-46411 <https://security-tracker.debian.org/tracker/CVE-2025-46411>
> CVE-2025-53511 <https://security-tracker.debian.org/tracker/CVE-2025-53511>
> CVE-2025-53557 <https://security-tracker.debian.org/tracker/CVE-2025-53557>
> CVE-2025-54480 <https://security-tracker.debian.org/tracker/CVE-2025-54480>
> - CVE-2025-54494 <https://security-tracker.debian.org/tracker/CVE-2025-54494>
> (15 CVEs)
>
> However, because of the (large) number of security issues in the
> implementation of the support for the MFER format, further checks might be in
> order.
>
> So, patch 0019 is guarding against unintended use of MFER. It disables
> support for reading MFER and disables a possible attack vector from malicious
> MFER data.
>
> MFER files can be read only when the environment variable
> BIOSIG_MFER_TRUST_INPUT=1
> is set. Those who rely on Biosig supporting MFER can set that flag.
> However, this should only be done when the file comes from a trusted source,
> and it is safe to assume that there is no malicious intent. I'm aware that
> the need to set this flag will come at a cost for those users who rely on
> MFER support. If that is affecting you in a negative way, please get in
> contact with me, so that we can discuss an action plan for how best to address
> this and guarantee that the implementation for MFER support is safe to use
> under all conditions.
>
> Cheers, and stay safe,
>
> Alois
>
>
> P.S.: The attached patches should be sufficient to address Debian bug
> #1112133, and should be sufficient for patching biosig 3.9.0.
> If you use biosig 3.9.1, only patch 0019 (and optionally 0020) are needed.
In my opinion it would be best for unstable/forky to just go to the 3.9.1 +
patches variant.

For trixie and older we marked those issues no-dsa, and if we are confident
enough, batching them in a future point release would be great. But I think
priority should go top-down: get the issues addressed first in unstable/forky,
then down to trixie and bookworm.

Do you agree?

Regards,
Salvatore
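The opt-in gate described in the quoted message (MFER reading is refused unless BIOSIG_MFER_TRUST_INPUT=1 is set) is a pattern worth getting right: the check should accept only the exact value "1", so that an unset, empty, "0" or "yes" value keeps the parser disabled, and in a setuid/setgid binary the variable should be read with glibc's secure_getenv() rather than getenv(), since the environment is then attacker-controlled. The following is an added illustration of that gate, not biosig's own code and not patch 0019; the type and function names (biosig_format, mfer_trust_from_value, biosig_may_parse) and the sample values are hypothetical and constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not biosig code: an opt-in gate of the kind described for
 * BIOSIG_MFER_TRUST_INPUT. Only the exact value "1" opens the gate; unset,
 * empty, "0" or "yes" keep MFER reading disabled. All names are hypothetical. */

enum biosig_format { FORMAT_UNKNOWN = 0, FORMAT_MFER, FORMAT_OTHER };

/* Decide the gate from a raw environment value (NULL when the variable is unset). */
int mfer_trust_from_value(const char *value)
{
    return value != NULL && strcmp(value, "1") == 0;
}

/* Read the gate from the process environment. In a setuid/setgid program
 * prefer glibc's secure_getenv(), which returns NULL when the environment is
 * untrusted; plain getenv() is used here for portability. */
int mfer_trust_from_env(void)
{
    return mfer_trust_from_value(getenv("BIOSIG_MFER_TRUST_INPUT"));
}

/* Hypothetical dispatcher: the MFER branch is reachable only when the gate
 * is open. Returns 1 when the format may be parsed, 0 on refusal; `reason`
 * receives a static string describing the decision. */
int biosig_may_parse(enum biosig_format fmt, int mfer_trusted, const char **reason)
{
    switch (fmt) {
    case FORMAT_MFER:
        if (!mfer_trusted) {
            *reason = "MFER support disabled; set BIOSIG_MFER_TRUST_INPUT=1 for trusted input only";
            return 0;
        }
        *reason = "MFER input explicitly trusted via environment";
        return 1;
    case FORMAT_OTHER:
        *reason = "format not gated";
        return 1;
    default:
        *reason = "unknown format";
        return 0;
    }
}

int main(void)
{
    /* Constructed sample values: every one except "1" must leave the gate closed. */
    const char *samples[] = { NULL, "", "0", "yes", "1" };
    const char *reason;
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("BIOSIG_MFER_TRUST_INPUT=%s -> trusted=%d\n",
               samples[i] ? samples[i] : "(unset)",
               mfer_trust_from_value(samples[i]));
    }

    biosig_may_parse(FORMAT_MFER, mfer_trust_from_env(), &reason);
    printf("MFER with the current environment: %s\n", reason);
    return 0;
}
```

Run it once with the variable unset and once with `BIOSIG_MFER_TRUST_INPUT=1 ./a.out`; only the second run reports the MFER branch as reachable. A gate of this shape is a stop-gap, as the quoted message says: it narrows who is exposed to the MFER parser, it does not fix the parser.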

