Source: node-public-encrypt Version: 4.0.3-1 Severity: serious Justification: FTBFS Tags: bookworm ftbfs
(Please provide enough information to help the release team to judge the request efficiently. E.g. by filling in the sections below.) [ Reason ] (Explain what the reason for the (old-)stable update is. I.e. what is the bug, when was it introduced, is this a regression with respect to the previous (old-)stable.) The bug is introduced in Nodejs v18.20.4+dfsg-1~deb12u1 by the security fix for CVE-2023-46809<https://security-tracker.debian.org/tracker/CVE-2023-46809>, which removed support for RSA_PKCS1_PADDING for private decryption. This is a regression compared to the previous Nodejs v18.19.0+dfsg-6~deb12u2, where the padding was allowed. Node-public-encrypt is failing to build with the newer nodejs version. Log: ``` node:internal/crypto/cipher:80 return method(data, format, type, passphrase, buffer, padding, oaepHash, ^ TypeError: RSA_PKCS1_PADDING is no longer supported for private decryption, this can be reverted with --security-revert=CVE-2023-46809 at Object.privateDecrypt (node:internal/crypto/cipher:80:12) at Test.<anonymous> (/<<PKGBUILDDIR>>/test/index.js:56:25) at Test.bound [as _cb] (/usr/share/nodejs/tape/lib/test.js:95:17) at Test.run (/usr/share/nodejs/tape/lib/test.js:115:28) at Test.bound [as run] (/usr/share/nodejs/tape/lib/test.js:95:17) at Test._end (/usr/share/nodejs/tape/lib/test.js:218:5) at Test.bound [as _end] (/usr/share/nodejs/tape/lib/test.js:95:17) at Test.<anonymous> (/usr/share/nodejs/tape/lib/test.js:217:34) at Test.emit (node:events:517:28) at Test.bound [as emit] (/usr/share/nodejs/tape/lib/test.js:95:17) { code: 'ERR_INVALID_ARG_VALUE' } Node.js v18.20.4 dh_auto_test: error: /bin/sh -ex debian/tests/pkg-js/test returned exit code 1 make: *** [debian/rules:8: binary] Error 25 ``` [ Impact ] (What is the impact for the user if the update isn't approved?) The ratt test fails to build node‑public-encrypt, it indicates that the changes to RSA_PKCS1_PADDING in newer Nodejs version are causing failures. In our case, the failure isn’t just about decryption errors at runtime, it prevents the entire test suite (and thus the build process) from completing. [ Tests ] (What automated or manual tests cover the affected code?) In node‑public-encrypt, the automated test suite (invoked via npm run test or through autopkgtest) is affected, the test causing failure is test/index.js. In Nodejs, the ratt test to build node‑public-encrypt is impacted. [ Risks ] (Discussion of the risks involved. E.g. code is trivial or complex, alternatives available.) Without this update, our test would fail in Nodejs versions that no longer support RSA_PKCS1_PADDING padding for private decryption. This inconsistency can lead to build failures (e.g., ratt test failures) and runtime errors. [ Checklist ] [*] *all* changes are documented in the d/changelog [*] I reviewed all changes and I approve them [ ] attach debdiff against the package in (old)stable [ ] the issue is verified as fixed in unstable [ Changes ] (Explain *all* the changes) I have submitted my proposed changes for your review. Please take a moment to look them over, https://salsa.debian.org/js-team/node-public-encrypt/-/merge_requests/1 The try/catch block now checks for PKCS1 padding when private decryption is attempted. This prevents the test from failing on Nodejs newer versions where this behavior has been removed due to security fix for CVE-2023-46809<https://security-tracker.debian.org/tracker/CVE-2023-46809>. [ Other info ] (Anything else the release team should know.) The npm run test and autopkgtest are passing successfully for node-public-encrypt on both older(18.19.0+dfsg-6~deb12u2) and newer(18.20.4+dfsg-1~deb12u1) Nodejs versions. Syeda Shagufta Naaz
