Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:wolfssl
User: [email protected]
Usertags: pu
[ Reason ]
Fix for CVE-2025-7394. The Security Team does not support wolfssl officially.

[ Impact ]
Users are vulnerable to CVE-2025-7394.

[ Tests ]
None.

[ Risks ]
Trivial code change by upstream.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Additional random reseed.

[ Other info ]
I have NMUed the package to fix this.
diff -Nru wolfssl-5.5.4/debian/changelog wolfssl-5.5.4/debian/changelog --- wolfssl-5.5.4/debian/changelog 2023-10-23 19:46:16.000000000 +0200 +++ wolfssl-5.5.4/debian/changelog 2025-08-11 10:16:46.000000000 +0200 @@ -1,3 +1,10 @@ +wolfssl (5.5.4-2+deb12u2) bookworm; urgency=medium + + * Stable update to address the following vulnerabilities: + - Fix CVE-2025-7394. (Closes: #1109549) + + -- Bastian Germann <[email protected]> Mon, 11 Aug 2025 10:16:46 +0200 + wolfssl (5.5.4-2+deb12u1) bookworm; urgency=medium * Stable update to address the following vulnerabilities: diff -Nru wolfssl-5.5.4/debian/patches/CVE-2025-7394.patch wolfssl-5.5.4/debian/patches/CVE-2025-7394.patch --- wolfssl-5.5.4/debian/patches/CVE-2025-7394.patch 1970-01-01 01:00:00.000000000 +0100 +++ wolfssl-5.5.4/debian/patches/CVE-2025-7394.patch 2025-08-04 17:57:05.000000000 +0200 
@@ -0,0 +1,42 @@ +From 0c12337194ee6dd082f082f0ccaed27fc4ee44f5 Mon Sep 17 00:00:00 2001 +From: Josh Holtrop <[email protected]> +Date: Thu, 5 Jun 2025 19:48:34 -0400 +Subject: [PATCH] Reseed DRBG in RAND_poll() + +--- + src/ssl.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/src/ssl.c b/src/ssl.c +index 80e55cf865..26c6c9fe67 100644 +--- a/src/ssl.c ++++ b/src/ssl.c +@@ -26041,11 +26041,25 @@ int wolfSSL_RAND_poll(void) + return WOLFSSL_FAILURE; + } + ret = wc_GenerateSeed(&globalRNG.seed, entropy, entropy_sz); +- if (ret != 0){ ++ if (ret != 0) { + WOLFSSL_MSG("Bad wc_RNG_GenerateBlock"); + ret = WOLFSSL_FAILURE; +- }else +- ret = WOLFSSL_SUCCESS; ++ } ++ else { ++#ifdef HAVE_HASHDRBG ++ ret = wc_RNG_DRBG_Reseed(&globalRNG, entropy, entropy_sz); ++ if (ret != 0) { ++ WOLFSSL_MSG("Error reseeding DRBG"); ++ ret = WOLFSSL_FAILURE; ++ } ++ else { ++ ret = WOLFSSL_SUCCESS; ++ } ++#else ++ WOLFSSL_MSG("RAND_poll called with HAVE_HASHDRBG not set"); ++ ret = WOLFSSL_FAILURE; ++#endif ++ } + + return ret; + } diff -Nru wolfssl-5.5.4/debian/patches/series wolfssl-5.5.4/debian/patches/series --- wolfssl-5.5.4/debian/patches/series 2023-10-23 19:46:16.000000000 +0200 +++ wolfssl-5.5.4/debian/patches/series 2025-08-11 10:15:23.000000000 +0200 @@ -5,3 +5,4 @@ disable-crl-monitor.patch disable-jobserver.patch cve-2023-3724.patch +CVE-2025-7394.patch
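Review bot: the changelog entry `- Fix CVE-2025-7394. (Closes: #1109549)` in the debian/changelog hunk gives only the CVE id; stable-update entries normally carry a one-line description so a user reading the changelog knows what was fixed without looking the id up. The upstream patch subject included in this debdiff already provides it, e.g. `- Fix CVE-2025-7394: reseed the DRBG in wolfSSL_RAND_poll(). (Closes: #1109549)`.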
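Review bot: in the src/ssl.c hunk of the new CVE-2025-7394.patch, the added `#else` branch makes wolfSSL_RAND_poll() return WOLFSSL_FAILURE on a build without HAVE_HASHDRBG even after wc_GenerateSeed() has succeeded, where the removed `-}else` / `-    ret = WOLFSSL_SUCCESS;` lines returned success; that is a behaviour change for such builds, and since the request lists no tests it would help to state in the changelog or this report that the bookworm build defines HAVE_HASHDRBG, so that the wc_RNG_DRBG_Reseed() path is the one actually compiled and the fix is effective rather than a silent failure. Two smaller points in the same hunk: the context line `WOLFSSL_MSG("Bad wc_RNG_GenerateBlock");` is reached on a wc_GenerateSeed() failure and names the wrong function, which is worth correcting while the surrounding lines are being touched; and the patch header carries only the git From/Date/Subject lines, so adding a DEP-3 `Origin:` line with the upstream commit URL and a `Bug-Debian:` line for #1109549 would make the patch's provenance visible from debian/patches/ alone.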
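Review bot: the debian/patches/series hunk adds `+CVE-2025-7394.patch` in uppercase next to the existing lowercase `cve-2023-3724.patch`; quilt does not care, but keeping a single naming convention in debian/patches/ avoids confusion when the next CVE patch is added.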

