
   Message 27,043 of 28,835   
   Jochen Sprickerhof to All   
   Bug#1127607: bookworm-pu: package erlang   
   10 Feb 26 11:50:01   
   
   XPost: linux.debian.devel.release   
   From: jspricke@debian.org   
      
   This is a multi-part MIME message sent by reportbug.   
      
      
   Package: release.debian.org   
   Severity: normal   
   Tags: bookworm   
   X-Debbugs-Cc: erlang@packages.debian.org, Sergei Golovan , Bastien Roucaries    
   Control: affects -1 + src:erlang   
   User: release.debian.org@packages.debian.org   
   Usertags: pu   
      
   [ Reason ]   
   There have been several CVEs published for the Erlang programming   
   language that have been flagged as no-DSA affecting the ssh server   
   implementation.   
      
   [ Impact ]   
   Mostly denial of service attacks.   
      
   [ Tests ]   
   Manually tested.   
      
   [ Risks ]   
   Low risk, given that those implementations are niche and the patches   
   mostly add safeguards.   
      
   [ Checklist ]   
     [X] *all* changes are documented in the d/changelog   
     [X] I reviewed all changes and I approve them   
     [X] attach debdiff against the package in (old)stable   
     [X] the issue is verified as fixed in unstable   
      
   [ Other info ]   
   @Sergei as with #1127606 (trixie) please write if you disagree.   
      
   diff --git a/debian/changelog b/debian/changelog   
   index 6738cb3c3a..b6b3272c74 100644   
   --- a/debian/changelog   
   +++ b/debian/changelog   
   @@ -1,3 +1,20 @@   
   +erlang (1:25.2.3+dfsg-1+deb12u4) bookworm; urgency=medium   
   +   
   +  * Non-maintainer upload.   
   +  * Fix CVE-2025-48038: allocation of resources without limits or throttling   
   +    vulnerability in the ssh_sftp module allows excessive allocation,   
   +    resource leak exposure (closes: #1115093).   
   +  * Fix CVE-2025-48039: allocation of resources without limits or throttling   
   +    vulnerability in the ssh_sftp module allows excessive allocation,   
   +    resource leak exposure (closes: #1115092).   
   +  * Fix CVE-2025-48040: uncontrolled resource consumption vulnerability in   
   +    the ssh_sftp module allows excessive allocation, flooding (closes:   
   1115091).   
   +  * Fix CVE-2025-48041: allocation of resources without limits or throttling   
   +    vulnerability in the ssh_sftp module allows excessive allocation,   
   +    flooding (closes: #1115090).   
   +   
   + -- Jochen Sprickerhof   Thu, 15 Jan 2026 10:56:30 +0100   
   +   
    erlang (1:25.2.3+dfsg-1+deb12u3) bookworm-proposed-updates; urgency=medium   
      
      * Fix FTBFS with newer xsltproc.   
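Review bot: all four changelog entries name the "ssh_sftp module", but the patches in this debdiff touch lib/ssh/src/ssh_sftpd.erl, which is the SFTP server; in OTP, ssh_sftp is the client module, so the entries should say ssh_sftpd (matching the "[ Reason ]" text, which says the ssh server implementation is affected). A second documentation point: the four descriptions are near-identical CVE titles and do not say what each patch changes, while the patch subjects do (file handle size limit for CVE-2025-48038, path size limit for CVE-2025-48039); a few words per entry, e.g. "reject SFTP file handles longer than 256 bytes", would make the release team's review faster.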
   diff --git a/debian/gbp.conf b/debian/gbp.conf   
   new file mode 100644   
   index 0000000000..cec628c744   
   --- /dev/null   
   +++ b/debian/gbp.conf   
   @@ -0,0 +1,2 @@   
   +[DEFAULT]   
   +pristine-tar = True   
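Review bot: debian/gbp.conf is a new packaging file unrelated to the four CVE fixes and is not mentioned in the changelog entry, although the checklist states that all changes are documented in d/changelog; for a stable update either drop it from the debdiff or add a changelog line for it so the release team does not have to guess why it is there.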
   diff --git a/debian/patches/CVE-2025-48038.patch b/debian/patche   
   /CVE-2025-48038.patch   
   new file mode 100644   
   index 0000000000..800160e857   
   --- /dev/null   
   +++ b/debian/patches/CVE-2025-48038.patch   
   @@ -0,0 +1,34 @@   
   +From: Jakub Witczak    
   +Date: Wed, 27 Aug 2025 17:49:08 +0200   
   +Subject: ssh: verify file handle size limit for client data   
   +   
   +- reject handles exceeding 256 bytes (as specified for SFTP)   
   +   
   +Origin: https://github.com/erlang/otp/commit/f09e0201ff701993dc   
   4a08f15e524daf72db42f   
   +Bug-Debian-Security: https://security-tracker.debian.org/tracke   
   /CVE-2025-48038   
   +---   
   + lib/ssh/src/ssh_sftpd.erl | 11 +++++++++++   
   + 1 file changed, 11 insertions(+)   
   +   
   +diff --git a/lib/ssh/src/ssh_sftpd.erl b/lib/ssh/src/ssh_sftpd.erl   
   +index 6bcad0d..cd24c3e 100644   
   +--- a/lib/ssh/src/ssh_sftpd.erl   
   ++++ b/lib/ssh/src/ssh_sftpd.erl   
   +@@ -222,6 +222,17 @@ handle_data(Type, ChannelId, Data0, State =   
   #state{pending = Pending}) ->   
   +             handle_data(Type, ChannelId, Data, State#state{pending = <<>>})   
   +     end.   
   +   
   ++%% From draft-ietf-secsh-filexfer-02 "The file handle strings MUST NOT be   
   longer than 256 bytes."   
   ++handle_op(Request, ReqId, <>, State = #state{xf =   
   XF})   
   ++  when (Request == ?SSH_FXP_CLOSE orelse   
   ++        Request == ?SSH_FXP_FSETSTAT orelse   
   ++        Request == ?SSH_FXP_FSTAT orelse   
   ++        Request == ?SSH_FXP_READ orelse   
   ++        Request == ?SSH_FXP_READDIR orelse   
   ++        Request == ?SSH_FXP_WRITE),   
   ++       HLen > 256 ->   
   ++    ssh_xfer:xf_send_status(XF, ReqId, ?SSH_FX_INVALID_HANDLE, "Invalid   
   handle"),   
   ++    State;   
   + handle_op(?SSH_FXP_INIT, Version, B, State) when is_binary(B) ->   
   +     XF = State#state.xf,   
   +     Vsn = lists:min([XF#ssh_xfer.vsn, Version]),   
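Review bot: the debdiff shown so far does not include the debian/patches/series change that applies this new patch; the message is continued elsewhere, so confirm the series entry is present, otherwise the patch ships in the source package but is never applied at build time. On the clause itself: it is placed ahead of the ?SSH_FXP_INIT clause and guards on the six handle-carrying requests, replying with ?SSH_FX_INVALID_HANDLE and returning State unchanged, which matches the draft-ietf-secsh-filexfer-02 wording quoted in the comment (a 256-byte handle is still accepted, anything longer is rejected). The DEP-3 header carries Origin and Bug-Debian-Security; adding the Debian bug from the changelog (#1115093) as a Bug-Debian: line would tie the patch to the BTS entry it closes.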
   diff --git a/debian/patches/CVE-2025-48039.patch b/debian/patche   
   /CVE-2025-48039.patch   
   new file mode 100644   
   index 0000000000..a683c023c0   
   --- /dev/null   
   +++ b/debian/patches/CVE-2025-48039.patch   
   @@ -0,0 +1,239 @@   
   +From: Jakub Witczak    
   +Date: Fri, 11 Jul 2025 13:59:41 +0200   
   +Subject: ssh: ssh_sftpd verify path size for client data   
   +   
   +- reject max_path exceeding the 4096 limit or according to other option value   
   +   
   +Origin: https://github.com/erlang/otp/commit/043ee3c943e2977c1a   
   dd740ad13992fd60b6bf0   
   +Bug-Debian-Security: https://security-tracker.debian.org/tracke   
   /CVE-2025-48039   
   +---   
   + lib/ssh/doc/src/ssh_sftpd.xml    |  8 ++++   
   + lib/ssh/src/ssh_sftpd.erl        | 32 +++++++++++++-   
   + lib/ssh/test/ssh_sftpd_SUITE.erl | 90 ++++++++++++++++++++++++   
   +--------------   
   + 3 files changed, 97 insertions(+), 33 deletions(-)   
   +   
   +diff --git a/lib/ssh/doc/src/ssh_sftpd.xml b/lib/ssh/doc/src/ssh_sftpd.xml   
   +index 49a23f4..efabf3f 100644   
   +--- a/lib/ssh/doc/src/ssh_sftpd.xml   
   ++++ b/lib/ssh/doc/src/ssh_sftpd.xml   
   +@@ -65,6 +65,14 @@   
   + 	    If supplied, the number of filenames returned to the SFTP client per   
   READDIR   
   + 	    request is limited to at most the given value.

       +        ++ max_path       ++        ++

The default value is 4096. Positive integer       ++ value represents the maximum path length which cannot be       ++ exceeded in data provided by the SFTP client. (Note:       ++ limitations might be also enforced by underlying operating       ++ system)

       ++
   + root       +   
   
   [continued in next message]   
   
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
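Review bot: the ssh_sftpd.xml text for max_path states the default (4096) and that client-supplied paths may not exceed it, but not which requests are checked or what status the client receives when the limit is hit; the diffstat lists a 32-line change to ssh_sftpd.erl and a 90-line test-suite change that are not in this message, so whoever reviews the continuation should check that the over-limit path is answered with a status reply the same way the handle check is, and that the documentation sentence names that status. Note also that this archive has stripped the XML markup from the ssh_sftpd.xml hunk, so the "++ max_path ++" lines here must be read against the original debdiff rather than as displayed.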
