• Bug#1109251: /usr/bin/uscan: uscan must not skip OpenPGP check after failed check in previous run

    From Uwe Kleine-König@21:1/5 to All on Mon Jul 14 10:00:01 2025
    Package: devscripts
    Version: 2.25.15
    Severity: serious
    File: /usr/bin/uscan
    X-Debbugs-Cc: [email protected], [email protected]

    Hello,

    the linux-kernel packages suffer from upstream still relying on SHA-1 in
    their OpenPGP keys. This makes uscan fail to provide the orig.tar.xz
    (as expected) when sopv is used to verify the download:

    uwe@taurus:~/debpkg/linux$ uscan --download-current-version
    uscan warn: Using stable remote origin
    Newest version of linux on remote site is 6.16~rc5, specified download version is 6.16~rc5
    No acceptable signatures found
    uscan: error: sopv verify /tmp/tmp.YLvUuQ1SxZ/sig debian/upstream/signing-key.asc subprocess returned exit status 3

    However uscan keeps ../linux-6.16~rc5.tar.xz after that which makes the
    next uscan run succeed even though the signature check didn't pass:

    uwe@taurus:~/debpkg/linux$ uscan --download-current-version
    uscan warn: Using stable remote origin
    Newest version of linux on remote site is 6.16~rc5, specified download version is 6.16~rc5
    uscan warn: File already downloaded, skipping OpenPGP verification
    Successfully repacked ../linux-6.16~rc5.tar.xz as ../linux_6.16~rc5.orig.tar.xz, deleting 28 files from it.

    Without `--skip-signature` this must not happen and the warning isn't
    enough.

    The obvious fixes would be to either put linux-6.16~rc5.tar.xz into a
    tmpfile only (i.e. under a different name) until signature verification
    passed; or to not skip the verification in the 2nd run.

    Best regards
    Uwe

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
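The two fixes proposed in the report (keep the download under a temporary name until the signature check passes, or never treat a file that is merely present as verified) amount to the same invariant: a tarball may only exist under its final name if it once passed verification. The following is an added Python example, not code from uscan or devscripts. The `fetch` and `verify` callbacks are stand-ins for the network download and the `sopv verify` subprocess so the logic runs offline, and `flawed_fetch`, `safe_fetch` and `simulate` are hypothetical names chosen for the illustration.

```python
"""Download-then-verify pattern that never leaves an unverified tarball
under its final name (added example; not uscan's own code)."""
import os
import tempfile
from pathlib import Path
from typing import Callable, Tuple

# Stand-ins for the real pieces: `fetch` writes the download into the given
# path; `verify` returns True iff the detached signature checks out against
# the keyring (what `sopv verify` does for uscan, exit status 0 vs. non-zero).
Fetch = Callable[[Path], None]
Verify = Callable[[Path], bool]


def flawed_fetch(dest: Path, fetch: Fetch, verify: Verify) -> bool:
    """Mirrors the reported behaviour: the file lands under its final name
    before verification, and a later run treats its presence as proof."""
    if dest.exists():
        # "File already downloaded, skipping OpenPGP verification"
        return True
    fetch(dest)
    return verify(dest)  # on failure the unverified file is left behind


def safe_fetch(dest: Path, fetch: Fetch, verify: Verify) -> bool:
    """Download into a temporary name in the same directory, verify, and only
    then rename into place. A failed check deletes the temporary file, so a
    file under `dest` exists only if it once passed verification, which makes
    the 'already downloaded' shortcut sound."""
    if dest.exists():
        return True  # presence now implies a past successful check
    fd, tmp_name = tempfile.mkstemp(
        prefix=dest.name + ".", suffix=".part", dir=str(dest.parent)
    )
    os.close(fd)
    tmp = Path(tmp_name)
    try:
        fetch(tmp)
        if not verify(tmp):
            return False  # `finally` removes the rejected download
        os.replace(tmp, dest)  # atomic rename on the same filesystem
        return True
    finally:
        if tmp.exists():
            tmp.unlink()


def simulate(strategy, signature_ok: bool) -> Tuple[bool, bool, bool]:
    """Run `strategy` twice against a constant verifier and report
    (first run result, file present after first run, second run result)."""
    with tempfile.TemporaryDirectory() as d:
        dest = Path(d) / "linux-6.16~rc5.tar.xz"  # name taken from the report

        def fetch(p: Path) -> None:
            p.write_bytes(b"constructed tarball bytes")  # constructed payload

        def verify(p: Path) -> bool:
            return signature_ok  # False models "No acceptable signatures found"

        first = strategy(dest, fetch, verify)
        kept = dest.exists()
        second = strategy(dest, fetch, verify)
        return first, kept, second


if __name__ == "__main__":
    # Bad signature: the flawed flow rejects once, then silently accepts.
    print("flawed:", simulate(flawed_fetch, signature_ok=False))
    # The safe flow leaves nothing behind and re-checks on every run.
    print("safe:  ", simulate(safe_fetch, signature_ok=False))
```

With a failing signature the flawed flow returns `(False, True, True)`: the second run "succeeds" exactly as in the report. The safe flow returns `(False, False, False)`, and with a good signature both flows return `(True, True, True)`, so the change costs nothing in the normal case.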
  • From Holger Levsen@21:1/5 to All on Mon Jul 14 10:50:01 2025
    control: severity -1 important
    thanks

    On Mon, Jul 14, 2025 at 09:52:41AM +0200, Uwe Kleine-König wrote:
    > However uscan keeps ../linux-6.16~rc5.tar.xz after that which makes the
    > next uscan run succeed even though the signature check didn't pass:

    that's obviously very bad but it doesn't make the whole devscripts package seriously
    buggy.


    --
    cheers,
    Holger

    ⢀⣴⠾⠻⢶⣦⠀
    ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
    ⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
    ⠈⠳⣄

    Hope isn't a plan, but it's a hell of a drug.

  • From Salvatore Bonaccorso@21:1/5 to All on Fri Aug 1 07:50:01 2025
    Control: retitle: -1 uscan: CVE-2025-8454: uscan must not skip OpenPGP check after failed check in previous run

    Hi Uwe,

    On Mon, Jul 14, 2025 at 09:52:41AM +0200, Uwe Kleine-König wrote:
    > Package: devscripts
    > Version: 2.25.15
    > Severity: serious
    > File: /usr/bin/uscan
    > X-Debbugs-Cc: [email protected], [email protected]
    >
    > Hello,
    >
    > the linux-kernel packages suffer from upstream still relying on SHA-1 in
    > their OpenPGP keys. This makes uscan fail to provide the orig.tar.xz
    > (as expected) when sopv is used to verify the download:
    >
    > uwe@taurus:~/debpkg/linux$ uscan --download-current-version
    > uscan warn: Using stable remote origin
    > Newest version of linux on remote site is 6.16~rc5, specified download version is 6.16~rc5
    > No acceptable signatures found
    > uscan: error: sopv verify /tmp/tmp.YLvUuQ1SxZ/sig debian/upstream/signing-key.asc subprocess returned exit status 3
    >
    > However uscan keeps ../linux-6.16~rc5.tar.xz after that which makes the
    > next uscan run succeed even though the signature check didn't pass:
    >
    > uwe@taurus:~/debpkg/linux$ uscan --download-current-version
    > uscan warn: Using stable remote origin
    > Newest version of linux on remote site is 6.16~rc5, specified download version is 6.16~rc5
    > uscan warn: File already downloaded, skipping OpenPGP verification
    > Successfully repacked ../linux-6.16~rc5.tar.xz as ../linux_6.16~rc5.orig.tar.xz, deleting 28 files from it.
    >
    > Without `--skip-signature` this must not happen and the warning isn't
    > enough.
    >
    > The obvious fixes would be to either put linux-6.16~rc5.tar.xz into a
    > tmpfile only (i.e. under a different name) until signature verification
    > passed; or to not skip the verification in the 2nd run.

    CVE-2025-8454 is assigned for this issue.

    Regards,
    Salvatore
