Version in base suite: 1.7+dfsg-2

Base version: direwolf_1.7+dfsg-2
Target version: direwolf_1.7+dfsg-2+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/d/direwolf/direwolf_1.7+dfsg-2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/d/direwolf/direwolf_1.7+dfsg-2+deb13u1.dsc

 changelog                                 |    8 +++
 patches/0004-Resolve-CVE-2025-34457.patch |   74 ++++++++++++++++++++++++++++++
 patches/series                            |    1 
 3 files changed, 83 insertions(+)

dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpd5caiga2/direwolf_1.7+dfsg-2.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpd5caiga2/direwolf_1.7+dfsg-2+deb13u1.dsc: no acceptable signature found
diff -Nru direwolf-1.7+dfsg/debian/changelog direwolf-1.7+dfsg/debian/changelog
--- direwolf-1.7+dfsg/debian/changelog	2023-11-23 15:19:26.000000000 +0000
+++ direwolf-1.7+dfsg/debian/changelog	2025-12-29 15:58:09.000000000 +0000
@@ -1,3 +1,11 @@
+direwolf (1.7+dfsg-2+deb13u1) trixie; urgency=medium
+
+  * Backport patch 0004-Resolve-CVE-2025-34457.patch from unstable
+    - Fixes CVE-2025-34457 KISS Stack Buffer Overflow
+  * Closes: #1123925
+
+ -- Dave Hibberd <hibby@debian.org>  Mon, 29 Dec 2025 15:58:09 +0000
+
 direwolf (1.7+dfsg-2) unstable; urgency=medium
 
   * Move 99-direwolf-cmedia.rules to /usr/lib/udev/rules.d/.
diff -Nru direwolf-1.7+dfsg/debian/patches/0004-Resolve-CVE-2025-34457.patch direwolf-1.7+dfsg/debian/patches/0004-Resolve-CVE-2025-34457.patch
--- direwolf-1.7+dfsg/debian/patches/0004-Resolve-CVE-2025-34457.patch	1970-01-01 00:00:00.000000000 +0000
+++ direwolf-1.7+dfsg/debian/patches/0004-Resolve-CVE-2025-34457.patch	2025-12-29 15:51:46.000000000 +0000
@@ -0,0 +1,74 @@
+From: Dave Hibberd <hibby@debian.org>
+Date: Wed, 24 Dec 2025 17:33:03 +0000
+Subject: Resolve CVE-2025-34457
+
+---
+
+diff --git a/src/kiss_frame.c b/src/kiss_frame.c
+index 65a0942..d644ff2 100644
+--- a/src/kiss_frame.c
++++ b/src/kiss_frame.c
+@@ -251,10 +251,12 @@ int kiss_encapsulate (unsigned char *in, int ilen, unsigned char *out)
+  *
+  * Inputs:	out	- Where to put the resulting frame without
+  *			  the escapes or FEND.
++ *			  Storage must be at least as long as input.
++ *			  Output can never be longer than input.
+  *			  First byte is the "type indicator" with type and 
+  *			  channel but we don't care about that here.
+  *			  We treat it like any other byte with special handling
+- *			  if it happens to be FESC.
++ *			  if it happens to be one of the escaped characters.
+  *			  Note that this is "binary" data and can contain
+  *			  nul (0x00) values.   Don't treat it like a text string!
+  *
+@@ -280,7 +282,7 @@ int kiss_unwrap (unsigned char *in, int ilen, unsigned char *out)
+ 	}
+ 
+ 	if (in[ilen-1] == FEND) {
+-	  ilen--;	/* Don't try to process below. */
++	  ilen--;	/* Remove FEND from he end. */
+ 	}
+ 	else {
+ 	  text_color_set(DW_COLOR_ERROR);
+@@ -342,6 +344,8 @@ int kiss_unwrap (unsigned char *in, int ilen, unsigned char *out)
+  *
+  * Inputs:	kf	- Current state of building a frame.
+  *		ch	- A byte from the input stream.
++ *			  Note that it can be any value 0-255.
++ *			  This is binary data, not a nul terminated string.
+  *		debug	- Activates debug output.
+  *		kps	- KISS TCP port status block.
+  *			  NULL for pseudo terminal and serial port.
+@@ -442,8 +446,9 @@ void kiss_rec_byte (kiss_frame_t *kf, unsigned char ch, int debug,
+ 
+      
+ 	    if (ch == FEND) {
+-	      
+-	      unsigned char unwrapped[AX25_MAX_PACKET_LEN];
++	      // Unwrapped result can't be longer than received encoded KISS.
++	      //  kf->kiss_msg is MAX_KISS_LEN so that is enough for here.    
++	      unsigned char unwrapped[MAX_KISS_LEN];
+ 	      int ulen;
+ 
+ 	      /* End of frame. */
+@@ -482,12 +487,17 @@ void kiss_rec_byte (kiss_frame_t *kf, unsigned char ch, int debug,
+ 	      return;
+ 	    }
+ 
+-	    if (kf->kiss_len < MAX_KISS_LEN) {
++	    // Issue 617.
++	    // In the KS_COLLECTING state, non-FEND bytes were being collected up until
++	    // the MAX_KISS_LEN limit, leaving no room for appending the final FEND byte
++	    // at the end. By reducing the collection limit by one, there is room for
++	    // that final byte. 
++	    if (kf->kiss_len < MAX_KISS_LEN - 1) {
+ 	      kf->kiss_msg[kf->kiss_len++] = ch;
+ 	    }
+ 	    else {	    
+ 	      text_color_set(DW_COLOR_ERROR);
+-	      dw_printf ("KISS message exceeded maximum length.\n");
++	      dw_printf ("KISS message exceeded maximum length.  Discarding excess.\n");
+ 	    }	      
+ 	    return;
+ 	    break;
diff -Nru direwolf-1.7+dfsg/debian/patches/series direwolf-1.7+dfsg/debian/patches/series
--- direwolf-1.7+dfsg/debian/patches/series	2023-11-23 13:53:33.000000000 +0000
+++ direwolf-1.7+dfsg/debian/patches/series	2025-12-29 15:35:24.000000000 +0000
@@ -2,3 +2,4 @@
 no-install-pdf
 desktop-main-category
 lib-udev-rules
+0004-Resolve-CVE-2025-34457.patch