Version in base suite: 9-4 Base version: luksmeta_9-4 Target version: luksmeta_9-4+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/l/luksmeta/luksmeta_9-4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/l/luksmeta/luksmeta_9-4+deb13u1.dsc changelog | 7 patches/1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch | 82 ++++++++++ patches/series | 1 3 files changed, 90 insertions(+) gpgv: Signature made Sun Dec 25 22:28:53 2022 UTC gpgv: using RSA key 597308FBBDBA035D8C7C95DDC42C58EB591492FD gpgv: Note: signatures using the SHA1 algorithm are rejected gpgv: Can't check signature: Bad public key dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpj70ffdxg/luksmeta_9-4.dsc: no acceptable signature found gpgv: Signature made Sat Nov 1 20:44:59 2025 UTC gpgv: using RSA key 597308FBBDBA035D8C7C95DDC42C58EB591492FD gpgv: Note: signatures using the SHA1 algorithm are rejected gpgv: Can't check signature: Bad public key dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpj70ffdxg/luksmeta_9-4+deb13u1.dsc: no acceptable signature found
diff -Nru luksmeta-9/debian/changelog luksmeta-9/debian/changelog
--- luksmeta-9/debian/changelog 2022-12-25 20:30:44.000000000 +0000
+++ luksmeta-9/debian/changelog 2025-11-01 18:15:26.000000000 +0000
@@ -1,3 +1,10 @@
+luksmeta (9-4+deb13u1) trixie; urgency=high
+
+ * Cherry-pick "Fix handling of large metadata". Closes: #111828
+ [CVE-2025-11568]
+
+ -- Christoph Biedl Sat, 01 Nov 2025 19:15:26 +0100
+
 luksmeta (9-4) unstable; urgency=medium
 * Replace patches with version from upstream
diff -Nru luksmeta-9/debian/patches/1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch luksmeta-9/debian/patches/1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch
--- luksmeta-9/debian/patches/1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch 1970-01-01 00:00:00.000000000 +0000
+++ luksmeta-9/debian/patches/1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch 2025-11-01 18:08:41.000000000 +0000
@@ -0,0 +1,82 @@
+Subject: Fix handling of large metadata
+ID: CVE-2025-11568
+Origin: upstream, commit v9-9-g0179988
+Author: Sergio Correia
+Date: Wed Oct 22 15:58:01 2025 +0100
+Bug-Debian: https://bugs.debian.org/111828
+
+ Prevent metadata from being written beyond the gap between the LUKS
+ header and encrypted data. The overflow check now correctly validates
+ that the end position of new metadata does not exceed the hard limit,
+ preventing corruption of encrypted data.
+
+ Also add upfront size validation to reject metadata larger than the
+ total available space.
+
+ Fix: CVE-2025-11568
+
+
Signed-off-by: Sergio Correia
+
+--- a/libluksmeta.c
++++ b/libluksmeta.c
+@@ -69,8 +69,12 @@
+ }
+
+ static inline bool
+-overlap(const lm_t *lm, uint32_t start, size_t end)
++overlap(const lm_t *lm, uint32_t start, size_t end, uint32_t hard_limit)
+ {
++ /* Make sure the data fits the available area in the gap. */
++ if (end > hard_limit)
++ return true;
++
+ for (int i = 0; i < LUKS_NSLOTS; i++) {
+ const lm_slot_t *s = &lm->slots[i];
+ uint32_t e = s->offset + s->length;
+@@ -90,8 +94,13 @@
+ {
+ size = ALIGN(size, true);
+
++ /* Make sure the data is not larger than the total available
++ * area in the gap. */
++ if (length < size)
++ return 0;
++
+ for (uint32_t off = ALIGN(1, true); off < length; off += ALIGN(1, true)) {
+- if (!overlap(lm, off, off + size))
++ if (!overlap(lm, off, off + size, lm->slots[0].offset + length))
+ return off;
+ }
+
+--- a/test-luksmeta
++++ b/test-luksmeta
+@@ -3,9 +3,12 @@
+
+ trap 'exit' ERR
+
+ export tmp=`mktemp /tmp/luksmeta.XXXXXXXXXX`
++export tmpdata=`mktemp /tmp/luksmeta.XXXXXXXXXX`
++
+
+ function onexit() {
+ rm -f $tmp
++ rm -f "${tmpdata}"
+ }
+
+ trap 'onexit' EXIT
+@@ -56,3 +59,16 @@
+ test "`./luksmeta load -s 0 -d $tmp`" == "hi"
+ ./luksmeta init -n -f -d $tmp
+ ! ./luksmeta load -s 0 -d $tmp
++
++# CVE-2025-11568 - test attempt to store extremely large amount of data in a slot.
++./luksmeta init -f -d "${tmp}"
++dd bs=1024k count=1 "${tmpdata}"
++! ./luksmeta save -s 1 -u 23149359-1b61-4803-b818-774ab730fbec -d "${tmp}" < "${tmpdata}"
++
++# Additional test for CVE-2025-11568 boundary conditions.
++# Verify overflow protection with multiple existing slots at various offsets.
++./luksmeta init -f -d "${tmp}"
++echo "a" | ./luksmeta save -s 0 -u 11111111-1111-1111-1111-111111111111 -d "${tmp}"
++echo "b" | ./luksmeta save -s 1 -u 22222222-2222-2222-2222-222222222222 -d "${tmp}"
++dd bs=1024 count=900 "${tmpdata}"
++!
./luksmeta save -s 2 -u 33333333-3333-3333-3333-333333333333 -d "${tmp}" < "${tmpdata}"
diff -Nru luksmeta-9/debian/patches/series luksmeta-9/debian/patches/series
--- luksmeta-9/debian/patches/series 2022-12-25 20:30:44.000000000 +0000
+++ luksmeta-9/debian/patches/series 2025-11-01 18:07:35.000000000 +0000
@@ -6,3 +6,4 @@
 local.test-luksmeta.patch
 local.dont-fail-tests-for-disabled-module-load.patch
 local.use-asciidoctor-to-build-manpages.patch
+1761145081.v9-9-g0179988.CVE-2025-11568.fix-handling-of-large-metadata.patch
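Review bot: In the `@@ -90,8 +94,13 @@` hunk of `libluksmeta.c`, the hard limit handed to `overlap()` is `lm->slots[0].offset + length`, yet the lines around it treat `length` by itself as the size of the gap: the new guard is `if (length < size)` and the search loop bounds `off` by `length`. If slot offsets are measured from the start of that area, as the loop suggests, a populated slot 0 raises the limit by its own offset and `end` could pass the real boundary by that amount; the call would then be `if (!overlap(lm, off, off + size, length))`, or it needs a comment explaining why slot 0 is the base. The enclosing function's signature is above the hunk, so the type and meaning of `length` have to be confirmed there. In `test-luksmeta`, bash does not run the ERR trap for a command inverted with `!`, so the new `! ./luksmeta save …` checks only count if one of them is the script's last command; `if ./luksmeta save …; then exit 1; fi` would make them binding.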