Version in base suite: 2.0.0-2

Base version: rust-sequoia-openpgp_2.0.0-2
Target version: rust-sequoia-openpgp_2.0.0-2+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/rust-sequoia-openpgp/rust-sequoia-openpgp_2.0.0-2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/r/rust-sequoia-openpgp/rust-sequoia-openpgp_2.0.0-2+deb13u1.dsc

 changelog                                                     |    8 
 patches/0001-openpgp-Fix-an-underflow-in-aes_key_unwrap.patch |   98 ++++++++++
 patches/series                                                |    1 
 3 files changed, 107 insertions(+)

diff -Nru rust-sequoia-openpgp-2.0.0/debian/changelog rust-sequoia-openpgp-2.0.0/debian/changelog
--- rust-sequoia-openpgp-2.0.0/debian/changelog	2025-04-14 19:49:23.000000000 +0000
+++ rust-sequoia-openpgp-2.0.0/debian/changelog	2025-12-22 15:27:34.000000000 +0000
@@ -1,3 +1,11 @@
+rust-sequoia-openpgp (2.0.0-2+deb13u1) trixie; urgency=medium
+
+  * Add upstream commit b59886e5 (via debian/patches, edited to apply cleanly)
+    to fix an underflow in aes_key_unwrap / CVE-2025-67897 to prevent DOS
+    (crash) via special crafted encrypted messages. Closes: #1122582.
+
+ -- Holger Levsen <holger@debian.org>  Mon, 22 Dec 2025 16:27:34 +0100
+
 rust-sequoia-openpgp (2.0.0-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru rust-sequoia-openpgp-2.0.0/debian/patches/0001-openpgp-Fix-an-underflow-in-aes_key_unwrap.patch rust-sequoia-openpgp-2.0.0/debian/patches/0001-openpgp-Fix-an-underflow-in-aes_key_unwrap.patch
--- rust-sequoia-openpgp-2.0.0/debian/patches/0001-openpgp-Fix-an-underflow-in-aes_key_unwrap.patch	1970-01-01 00:00:00.000000000 +0000
+++ rust-sequoia-openpgp-2.0.0/debian/patches/0001-openpgp-Fix-an-underflow-in-aes_key_unwrap.patch	2025-12-22 15:27:34.000000000 +0000
@@ -0,0 +1,98 @@
+From b59886e5e7bdf7169ed330f309a6633d131776e5 Mon Sep 17 00:00:00 2001
+From: "Neal H. Walfield" <neal@sequoia-pgp.org>
+Date: Fri, 7 Nov 2025 14:50:42 +0100
+Subject: [PATCH] openpgp: Fix an underflow in aes_key_unwrap.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+  - The `aes_key_unwrap` function would panic if passed a ciphertext
+    that was too short.  In a debug build, it would panic due to a
+    subtraction underflow.  In a release build, it would use the small
+    negative quantity to allocate a vector.  Since the allocator
+    expects an unsigned quantity, the negative value would be
+    interpreted as a huge allocation.  The allocator would then fail
+    to allocate the memory and panic.
+
+    An attacker could trigger this panic by sending a victim an
+    encrypted message whose PKESK or SKESK packet has been specially
+    modified.  When the victim decrypts the message, the program would
+    crash.
+
+  - Fix it.
+
+  - Reported-by: Jan Różański.
+---
+
+diff --git a/src/crypto/ecdh.rs b/src/crypto/ecdh.rs
+index 26404ae9..a7e779fa 100644
+--- a/src/crypto/ecdh.rs
++++ b/src/crypto/ecdh.rs
+@@ -326,6 +326,11 @@ pub fn aes_key_unwrap(algo: SymmetricAlgorithm, key: &Protected,
+     //   Inputs:  Ciphertext, (n+1) 64-bit values {C0, C1, ..., Cn}, and
+     //            Key, K (the KEK).
+     //   Outputs: Plaintext, n 64-bit values {P1, P2, ..., Pn}.
++    if ciphertext.len() < 16 {
++        return Err(Error::InvalidArgument(
++            "Ciphertext must be at least 16 bytes".into()).into());
++    }
++
+     let n = ciphertext.len() / 8 - 1;
+     let mut plaintext = Vec::with_capacity(ciphertext.len() - 8);
+ 
+@@ -590,4 +595,52 @@ mod tests {
+ 
+         Ok(())
+     }
++
++    #[test]
++    fn aes_key_unwrap_underflow() {
++        // The `aes_key_unwrap` function would panic if passed a
++        // ciphertext that was too short.  In a debug build, it would
++        // panic due to a subtraction underflow.  In a release build,
++        // it would use the small negative quantity to allocate a
++        // vector.  Since the allocator expects an unsigned quantity,
++        // the negative value would be interpreted as a huge
++        // allocation.  The allocator would then fail to allocate the
++        // memory and panic.
++        //
++        // The aes_key_unwrap function would panic if passed a
++        // ciphertext that was too short.  In a debug build, it would
++        // panic due to a subtraction underflow.  In a release build,
++        // it would use the wrapped negative quantity to allocate a
++        // vector.  Since the wrapped value is huge, it would fail to
++        // allocate the memory and panic.
++        //
++        // This test checks that short ciphertexts fail with an error
++        // and don't panic.
++
++        use crate::fmt::hex;
++
++        let key = hex::decode("c733a461b6bc6d2d15b3ac95cd02c102")
++            .expect("valid hex");
++        let key = Protected::from(key);
++
++        let ciphertext = hex::decode("\
++54a1b6d2e41fd30b34c83fc384996f7a\
++ca6904149310621e45ad14bd370a6cad\
++72d0a11048adddc856fa57e0240cd2ea")
++            .expect("valid hex");
++
++        let algo = SymmetricAlgorithm::AES128;
++
++        // Yes, this key really decryptes this cipher text.
++        assert!(aes_key_unwrap(algo.clone(), &key, &ciphertext).is_ok());
++
++        for i in 0..ciphertext.len() - 1 {
++            if let Err(err) = aes_key_unwrap(algo.clone(), &key, &ciphertext[..i]) {
++                eprintln!("{}: {}", i, err);
++            } else {
++                panic!("Expected failure for {} bytes of ciphertext, but succeeded",
++                       i);
++            }
++        }
++    }
+ }
+-- 
+2.47.3
+
diff -Nru rust-sequoia-openpgp-2.0.0/debian/patches/series rust-sequoia-openpgp-2.0.0/debian/patches/series
--- rust-sequoia-openpgp-2.0.0/debian/patches/series	2025-04-14 19:49:23.000000000 +0000
+++ rust-sequoia-openpgp-2.0.0/debian/patches/series	2025-12-22 15:27:34.000000000 +0000
@@ -1,3 +1,4 @@
 cleanup-deps.patch
 drop-experimental-and-variable-time-crypto-backends.patch
 simplify-base64.patch
+0001-openpgp-Fix-an-underflow-in-aes_key_unwrap.patch