<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Aptos;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:12.0pt;
font-family:"Aptos",sans-serif;
mso-ligatures:standardcontextual;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#467886;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-IN" link="#467886" vlink="#96607D" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Source: node-node-rsa<o:p></o:p></p>
<p class="MsoNormal">Version: 1.1.1-4<o:p></o:p></p>
<p class="MsoNormal">Severity: serious<o:p></o:p></p>
<p class="MsoNormal">Justification: FTBFS<o:p></o:p></p>
<p class="MsoNormal">Tags: bookworm ftbfs<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">(Please provide enough information to help the release team<o:p></o:p></p>
<p class="MsoNormal">to judge the request efficiently. E.g. by filling in the<o:p></o:p></p>
<p class="MsoNormal">sections below.)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[ Reason ]<o:p></o:p></p>
<p class="MsoNormal">(Explain what the reason for the (old-)stable update is. I.e.<o:p></o:p></p>
<p class="MsoNormal">what is the bug, when was it introduced, is this a regression<o:p></o:p></p>
<p class="MsoNormal">with respect to the previous (old-)stable.)<o:p></o:p></p>
<p class="MsoNormal">The bug is introduced in Nodejs v18.20.4+dfsg-1~deb12u1 by the security fix for CVE-2023-46809, which removed support for RSA_PKCS1_PADDING for private decryption.
<o:p></o:p></p>
<p class="MsoNormal">This is a regression compared to the previous Nodejs v18.19.0+dfsg-6~deb12u2, where the padding was allowed.<o:p></o:p></p>
<p class="MsoNormal">Node-node-rsa is failing to build with the newer nodejs version.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[ Impact ]<o:p></o:p></p>
<p class="MsoNormal">(What is the impact for the user if the update isn't approved?)<o:p></o:p></p>
<p class="MsoNormal">The ratt test fails to build node‑node‑rsa, it indicates that the changes to RSA_PKCS1_PADDING in newer Nodejs version are causing failures.
<o:p></o:p></p>
<p class="MsoNormal">In our case, the failure isn’t just about decryption errors at runtime, it prevents the entire test suite (and thus the build process) from completing.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[ Tests ]<o:p></o:p></p>
<p class="MsoNormal">(What automated or manual tests cover the affected code?)<o:p></o:p></p>
<p class="MsoNormal">In node‑node‑rsa, the automated test suite (invoked via npm run test or through autopkgtest) is affected.
<o:p></o:p></p>
<p class="MsoNormal">In Nodejs, the ratt test to build node‑node‑rsa is impacted.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[ Risks ]<o:p></o:p></p>
<p class="MsoNormal">(Discussion of the risks involved. E.g. code is trivial or<o:p></o:p></p>
<p class="MsoNormal">complex, alternatives available.)<o:p></o:p></p>
<p class="MsoNormal">Without this update, our test would fail in Nodejs versions that no longer support RSA_PKCS1_PADDING padding for private decryption.
<o:p></o:p></p>
<p class="MsoNormal">This inconsistency can lead to build failures (e.g., ratt test failures) and runtime errors.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[ Checklist ]<o:p></o:p></p>
<p class="MsoNormal"> [*] *all* changes are documented in the d/changelog<o:p></o:p></p>
<p class="MsoNormal"> [*] I reviewed all changes and I approve them<o:p></o:p></p>
<p class="MsoNormal"> [ ] attach debdiff against the package in (old)stable<o:p></o:p></p>
<p class="MsoNormal"> [ ] the issue is verified as fixed in unstable<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[ Changes ]<o:p></o:p></p>
<p class="MsoNormal">(Explain *all* the changes)<o:p></o:p></p>
<p class="MsoNormal">I have submitted my proposed changes for your review. Please take a moment to look them over,<o:p></o:p></p>
<p class="MsoNormal"><a href="https://salsa.debian.org/snaaz/node-node-rsa/-/commit/b3a7ee66e2982eed84d9fb980040dd9f088a7266">https://salsa.debian.org/snaaz/node-node-rsa/-/commit/b3a7ee66e2982eed84d9fb980040dd9f088a7266</a><o:p></o:p></p>
<p class="MsoNormal">The try/catch blocks in the decrypt tests now properly catch the specific error ("RSA_PKCS1_PADDING is no longer supported") when private decryption using RSA_PKCS1_PADDING is attempted. This prevents the test suite from failing unexpectedly
on Nodejs versions where this behavior has been removed due to security fix for CVE-2023-46809.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[ Other info ]<o:p></o:p></p>
<p class="MsoNormal">(Anything else the release team should know.)<o:p></o:p></p>
<p class="MsoNormal">The npm run test and autopkgtest are passing successfully for node-node-rsa on both older(18.19.0+dfsg-6~deb12u2) and newer(18.20.4+dfsg-1~deb12u1) Nodejs versions.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Times New Roman",serif;color:black;mso-fareast-language:EN-IN">Syeda Shagufta Naaz<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>