[Debian-med-packaging] Bug#1112133: biosig: CVE-2025-54494 CVE-2025-54493 CVE-2025-54492 CVE-2025-54491 CVE-2025-54490 CVE-2025-54489 CVE-2025-54488 CVE-2025-54487 CVE-2025-54486 CVE-2025-54485 CVE-2025-54484 CVE-2025-54483 CVE-2025-54482 CVE-2025-54481 CVE-2025-54480 CVE-2025-54462 CVE-2025-53853 CVE-2025-53557 CVE-2025-53518 CVE-2025-53511 CVE-2025-52581 CVE-2025-52461 CVE-2025-48005 CVE-2025-46411
Alois Schlögl
alois.schloegl at gmail.com
Sun Aug 31 22:27:12 BST 2025
Attached are patches to fix a number of security vulnerabilities in
biosig 3.9.0 [1,2]. The numbers indicate the last 20 patches from
upstream [3,4]. Only those patches relevant for these CVEs are
discussed here:
Patches 0005 - 0009 fix:
CVE-2025-48005 <https://security-tracker.debian.org/tracker/CVE-2025-48005>
CVE-2025-52461 <https://security-tracker.debian.org/tracker/CVE-2025-52461>
CVE-2025-52581 <https://security-tracker.debian.org/tracker/CVE-2025-52581>
CVE-2025-53518 <https://security-tracker.debian.org/tracker/CVE-2025-53518>
CVE-2025-53853 <https://security-tracker.debian.org/tracker/CVE-2025-53853>
CVE-2025-54462 <https://security-tracker.debian.org/tracker/CVE-2025-54462>
Moreover, patches 0010 and 0020 try to address all issues in the
MFER implementation, namely
CVE-2025-46411 <https://security-tracker.debian.org/tracker/CVE-2025-46411>
CVE-2025-53511 <https://security-tracker.debian.org/tracker/CVE-2025-53511>
CVE-2025-53557 <https://security-tracker.debian.org/tracker/CVE-2025-53557>
CVE-2025-54480 <https://security-tracker.debian.org/tracker/CVE-2025-54480> -
CVE-2025-54494 <https://security-tracker.debian.org/tracker/CVE-2025-54494> (15 CVEs)
However, because of the (large) number of security issues in the
implementation of the support for MFER format, further checks might be
in order.
So, patch 0019 guards against unintended use of MFER. It disables
support for reading MFER and thereby disables a possible attack vector
from malicious MFER data.
MFER files can be read only when environment variable
BIOSIG_MFER_TRUST_INPUT=1
is set. Those who rely on Biosig supporting MFER can set that flag.
However, this should only be done when the file comes from a trusted
source and it is safe to assume that there is no malicious intent. I'm
aware that the need to set this flag will come at a cost for those
users who rely on MFER support. If that affects you in a negative
way, please get in contact with me, so that we can discuss an action
plan for how to address this best and guarantee that the implementation
of MFER support is safe to use under all conditions.
Cheers, and stay safe,
Alois
P.S.: The attached patches should be sufficient to address Debian bug
#1112133, and should be sufficient for patching biosig 3.9.0.
If you use biosig 3.9.1, only patch 0019 (and optionally 0020) is needed.
[1] https://security-tracker.debian.org/tracker/source-package/biosig
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112133
[3] https://git.code.sf.net/p/biosig/code
[4] https://git.ista.ac.at/alois.schloegl/biosig/-/commits/master?search=CVE
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-b4c-fix-reading-ISHNE-data.patch
Type: text/x-patch
Size: 1948 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/debian-med-packaging/attachments/20250831/a746b51e/attachment-0008.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0006-b4c-GDF-better-sanity-check-of-reading-event-table.patch
Type: text/x-patch
Size: 1531 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/debian-med-packaging/attachments/20250831/a746b51e/attachment-0009.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0007-b4c-ABF-better-sanity-checks.patch
Type: text/x-patch
Size: 1285 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/debian-med-packaging/attachments/20250831/a746b51e/attachment-0010.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0008-b4c-NEX-improve-sanity-check-fix-event-counting.patch
Type: text/x-patch
Size: 2233 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/debian-med-packaging/attachments/20250831/a746b51e/attachment-0011.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0009-b4c-RHD2000-fix-case-when-all-channels-are-disabled.patch
Type: text/x-patch
Size: 994 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/debian-med-packaging/attachments/20250831/a746b51e/attachment-0012.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0010-b4c-MFER-improve-sanity-checks.patch
Type: text/x-patch
Size: 8469 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/debian-med-packaging/attachments/20250831/a746b51e/attachment-0013.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0019-b4c-MFER-add-guard-against-unintended-and-potentiall.patch
Type: text/x-patch
Size: 1389 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/debian-med-packaging/attachments/20250831/a746b51e/attachment-0014.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0020-b4c-MFER-several-improvements-fixing-some-potential-.patch
Type: text/x-patch
Size: 7332 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/debian-med-packaging/attachments/20250831/a746b51e/attachment-0015.bin>
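The message above describes patch 0019 as an opt-in gate: MFER files are read only when BIOSIG_MFER_TRUST_INPUT=1 is set in the environment. The following is an added illustration of that pattern in C, written for this page and not taken from the biosig patches or source tree. The function names (mfer_input_trusted, read_mfer_guarded), the stub parser and the sample bytes are assumptions for the example; only the environment variable name and value come from the message. It shows the two properties a practitioner would check in such a guard: it fails closed (only the exact string "1" enables the parser, not "true", "yes" or an empty value), and the untrusted bytes never reach the parser at all.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example of an opt-in environment-variable gate in front of a
 * parser with a poor security record. Names and the stub parser below
 * are assumptions for illustration, not biosig's own code. */

#define MFER_TRUST_ENV "BIOSIG_MFER_TRUST_INPUT"

enum mfer_status { MFER_OK = 0, MFER_REFUSED = -1, MFER_EMPTY = -2 };

/* Fail closed: only the exact value "1" enables the parser.
 * Unset, "", "true", "yes", "01" and so on all count as "not trusted". */
int mfer_input_trusted(void)
{
    const char *v = getenv(MFER_TRUST_ENV);
    return v != NULL && strcmp(v, "1") == 0;
}

/* Stand-in for the real MFER reader (assumption): it only rejects an
 * empty buffer, so that the gate's behaviour is visible in isolation. */
static enum mfer_status parse_mfer_stub(const unsigned char *buf, size_t len)
{
    if (buf == NULL || len == 0)
        return MFER_EMPTY;
    return MFER_OK;
}

/* The guard sits in front of the parser: untrusted input never reaches it.
 * err (if non-NULL) receives a message telling the user how to opt in. */
enum mfer_status read_mfer_guarded(const unsigned char *buf, size_t len,
                                   char *err, size_t errlen)
{
    if (!mfer_input_trusted()) {
        if (err != NULL && errlen > 0)
            snprintf(err, errlen,
                     "MFER support is disabled; set %s=1 only for files "
                     "from a trusted source", MFER_TRUST_ENV);
        return MFER_REFUSED;
    }
    return parse_mfer_stub(buf, len);
}

/* Constructed sample bytes for the demo; not a real MFER file. */
static const unsigned char kSampleInput[] = { 'M', 'F', 'E', 'R', 0x00, 0x01, 0x02 };

int main(void)
{
    char err[160];
    enum mfer_status s;

    unsetenv(MFER_TRUST_ENV);
    s = read_mfer_guarded(kSampleInput, sizeof kSampleInput, err, sizeof err);
    printf("without %s: status %d (%s)\n", MFER_TRUST_ENV, (int)s,
           s == MFER_REFUSED ? err : "parsed");

    setenv(MFER_TRUST_ENV, "true", 1);
    s = read_mfer_guarded(kSampleInput, sizeof kSampleInput, err, sizeof err);
    printf("with %s=true: status %d (still refused)\n", MFER_TRUST_ENV, (int)s);

    setenv(MFER_TRUST_ENV, "1", 1);
    s = read_mfer_guarded(kSampleInput, sizeof kSampleInput, err, sizeof err);
    printf("with %s=1: status %d (parsed)\n", MFER_TRUST_ENV, (int)s);
    return 0;
}
```

The exact-match comparison is deliberate: a guard that accepts any non-empty value is easy to switch on by accident (for example by a stray `export BIOSIG_MFER_TRUST_INPUT=` in a profile), whereas requiring the literal "1" matches the message's wording and keeps the default fail-closed.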