[Debian-med-packaging] Bug#1112133: biosig: CVE-2025-54494 CVE-2025-54493 CVE-2025-54492 CVE-2025-54491 CVE-2025-54490 CVE-2025-54489 CVE-2025-54488 CVE-2025-54487 CVE-2025-54486 CVE-2025-54485 CVE-2025-54484 CVE-2025-54483 CVE-2025-54482 CVE-2025-54481 CVE-2025-54480 CVE-2025-54462 CVE-2025-53853 CVE-2025-53557 CVE-2025-53518 CVE-2025-53511 CVE-2025-52581 CVE-2025-52461 CVE-2025-48005 CVE-2025-46411
Salvatore Bonaccorso
carnil at debian.org
Mon Sep 1 04:54:25 BST 2025
Hi,
On Sun, Aug 31, 2025 at 11:27:12PM +0200, Alois Schlögl wrote:
>
>
> Attached are patches to fix a number of security vulnerabilities in biosig
> 3.9.0 [1,2]. The numbers indicate the last 20 patches from upstream [3,4].
> Only those patches relevant for these CVEs are discussed here:
>
> The patches 0005 - 0009 are fixing:
> CVE-2025-48005 <https://security-tracker.debian.org/tracker/CVE-2025-48005>
> CVE-2025-52461 <https://security-tracker.debian.org/tracker/CVE-2025-52461>
> CVE-2025-52581 <https://security-tracker.debian.org/tracker/CVE-2025-52581>
> CVE-2025-53518 <https://security-tracker.debian.org/tracker/CVE-2025-53518>
> CVE-2025-53853 <https://security-tracker.debian.org/tracker/CVE-2025-53853>
> CVE-2025-54462 <https://security-tracker.debian.org/tracker/CVE-2025-54462>
>
> Moreover, patches 0010 and 0020 are trying to address all issues in the MFER
> implementation, namely
> CVE-2025-46411 <https://security-tracker.debian.org/tracker/CVE-2025-46411>
> CVE-2025-53511 <https://security-tracker.debian.org/tracker/CVE-2025-53511>
> CVE-2025-53557 <https://security-tracker.debian.org/tracker/CVE-2025-53557>
> CVE-2025-54480 <https://security-tracker.debian.org/tracker/CVE-2025-54480> - CVE-2025-54494 <https://security-tracker.debian.org/tracker/CVE-2025-54494> (15 CVEs)
>
> However, because of the (large) number of security issues in the
> implementation of the support for MFER format, further checks might be in
> order.
>
> So, patch 0019 is guarding against unintended use of MFER. It disables
> support for reading MFER and disables a possible attack vector from malicious
> MFER data.
>
> MFER files can be read only when the environment variable
> BIOSIG_MFER_TRUST_INPUT=1
> is set. Those who rely on Biosig supporting MFER can set that flag.
> However, this should only be done when the file comes from a trusted source,
> and it is safe to assume that there is no malicious intent. I'm aware that
> the need to set this flag will come at a cost for those users who rely on
> MFER support. If that is affecting you in a negative way, please get in
> contact with me, so that we can discuss an action plan for how to address this
> best and guarantee that the implementation for MFER support is safe to use
> under all conditions.
>
> Cheers, and stay safe,
>
> Alois
>
>
> P.S.: The attached patches should be sufficient to address Debian bug
> #1112133, and should be sufficient for patching biosig 3.9.0.
> If you use biosig 3.9.1, only patch 0019 (and optionally 0020) is needed.
In my opinion it would be best for unstable/forky to just go to the
3.9.1 + patches variant.
For trixie and older we marked those issues no-dsa, and if we are
confident enough batching them in a future point release would be
great. But I think priority should go top-down so get issues first
addressed in unstable/forky, then down to trixie and bookworm. Do you
agree?
Regards,
Salvatore
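The thread describes patch 0019 as an opt-in gate: the MFER reader stays disabled unless the environment variable BIOSIG_MFER_TRUST_INPUT is set to 1. The following is an added example of how such a trust gate can be structured in C; it is not biosig's code and not the content of patch 0019. The record layout (one tag byte, one length byte, payload), the function names and the return codes are all assumptions made for illustration. The point it shows is that the gate is checked before any byte of the untrusted format is interpreted, and that the exact value "1" is required, so unset, empty, "0" or "true" all leave the reader disabled.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return codes of the hypothetical reader (assumed names, not biosig's). */
enum { MFER_OK = 0, MFER_REFUSED_UNTRUSTED = 1, MFER_MALFORMED = 2 };

/* Gate modelled on the BIOSIG_MFER_TRUST_INPUT=1 switch from the thread:
 * only the exact string "1" enables MFER parsing. */
int mfer_input_trusted(void)
{
    const char *v = getenv("BIOSIG_MFER_TRUST_INPUT");
    return v != NULL && strcmp(v, "1") == 0;
}

/* Hypothetical minimal header parse: buf[0] is a tag, buf[1] a payload
 * length, followed by the payload. The declared length is checked against
 * the bytes actually available before it is trusted. */
int mfer_parse_header(const unsigned char *buf, size_t len,
                      unsigned char *tag_out, size_t *payload_len_out)
{
    if (buf == NULL || len < 2)
        return -1;                 /* too short to hold tag + length */
    size_t plen = buf[1];
    if (plen > len - 2)
        return -1;                 /* declared length exceeds buffer: refuse */
    *tag_out = buf[0];
    *payload_len_out = plen;
    return 0;
}

/* Entry point a caller would use: the trust gate runs first, so untrusted
 * input never reaches the parser at all. */
int read_mfer(const unsigned char *buf, size_t len,
              unsigned char *tag_out, size_t *payload_len_out)
{
    if (!mfer_input_trusted()) {
        fprintf(stderr, "MFER support disabled; set BIOSIG_MFER_TRUST_INPUT=1 "
                        "only for files from a trusted source\n");
        return MFER_REFUSED_UNTRUSTED;
    }
    if (mfer_parse_header(buf, len, tag_out, payload_len_out) != 0)
        return MFER_MALFORMED;
    return MFER_OK;
}

int main(void)
{
    /* Constructed sample record: tag 0x40, payload length 3, payload "abc". */
    const unsigned char sample[] = { 0x40, 0x03, 'a', 'b', 'c' };
    unsigned char tag = 0;
    size_t plen = 0;
    int rc = read_mfer(sample, sizeof sample, &tag, &plen);
    printf("rc=%d tag=0x%02x payload_len=%zu\n", rc, tag, plen);
    return 0;
}
```

Run without the variable set and `read_mfer` returns MFER_REFUSED_UNTRUSTED before touching the buffer; with `BIOSIG_MFER_TRUST_INPUT=1` it parses the constructed record and still rejects a record whose declared length does not fit the buffer.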