[Pkg-erlang-devel] Bug#1101713: Bug#1101713: erlang: CVE-2025-30211

Salvatore Bonaccorso carnil at debian.org
Tue Apr 1 05:10:32 BST 2025


Hi,

On Mon, Mar 31, 2025 at 12:12:31PM +0300, Sergei Golovan wrote:
> Control: tag 1101713 + pending
> 
> Hi Salvatore,
> 
> On Sun, Mar 30, 2025 at 10:51 PM Salvatore Bonaccorso <carnil at debian.org> wrote:
> >
> > Hi,
> >
> > The following vulnerability was published for erlang.
> >
> > CVE-2025-30211[0]:
> > | Erlang/OTP is a set of libraries for the Erlang programming
> > | language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a
> > | maliciously formed KEX init message can result in high memory
> > | usage. Implementation does not verify RFC specified limits on
> > | algorithm names (64 characters) provided in KEX init message. Big
> > | KEX init packet may lead to inefficient processing of the error
> > | data. As a result, large amount of memory will be allocated for
> > | processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and
> > | OTP-25.3.2.19 fix the issue. Some workarounds are available. One may
> > | set option `parallel_login` to `false` and/or reduce the
> > | `max_sessions` option.
> >
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> I'll upload 27.3.1 in a few days. Does it make sense to backport the fix
> from 25.3.2.19 to erlang in stable?

Thanks. Yes, the unstable upload sounds good, and please make sure it
will migrate to testing as well.

For stable, I guess we still need to check if it will be important
enough to release via a DSA or if a point release update will be
enough. Let's check after the unstable upload has been done.

Regards,
Salvatore
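The advisory quoted above comes down to a missing bound check: RFC 4251 caps an SSH algorithm name at 64 characters, and a KEXINIT parser that skips that check can be driven into heavy allocation by an oversized packet. The following is an added illustration, not code from Erlang/OTP or from anyone in this thread, of a KEXINIT name-list parser that enforces the limit while scanning; the message layout follows RFC 4253 section 7.1, and the sample packets are constructed by the helper at the bottom.

```python
import struct

SSH_MSG_KEXINIT = 20
MAX_ALG_NAME_LEN = 64    # RFC 4251 section 6: an algorithm name is at most 64 characters
KEXINIT_NAME_LISTS = 10  # kex, hostkey, enc c2s/s2c, mac c2s/s2c, comp c2s/s2c, lang c2s/s2c


class BadKexInit(ValueError):
    """Malformed or over-limit KEXINIT: the caller should drop the connection."""


def parse_kexinit(payload: bytes) -> list[list[str]]:
    """Parse the ten KEXINIT name-lists, failing at the first over-long name.

    Names are length-checked while scanning, before any list is split or
    decoded, so a huge packet is rejected early rather than copied in full.
    """
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise BadKexInit("not a KEXINIT message")
    pos, lists = 1 + 16, []  # skip message byte and 16-byte cookie
    for _ in range(KEXINIT_NAME_LISTS):
        if pos + 4 > len(payload):
            raise BadKexInit("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise BadKexInit("name-list length exceeds packet")
        raw, pos = payload[pos:pos + n], pos + n
        names, start = [], 0
        while raw and start <= len(raw):
            end = raw.find(b",", start)
            end = len(raw) if end == -1 else end
            if end - start > MAX_ALG_NAME_LEN:
                raise BadKexInit(f"algorithm name longer than {MAX_ALG_NAME_LEN} bytes")
            if end == start or not raw[start:end].isascii():
                raise BadKexInit("empty or non-ASCII algorithm name")
            names.append(raw[start:end].decode("ascii"))
            start = end + 1
        lists.append(names)
    return lists


def kexinit_is_valid(payload: bytes) -> bool:
    """True if the KEXINIT passes the limits above, False if it should be rejected."""
    try:
        parse_kexinit(payload)
        return True
    except BadKexInit:
        return False


def build_kexinit(name_lists) -> bytes:
    """Constructed encoder, used only to build sample packets for testing."""
    body = b"".join(struct.pack(">I", len(raw)) + raw
                    for raw in (",".join(ns).encode() for ns in name_lists))
    return bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16 + body + b"\x00" + b"\x00" * 4
```

The trailing first_kex_packet_follows byte and reserved field are carried but not interpreted here, since the limit at issue applies only to the name-lists.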


