[Pkg-javascript-devel] Bug#1099640: node-node-rsa: FTBFS: make[1]: *** [debian/rules:19: override_dh_auto_test] Error 14
Naaz, Syeda Shagufta
syedashagufta.naaz at siemens.com
Fri Mar 7 06:53:38 GMT 2025
Source: node-node-rsa
Version: 1.1.1-4
Severity: serious
Justification: FTBFS
Tags: bookworm ftbfs
(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)
[ Reason ]
(Explain what the reason for the (old-)stable update is. I.e.
what is the bug, when was it introduced, is this a regression
with respect to the previous (old-)stable.)
The bug is introduced in Nodejs v18.20.4+dfsg-1~deb12u1 by the security fix for CVE-2023-46809, which removed support for RSA_PKCS1_PADDING for private decryption.
This is a regression compared to the previous Nodejs v18.19.0+dfsg-6~deb12u2, where the padding was allowed.
Node-node-rsa is failing to build with the newer nodejs version.
[ Impact ]
(What is the impact for the user if the update isn't approved?)
The ratt test fails to build node‑node‑rsa, it indicates that the changes to RSA_PKCS1_PADDING in newer Nodejs version are causing failures.
In our case, the failure isn’t just about decryption errors at runtime, it prevents the entire test suite (and thus the build process) from completing.
[ Tests ]
(What automated or manual tests cover the affected code?)
In node‑node‑rsa, the automated test suite (invoked via npm run test or through autopkgtest) is affected.
In Nodejs, the ratt test to build node‑node‑rsa is impacted.
[ Risks ]
(Discussion of the risks involved. E.g. code is trivial or
complex, alternatives available.)
Without this update, our test would fail in Nodejs versions that no longer support RSA_PKCS1_PADDING padding for private decryption.
This inconsistency can lead to build failures (e.g., ratt test failures) and runtime errors.
[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[ ] attach debdiff against the package in (old)stable
[ ] the issue is verified as fixed in unstable
[ Changes ]
(Explain *all* the changes)
I have submitted my proposed changes for your review. Please take a moment to look them over,
https://salsa.debian.org/snaaz/node-node-rsa/-/commit/b3a7ee66e2982eed84d9fb980040dd9f088a7266
The try/catch blocks in the decrypt tests now properly catch the specific error ("RSA_PKCS1_PADDING is no longer supported") when private decryption using RSA_PKCS1_PADDING is attempted. This prevents the test suite from failing unexpectedly on Nodejs versions where this behavior has been removed due to security fix for CVE-2023-46809.
[ Other info ]
(Anything else the release team should know.)
The npm run test and autopkgtest are passing successfully for node-node-rsa on both older(18.19.0+dfsg-6~deb12u2) and newer(18.20.4+dfsg-1~deb12u1) Nodejs versions.
Syeda Shagufta Naaz
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-javascript-devel/attachments/20250307/a6edf822/attachment.htm>
More information about the Pkg-javascript-devel
mailing list