[Pkg-javascript-devel] node-public-encrypt: FTBFS: dh_auto_test: error: /bin/sh -ex debian/tests/pkg-js/test returned exit code 1

Naaz, Syeda Shagufta syedashagufta.naaz at siemens.com
Tue Mar 11 08:41:22 GMT 2025 

Source: node-public-encrypt
Version: 4.0.3-1
Severity: serious
Justification: FTBFS
Tags: bookworm ftbfs

(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)

[ Reason ]
(Explain what the reason for the (old-)stable update is. I.e.
what is the bug, when was it introduced, is this a regression
with respect to the previous (old-)stable.)
The bug is introduced in Nodejs v18.20.4+dfsg-1~deb12u1 by the security fix for CVE-2023-46809<https://security-tracker.debian.org/tracker/CVE-2023-46809>, which removed support for RSA_PKCS1_PADDING for private decryption.
This is a regression compared to the previous Nodejs v18.19.0+dfsg-6~deb12u2, where the padding was allowed.
Node-public-encrypt is failing to build with the newer nodejs version.
Log:
```
node:internal/crypto/cipher:80
    return method(data, format, type, passphrase, buffer, padding, oaepHash,
           ^

TypeError: RSA_PKCS1_PADDING is no longer supported for private decryption, this can be reverted with --security-revert=CVE-2023-46809
    at Object.privateDecrypt (node:internal/crypto/cipher:80:12)
    at Test.<anonymous> (/<<PKGBUILDDIR>>/test/index.js:56:25)
    at Test.bound [as _cb] (/usr/share/nodejs/tape/lib/test.js:95:17)
    at Test.run (/usr/share/nodejs/tape/lib/test.js:115:28)
    at Test.bound [as run] (/usr/share/nodejs/tape/lib/test.js:95:17)
    at Test._end (/usr/share/nodejs/tape/lib/test.js:218:5)
    at Test.bound [as _end] (/usr/share/nodejs/tape/lib/test.js:95:17)
    at Test.<anonymous> (/usr/share/nodejs/tape/lib/test.js:217:34)
    at Test.emit (node:events:517:28)
    at Test.bound [as emit] (/usr/share/nodejs/tape/lib/test.js:95:17) {
  code: 'ERR_INVALID_ARG_VALUE'
}

Node.js v18.20.4
dh_auto_test: error: /bin/sh -ex debian/tests/pkg-js/test returned exit code 1
make: *** [debian/rules:8: binary] Error 25
```

[ Impact ]
(What is the impact for the user if the update isn't approved?)
The ratt test fails to build node‑public-encrypt, it indicates that the changes to RSA_PKCS1_PADDING in newer Nodejs version are causing failures.
In our case, the failure isn’t just about decryption errors at runtime, it prevents the entire test suite (and thus the build process) from completing.

[ Tests ]
(What automated or manual tests cover the affected code?)
In node‑public-encrypt, the automated test suite (invoked via npm run test or through autopkgtest) is affected, the test causing failure is test/index.js.
In Nodejs, the ratt test to build node‑public-encrypt is impacted.

[ Risks ]
(Discussion of the risks involved. E.g. code is trivial or
complex, alternatives available.)
Without this update, our test would fail in Nodejs versions that no longer support RSA_PKCS1_PADDING padding for private decryption.
This inconsistency can lead to build failures (e.g., ratt test failures) and runtime errors.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [ ] attach debdiff against the package in (old)stable
  [ ] the issue is verified as fixed in unstable

[ Changes ]
(Explain *all* the changes)
I have submitted my proposed changes for your review. Please take a moment to look them over,
https://salsa.debian.org/js-team/node-public-encrypt/-/merge_requests/1
The try/catch block now checks for PKCS1 padding when private decryption is attempted. This prevents the test from failing on Nodejs newer versions where this behavior has been removed due to security fix for CVE-2023-46809<https://security-tracker.debian.org/tracker/CVE-2023-46809>.

[ Other info ]
(Anything else the release team should know.)
The npm run test and autopkgtest are passing successfully for node-public-encrypt on both older(18.19.0+dfsg-6~deb12u2) and newer(18.20.4+dfsg-1~deb12u1) Nodejs versions.

Syeda Shagufta Naaz

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-javascript-devel/attachments/20250311/4bbd4ae6/attachment-0001.htm>

More information about the Pkg-javascript-devel mailing list