[Pkg-javascript-devel] Bug#1117354: Bug#1117354: node-node-rsa: FTBFS: Error during decryption (probably incorrect key). Original error: Error: error:1C880004:Provider routines::RSA lib

Santiago Vila sanvila at debian.org
Tue Oct 7 12:00:12 BST 2025


Yadd wrote:
> Help welcome here ;-)

Ok, I did a debbisect and this is what I found:

bisection finished successfully
  last good timestamp: 20250917T143544Z
  first bad timestamp: 20250918T024011Z
the following packages differ between the last good and first bad timestamp:
  libssl3t64:amd64 3.5.2-1 -> 3.5.3-1
  libsystemd0:amd64 258~rc4-1 -> 258-1
  libudev1:amd64 258~rc4-1 -> 258-1
  openssl-provider-legacy 3.5.2-1 -> 3.5.3-1

Looks like the switch of src:openssl from 3.5.2-1 to 3.5.3-1 is
what triggered this error. Maybe this paragraph is relevant:

 * Hardened the provider implementation of the RSA public key "encrypt"
   operation to add a missing check that the caller-indicated output buffer
   size is at least as large as the byte count of the RSA modulus.  The issue
   was reported by Arash Ale Ebrahim from SYSPWN.

   This operation is typically invoked via `EVP_PKEY_encrypt(3)`.  Callers that
   in fact provide a sufficiently large buffer, but fail to correctly indicate
   its size may now encounter unexpected errors.  In applications that attempt
   RSA public encryption into a buffer that is too small, an out-of-bounds
   write is now avoided and an error is reported instead.

My advice is to forward this upstream.

Thanks.


