[Pkg-javascript-devel] Bug#1117354: Bug#1117354: node-node-rsa: FTBFS: Error during decryption (probably incorrect key). Original error: Error: error:1C880004:Provider routines::RSA lib
Santiago Vila
sanvila at debian.org
Tue Oct 7 12:00:12 BST 2025
Yadd wrote:
> Help welcome here ;-)
Ok, I did a debbisect and this is what I found:
bisection finished successfully
last good timestamp: 20250917T143544Z
first bad timestamp: 20250918T024011Z
the following packages differ between the last good and first bad timestamp:
libssl3t64:amd64 3.5.2-1 -> 3.5.3-1
libsystemd0:amd64 258~rc4-1 -> 258-1
libudev1:amd64 258~rc4-1 -> 258-1
openssl-provider-legacy 3.5.2-1 -> 3.5.3-1
Looks like the switch of src:openssl from 3.5.2-1 to 3.5.3-1 is
what triggered this error. Maybe this paragraph is relevant:
* Hardened the provider implementation of the RSA public key "encrypt"
operation to add a missing check that the caller-indicated output buffer
size is at least as large as the byte count of the RSA modulus. The issue
was reported by Arash Ale Ebrahim from SYSPWN.
This operation is typically invoked via `EVP_PKEY_encrypt(3)`. Callers that
in fact provide a sufficiently large buffer, but fail to correctly indicate
its size may now encounter unexpected errors. In applications that attempt
RSA public encryption into a buffer that is too small, an out-of-bounds
write is now avoided and an error is reported instead.
My advice is to forward this upstream.
Thanks.
More information about the Pkg-javascript-devel
mailing list