Control: retitle: -1 uscan: CVE-2025-8454: uscan must not skip OpenPGP check 
after failed check in previous run

Hi Uwe,

On Mon, Jul 14, 2025 at 09:52:41AM +0200, Uwe Kleine-König wrote:
> Package: devscripts
> Version: 2.25.15
> Severity: serious
> File: /usr/bin/uscan
> X-Debbugs-Cc: [email protected], [email protected]
> 
> Hello,
> 
> the linux-kernel packages suffer from upstream still relying on SHA-1 in
> their OpenPGP keys. This makes uscan fail to provide the orig.tar.xz
> (as expected) when sopv is used to verify the download:
> 
>       uwe@taurus:~/debpkg/linux$ uscan --download-current-version
>       uscan warn: Using stable remote origin
>       Newest version of linux on remote site is 6.16~rc5, specified download 
> version is 6.16~rc5
>                  No acceptable signatures found
>       uscan: error: sopv verify /tmp/tmp.YLvUuQ1SxZ/sig 
> debian/upstream/signing-key.asc subprocess returned exit status 3
> 
> However uscan keeps ../linux-6.16~rc5.tar.xz after that which makes the
> next uscan run succeed even though the signature check didn't pass:
> 
>       uwe@taurus:~/debpkg/linux$ uscan --download-current-version 
>       uscan warn: Using stable remote origin
>       Newest version of linux on remote site is 6.16~rc5, specified download 
> version is 6.16~rc5
>       uscan warn: File already downloaded, skipping OpenPGP verification
>       Successfully repacked ../linux-6.16~rc5.tar.xz as 
> ../linux_6.16~rc5.orig.tar.xz, deleting 28 files from it.
> 
> Without `--skip-signature` this must not happen and the warning isn't
> enough.
> 
> The obvious fixes would be to either put linux-6.16~rc5.tar.xz into a
> tmpfile only (i.e. under a different name) until signature verification
> passed; or to not skip the verification in the 2nd run.

CVE-2025-8454 is assigned for this issue.

Regards,
Salvatore

Reply via email to