Control: retitle: -1 uscan: CVE-2025-8454: uscan must not skip OpenPGP check after failed check in previous run
Hi Uwe, On Mon, Jul 14, 2025 at 09:52:41AM +0200, Uwe Kleine-König wrote: > Package: devscripts > Version: 2.25.15 > Severity: serious > File: /usr/bin/uscan > X-Debbugs-Cc: [email protected], [email protected] > > Hello, > > the linux-kernel packages suffer from upstream still relying on SHA-1 in > their OpenPGP keys. This makes uscan fail to provide the orig.tar.xz > (as expected) when sopv is used to verify the download: > > uwe@taurus:~/debpkg/linux$ uscan --download-current-version > uscan warn: Using stable remote origin > Newest version of linux on remote site is 6.16~rc5, specified download > version is 6.16~rc5 > No acceptable signatures found > uscan: error: sopv verify /tmp/tmp.YLvUuQ1SxZ/sig > debian/upstream/signing-key.asc subprocess returned exit status 3 > > However uscan keeps ../linux-6.16~rc5.tar.xz after that which makes the > next uscan run succeed even though the signature check didn't pass: > > uwe@taurus:~/debpkg/linux$ uscan --download-current-version > uscan warn: Using stable remote origin > Newest version of linux on remote site is 6.16~rc5, specified download > version is 6.16~rc5 > uscan warn: File already downloaded, skipping OpenPGP verification > Successfully repacked ../linux-6.16~rc5.tar.xz as > ../linux_6.16~rc5.orig.tar.xz, deleting 28 files from it. > > Without `--skip-signature` this must not happen and the warning isn't > enough. > > The obvious fixes would be to either put linux-6.16~rc5.tar.xz into a > tmpfile only (i.e. under a different name) until signature verification > passed; or to not skip the verification in the 2nd run. CVE-2025-8454 is assigned for this issue. Regards, Salvatore

