Bug#1134372: marked as done (trixie-pu: package php-phpseclib3/3.0.43-2+deb13u3)

[Debian Bug Tracking System]

Your message dated Sat, 16 May 2026 10:23:18 +0000
with message-id <e1wocaw-00000000dbw-1...@coccia.debian.org>
and subject line Released with 13.5
has caused the Debian Bug report #1134372,
regarding trixie-pu: package php-phpseclib3/3.0.43-2+deb13u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1134372: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134372
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: php-phpsecl...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-phpseclib3
User: release.debian....@packages.debian.org
Usertags: pu

[ This is the first of six similar bug reports, for the php-phpseclib3,
  php-phpseclib and phpseclib packages, for both trixie and bookworm. ]

I’d like to get CVE-2026-40194 fixed in an upcoming point release. This
is a variable-time comparison tagged as no-dsa, so I assume the
security-team, X-D-CCed, do not wish to release a DSA for it.

The change is pretty trivial.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Regards,

taffit

diff -Nru php-phpseclib3-3.0.43/debian/changelog php-phpseclib3-3.0.43/debian/changelog
--- php-phpseclib3-3.0.43/debian/changelog	2026-03-24 08:15:58.000000000 +0100
+++ php-phpseclib3-3.0.43/debian/changelog	2026-04-19 11:32:40.000000000 +0200
@@ -1,3 +1,10 @@
+php-phpseclib3 (3.0.43-2+deb13u2) trixie; urgency=medium
+
+  * SSH2: use constant time string comparison in get_binary_packet()
+    [CVE-2026-40194]
+
+ -- David Prévot <taf...@debian.org>  Sun, 19 Apr 2026 11:32:40 +0200
+
 php-phpseclib3 (3.0.43-2+deb13u1) trixie-security; urgency=medium
 
   * make unpadding constant time [CVE-2026-32935] (Closes: #1131482)
diff -Nru php-phpseclib3-3.0.43/debian/patches/0009-Merge-branch-2.0-into-3.0.patch php-phpseclib3-3.0.43/debian/patches/0009-Merge-branch-2.0-into-3.0.patch
--- php-phpseclib3-3.0.43/debian/patches/0009-Merge-branch-2.0-into-3.0.patch	1970-01-01 01:00:00.000000000 +0100
+++ php-phpseclib3-3.0.43/debian/patches/0009-Merge-branch-2.0-into-3.0.patch	2026-04-19 11:32:03.000000000 +0200
@@ -0,0 +1,32 @@
+From: terrafrost <terrafr...@php.net>
+Date: Thu, 9 Apr 2026 19:59:48 -0500
+Subject: Merge branch '2.0' into 3.0
+
+SSH2: use constant time string comparison in get_binary_packet():
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/254140b34b8d738c53686f0362b22e2153d893ea
+Bug: https://github.com/phpseclib/phpseclib/security/advisories/GHSA-r854-jrxh-36qx
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-40194
+---
+ phpseclib/Net/SSH2.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/phpseclib/Net/SSH2.php b/phpseclib/Net/SSH2.php
+index 4f1a849..5946740 100644
+--- a/phpseclib/Net/SSH2.php
++++ b/phpseclib/Net/SSH2.php
+@@ -3709,12 +3709,12 @@ class SSH2
+                 substr($packet->raw, 0, -$this->hmac_size);
+             if (($this->hmac_check->getHash() & "\xFF\xFF\xFF\xFF") == 'umac') {
+                 $this->hmac_check->setNonce("\0\0\0\0" . pack('N', $this->get_seq_no));
+-                if ($hmac != $this->hmac_check->hash($reconstructed)) {
++                if (!hash_equals($hmac, $this->hmac_check->hash($reconstructed))) {
+                     $this->disconnect_helper(NET_SSH2_DISCONNECT_MAC_ERROR);
+                     throw new ConnectionClosedException('Invalid UMAC');
+                 }
+             } else {
+-                if ($hmac != $this->hmac_check->hash(pack('Na*', $this->get_seq_no, $reconstructed))) {
++                if (!hash_equals($hmac, $this->hmac_check->hash(pack('Na*', $this->get_seq_no, $reconstructed)))) {
+                     $this->disconnect_helper(NET_SSH2_DISCONNECT_MAC_ERROR);
+                     throw new ConnectionClosedException('Invalid HMAC');
+                 }
diff -Nru php-phpseclib3-3.0.43/debian/patches/series php-phpseclib3-3.0.43/debian/patches/series
--- php-phpseclib3-3.0.43/debian/patches/series	2026-03-24 08:15:58.000000000 +0100
+++ php-phpseclib3-3.0.43/debian/patches/series	2026-04-19 11:32:03.000000000 +0200
@@ -6,3 +6,4 @@
 0006-Drop-PHPUnit-compatibility-code.patch
 0007-Modernize-PHPUnit-syntax.patch
 0008-make-unpadding-constant-time.patch
+0009-Merge-branch-2.0-into-3.0.patch

signature.asc
Description: PGP signature

--- End Message ---

--- Begin Message ---

Package: release.debian.org
Version: 13.5

This update has been released as part of Debian 13.5.

--- End Message ---