#1100088 node-public-encrypt: FTBFS: dh_auto_test: error: /bin/sh -ex debian/tests/pkg-js/test returned exit code 1
- Package: src:node-public-encrypt
- Source: src:node-public-encrypt
- Submitter: Naaz, Syeda Shagufta
- Date: 2025-04-05 09:09:04 UTC
- Severity: normal
- Tags:
(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)
[ Reason ]
(Explain what the reason for the (old-)stable update is. I.e.
what is the bug, when was it introduced, is this a regression
with respect to the previous (old-)stable.)
The bug is introduced in Nodejs v18.20.4+dfsg-1~deb12u1 by the security fix for CVE-2023-46809<https://security-tracker.debian.org/tracker/CVE-2023-46809>, which removed support for RSA_PKCS1_PADDING for private decryption.
This is a regression compared to the previous Nodejs v18.19.0+dfsg-6~deb12u2, where the padding was allowed.
Node-public-encrypt is failing to build with the newer nodejs version.
Log:
```
node:internal/crypto/cipher:80
return method(data, format, type, passphrase, buffer, padding, oaepHash,
^
TypeError: RSA_PKCS1_PADDING is no longer supported for private decryption, this can be reverted with --security-revert=CVE-2023-46809
at Object.privateDecrypt (node:internal/crypto/cipher:80:12)
at Test.<anonymous> (/<<PKGBUILDDIR>>/test/index.js:56:25)
at Test.bound [as _cb] (/usr/share/nodejs/tape/lib/test.js:95:17)
at Test.run (/usr/share/nodejs/tape/lib/test.js:115:28)
at Test.bound [as run] (/usr/share/nodejs/tape/lib/test.js:95:17)
at Test._end (/usr/share/nodejs/tape/lib/test.js:218:5)
at Test.bound [as _end] (/usr/share/nodejs/tape/lib/test.js:95:17)
at Test.<anonymous> (/usr/share/nodejs/tape/lib/test.js:217:34)
at Test.emit (node:events:517:28)
at Test.bound [as emit] (/usr/share/nodejs/tape/lib/test.js:95:17) {
code: 'ERR_INVALID_ARG_VALUE'
}
Node.js v18.20.4
dh_auto_test: error: /bin/sh -ex debian/tests/pkg-js/test returned exit code 1
make: *** [debian/rules:8: binary] Error 25
```
[ Impact ]
(What is the impact for the user if the update isn't approved?)
The ratt test fails to build node-public-encrypt; it indicates that the changes to RSA_PKCS1_PADDING in the newer Nodejs version are causing failures.
In our case, the failure isn’t just about decryption errors at runtime; it prevents the entire test suite (and thus the build process) from completing.
[ Tests ]
(What automated or manual tests cover the affected code?)
In node-public-encrypt, the automated test suite (invoked via npm run test or through autopkgtest) is affected; the test causing the failure is test/index.js.
In Nodejs, the ratt test to build node-public-encrypt is impacted.
[ Risks ]
(Discussion of the risks involved. E.g. code is trivial or
complex, alternatives available.)
Without this update, our test would fail in Nodejs versions that no longer support RSA_PKCS1_PADDING padding for private decryption.
This inconsistency can lead to build failures (e.g., ratt test failures) and runtime errors.
[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[ ] attach debdiff against the package in (old)stable
[ ] the issue is verified as fixed in unstable
[ Changes ]
(Explain *all* the changes)
I have submitted my proposed changes for your review. Please take a moment to look them over:
https://salsa.debian.org/js-team/node-public-encrypt/-/merge_requests/1
The try/catch block now checks for PKCS1 padding when private decryption is attempted. This prevents the test from failing on newer Nodejs versions where this behavior has been removed due to the security fix for CVE-2023-46809<https://security-tracker.debian.org/tracker/CVE-2023-46809>.
[ Other info ]
(Anything else the release team should know.)
The npm run test and autopkgtest are passing successfully for node-public-encrypt on both the older (18.19.0+dfsg-6~deb12u2) and newer (18.20.4+dfsg-1~deb12u1) Nodejs versions.
Syeda Shagufta Naaz
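One way to write the kind of check described under [ Changes ], as an added example (it is not the code from the merge request or from the package's test suite): the PKCS#1 v1.5 decrypt case is skipped only when the runtime raises the exact rejection seen in the build log, and any other exception still fails the run. The function names `roundTrip`, `pkcs1PrivateDecryptSupported` and `runDecryptChecks` are hypothetical, and the key pair is generated at run time for the demonstration.

```javascript
// Added example, not the package's test code. The key pair is constructed
// at run time and used only for this demonstration.
const crypto = require('node:crypto');
const { RSA_PKCS1_PADDING, RSA_PKCS1_OAEP_PADDING } = crypto.constants;
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
});

// Encrypt with the public key, decrypt with the private key, same padding.
function roundTrip(padding, message) {
  const ciphertext = crypto.publicEncrypt({ key: publicKey, padding }, message);
  return crypto.privateDecrypt({ key: privateKey, padding }, ciphertext);
}

// True when this runtime still performs PKCS#1 v1.5 private decryption.
// Only the specific rejection shown in the build log counts as "unsupported";
// any other exception is rethrown so a real regression still fails the run.
function pkcs1PrivateDecryptSupported() {
  try {
    roundTrip(RSA_PKCS1_PADDING, Buffer.from('probe'));
    return true;
  } catch (err) {
    const rejected = err.code === 'ERR_INVALID_ARG_VALUE' &&
      /RSA_PKCS1_PADDING is no longer supported/.test(err.message);
    if (rejected) return false;
    throw err;
  }
}

// Run the decrypt checks, skipping (not failing) the PKCS#1 v1.5 case when
// the runtime refuses it. The OAEP case is never skipped.
function runDecryptChecks(message) {
  const results = {};
  const cases = { oaep: RSA_PKCS1_OAEP_PADDING, pkcs1: RSA_PKCS1_PADDING };
  for (const [name, padding] of Object.entries(cases)) {
    if (name === 'pkcs1' && !pkcs1PrivateDecryptSupported()) {
      results[name] = 'skipped';
      continue;
    }
    results[name] = roundTrip(padding, message).equals(message) ? 'pass' : 'fail';
  }
  return results;
}

console.log(runDecryptChecks(Buffer.from('constructed test message')));
```

Reporting the case as skipped rather than passed keeps the test log honest about which padding modes were actually exercised on a given Nodejs version.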
Hello,
Bug #1100088 in node-public-encrypt reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:
https://salsa.debian.org/js-team/node-public-encrypt/-/commit/a6bedfec3cce55cc1067b48270d4179cdec825a1
------------------------------------------------------------------------
handle unsupported RSA_PKCS1_PADDING error for private decryption
Nodejs v18.20.4 and later versions have removed support for RSA_PKCS1_PADDING in private decryption to address the Marvin Attack vulnerability (CVE-2023-46809).
Closes: #1100088
Signed-off-by: Syeda Shagufta Naaz <syedashagufta.naaz@siemens.com>
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/1100088
We believe that the bug you reported is fixed in the latest version of
node-public-encrypt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1100088@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jérémy Lal <kapouer@melix.org> (supplier of updated node-public-encrypt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 05 Apr 2025 10:21:34 +0200
Source: node-public-encrypt
Architecture: source
Version: 4.0.3-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Jérémy Lal <kapouer@melix.org>
Closes: 1064712 1100088
Changes:
node-public-encrypt (4.0.3-2) unstable; urgency=medium
.
[ Syeda Shagufta Naaz ]
* Closes: #1100088, #1064712
+ fix unsupported RSA_PKCS1_PADDING error in decrypt tests