SOURCES/0001-Define-log-callback-function-to-use-with-libcryptset.patch

@@ -1,4 +1,4 @@
-From 70247ce7e47963bfbd6c4cdc584f35ca38ccf66d Mon Sep 17 00:00:00 2001
+From 785ebee43a8c34be3fa8ec0387892b9e70a169fd Mon Sep 17 00:00:00 2001
 From: Sergio Correia <scorreia@redhat.com>
 Date: Mon, 11 Nov 2019 18:06:13 -0500
 Subject: [PATCH] Define log callback function to use with libcryptsetup
@@ -41,5 +41,5 @@ index a79da82..1c72787 100644
          if (r != 0) {
              fprintf(stderr, "Unable to read LUKSv1 header (%s): %s\n",
 -- 
-2.23.0
+2.18.1
 

SOURCES/0002-Fix-handling-of-large-metadata.patch

@@ -0,0 +1,91 @@
+From 27c2157f4718030b19e2913fc3684268ffc74d11 Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Wed, 22 Oct 2025 15:58:01 +0100
+Subject: [PATCH 2/2] Fix handling of large metadata
+
+Prevent metadata from being written beyond the gap between the LUKS
+header and encrypted data. The overflow check now correctly validates
+that the end position of new metadata does not exceed the hard limit,
+preventing corruption of encrypted data.
+
+Also add upfront size validation to reject metadata larger than the
+total available space.
+
+Fix: CVE-2025-11568
+
+Signed-off-by: Sergio Correia <scorreia@redhat.com>
+---
+ libluksmeta.c | 13 +++++++++++--
+ test-luksmeta | 16 ++++++++++++++++
+ 2 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/libluksmeta.c b/libluksmeta.c
+index b653223..d2f7e42 100644
+--- a/libluksmeta.c
++++ b/libluksmeta.c
+@@ -69,8 +69,12 @@ checksum(lm_t lm)
+ }
+ 
+ static inline bool
+-overlap(const lm_t *lm, uint32_t start, size_t end)
++overlap(const lm_t *lm, uint32_t start, size_t end, uint32_t hard_limit)
+ {
++    /* Make sure the data fits the available area in the gap. */
++    if (end > hard_limit)
++        return true;
++
+     for (int i = 0; i < LUKS_NSLOTS; i++) {
+         const lm_slot_t *s = &lm->slots[i];
+         uint32_t e = s->offset + s->length;
+@@ -90,8 +94,13 @@ find_gap(const lm_t *lm, uint32_t length, size_t size)
+ {
+     size = ALIGN(size, true);
+ 
++    /* Make sure the data is not larger than the total available
++     * area in the gap. */
++    if (length < size)
++        return 0;
++
+     for (uint32_t off = ALIGN(1, true); off < length; off += ALIGN(1, true)) {
+-        if (!overlap(lm, off, off + size))
++        if (!overlap(lm, off, off + size, lm->slots[0].offset + length))
+             return off;
+     }
+ 
+diff --git a/test-luksmeta b/test-luksmeta
+index f1e8b2e..884a33a 100755
+--- a/test-luksmeta
++++ b/test-luksmeta
+@@ -3,9 +3,12 @@
+ trap 'exit' ERR
+ 
+ export tmp=`mktemp /tmp/luksmeta.XXXXXXXXXX`
++export tmpdata=`mktemp /tmp/luksmeta.XXXXXXXXXX`
++
+ 
+ function onexit() {
+     rm -f $tmp
++    rm -f "${tmpdata}"
+ }
+ 
+ trap 'onexit' EXIT
+@@ -50,3 +53,16 @@ echo hi | ./luksmeta save -s 0 -u 23149359-1b61-4803-b818-774ab730fbec -d $tmp
+ test "`./luksmeta load -s 0 -d $tmp`" == "hi"
+ ./luksmeta init -n -f -d $tmp
+ ! ./luksmeta load -s 0 -d $tmp
++
++# CVE-2025-11568 - test attempt to store extremely large amount of data in a slot.
++./luksmeta init -f -d "${tmp}"
++dd bs=1024k count=1 </dev/zero >"${tmpdata}"
++! ./luksmeta save -s 1 -u 23149359-1b61-4803-b818-774ab730fbec -d "${tmp}" < "${tmpdata}"
++
++# Additional test for CVE-2025-11568 boundary conditions.
++# Verify overflow protection with multiple existing slots at various offsets.
++./luksmeta init -f -d "${tmp}"
++echo "a" | ./luksmeta save -s 0 -u 11111111-1111-1111-1111-111111111111 -d "${tmp}"
++echo "b" | ./luksmeta save -s 1 -u 22222222-2222-2222-2222-222222222222 -d "${tmp}"
++dd bs=1024 count=900 </dev/zero >"${tmpdata}"
++! ./luksmeta save -s 2 -u 33333333-3333-3333-3333-333333333333 -d "${tmp}" < "${tmpdata}"
+-- 
+2.43.7
+

SOURCES/Relax-content-tests-in-test-suite.patch

@@ -1,4 +1,4 @@
-From 9c550e0675f9fa8fe58c996660c61eca11b424d1 Mon Sep 17 00:00:00 2001
+From e48ec659ca813f233769ff0752087c76a14442a9 Mon Sep 17 00:00:00 2001
 From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
 Date: Mon, 10 Dec 2018 14:25:33 +0100
 Subject: [PATCH] Relax content tests in test suite
@@ -146,3 +146,6 @@ index 78fea5b..9f0b1c5 100644
          { offset, 4096 },              /* luksmeta header */
          END(offset + 4096),            /* Rest of the file */
      }));
+-- 
+2.19.2
+

SPECS/luksmeta.spec

@@ -1,22 +1,21 @@
 Name:           luksmeta
 Version:        9
-Release:        12%{?dist}
+Release:        4%{?dist}.1
 Summary:        Utility for storing small metadata in the LUKSv1 header
 
 License:        LGPLv2+
 URL:            https://github.com/latchset/%{name}
 Source0:        https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2
-
-Patch01: luksmeta-9-tests.patch
-Patch02: luksmeta-9-relax-layout-assumptions.patch
-Patch03: Define-log-callback-function-to-use-with-libcryptset.patch
+Patch0:         luksmeta-9-tests.patch
+Patch1:         Relax-content-tests-in-test-suite.patch
+Patch2:         0001-Define-log-callback-function-to-use-with-libcryptset.patch
+Patch3:         0002-Fix-handling-of-large-metadata.patch
 
 BuildRequires:  gcc
 BuildRequires:  asciidoc
 BuildRequires:  pkgconfig
-BuildRequires:  cryptsetup-devel
 BuildRequires:  cryptsetup
-BuildRequires: make
+BuildRequires:  cryptsetup-devel
 Requires: lib%{name}%{?_isa} = %{version}-%{release}
 
 %description
@@ -53,7 +52,8 @@ rm -rf %{buildroot}/%{_libdir}/libluksmeta.la
 %check
 make %{?_smp_mflags} check
 
-%ldconfig_scriptlets -n lib%{name}
+%post -n lib%{name} -p /sbin/ldconfig
+%postun -n lib%{name} -p /sbin/ldconfig
 
 %files
 %{_bindir}/luksmeta
@@ -69,38 +69,19 @@ make %{?_smp_mflags} check
 %{_libdir}/pkgconfig/luksmeta.pc
 
 %changelog
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 9-12
-- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
+* Fri Nov 28 2025 Sergio Correia <scorreia@redhat.com> - 9-4.1
+- Fix handling of large metadata
+  Resolves: RHEL-122138
 
-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 9-11
-- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+* Sat Nov 30 2019 Sergio Correia <scorreia@redhat.com> - 9-4
+- LUKSMeta now sets error level from libcryptsetup to CRYPT_LOG_ERROR, and
+  this output is logged to stderr
+  Resolves: rhbz#1770395
 
-* Mon Apr 05 2021 Sergio Correia <scorreia@redhat.com> - 9-10
-- Add cryptsetup as a package required during build time.
-
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 9-9
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 9-8
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 9-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Tue Dec 31 2019 Sergio Correia <scorreia@redhat.com> - 9-6
-- Define log callback function to use with libcryptsetup
-  Logs from libcryptsetup now go to stderr and this prevents issues like
-  the one reported in https://bugzilla.redhat.com/show_bug.cgi?id=1770395
-
-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 9-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Mon Jun 03 2019 Daniel Kopecek <dkopecek@redhat.com> - 9-4
-- Add patch to fix tests on newer kernels 
-
-* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 9-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+* Mon Dec 10 2018 Daniel Kopecek <dkopecek@redhat.com> - 9-3
+- Enabled build gating
+- Synced layout test assumtions with recent cryptsetup changes
+  Resolves: rhbz#1625683
 
 * Thu Aug 09 2018 Nathaniel McCallum <npmccallum@redhat.com> - 9-2
 - Add (upstream) patch to fix tests on LUKSv2-default cryptsetup