Bug 34940 - sodium new security issue CVE-2025-69277
Summary: sodium new security issue CVE-2025-69277
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-01-06 15:20 CET by Nicolas Salguero
Modified: 2026-01-10 06:08 CET (History)

See Also:
Source RPM: sodium-1.0.18-3.mga9.src.rpm
CVE: CVE-2025-69277
Status comment:


Nicolas Salguero 2026-01-06 15:21:28 CET

Flags: (none) => affects_mga9+
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2025-69277
Source RPM: (none) => sodium-1.0.20-2.mga10.src.rpm, sodium-1.0.18-3.mga9.src.rpm
Status comment: (none) => Patch available from upstream and Debian

Comment 1 Nicolas Salguero 2026-01-07 14:07:07 CET
For Cauldron, sodium-1.0.21-2.mga10 solves that issue.

Whiteboard: MGA9TOO => (none)
Flags: affects_mga9+ => (none)
Version: Cauldron => 9
Source RPM: sodium-1.0.20-2.mga10.src.rpm, sodium-1.0.18-3.mga9.src.rpm => sodium-1.0.18-3.mga9.src.rpm

Comment 2 Nicolas Salguero 2026-01-08 16:22:07 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group. (CVE-2025-69277)

References:
https://lists.debian.org/debian-security-announce/2026/msg00002.html
========================

Updated packages in core/updates_testing:
========================
lib(64)sodium23-1.0.18-3.1.mga9
lib(64)sodium-devel-1.0.18-3.1.mga9

from SRPM:
sodium-1.0.18-3.1.mga9.src.rpm

Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs
Status comment: Patch available from upstream and Debian => (none)
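The advisory above turns on the difference between a point that lies on the edwards25519 curve and a point that lies in the prime-order group used for keys and signatures: small-order points satisfy the curve equation yet are not generated by the base point, so a validity check that only confirms "on the curve" can accept them. The following is an added illustration, not libsodium's code and not the fix referenced by the advisory. It decodes a 32-byte encoding per RFC 8032 in pure Python and then performs the group-membership check a caller can apply independently (multiply by the group order L and expect the identity). The three sample encodings are the standard base point and two well-known small-order encodings; the affine arithmetic is textbook and unoptimised, chosen for readability rather than for constant-time behaviour.

```python
# Added example (not libsodium's own code): pure-Python edwards25519 arithmetic
# showing the gap between "on the curve" and "in the main (prime-order) group".

P = 2**255 - 19
D = (-121665 * pow(121666, P - 2, P)) % P           # curve constant d
L = 2**252 + 27742317777372353535851937790883648493  # order of the main subgroup
SQRT_M1 = pow(2, (P - 1) // 4, P)                    # a square root of -1 mod p
IDENTITY = (0, 1)

# Well-known encodings (hex): base point B, the order-2 point (0, -1),
# and an order-4 point (sqrt(-1), 0).
SAMPLES = {
    "base_point": "5866666666666666666666666666666666666666666666666666666666666666",
    "order_2": "ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f",
    "order_4": "0000000000000000000000000000000000000000000000000000000000000000",
}


def inv(a):
    return pow(a, P - 2, P)


def decode_point(b):
    """RFC 8032 section 5.1.3 decoding; returns (x, y) or None if rejected."""
    if len(b) != 32:
        return None
    y = int.from_bytes(b, "little")
    sign = y >> 255
    y &= (1 << 255) - 1
    if y >= P:                       # non-canonical y
        return None
    u = (y * y - 1) % P
    v = (D * y * y + 1) % P
    x = (u * pow(v, 3, P) * pow(u * pow(v, 7, P), (P - 5) // 8, P)) % P
    vx2 = (v * x * x) % P
    if vx2 == (-u) % P:
        x = (x * SQRT_M1) % P
    elif vx2 != u:
        return None                  # x^2 has no root: not on the curve
    if x == 0 and sign == 1:
        return None
    if (x & 1) != sign:
        x = P - x
    return (x, y)


def on_curve(pt):
    x, y = pt
    return (-x * x + y * y - 1 - D * x * x * y * y) % P == 0


def add(p1, p2):
    """Affine twisted-Edwards addition (a = -1); complete, so no special cases."""
    x1, y1 = p1
    x2, y2 = p2
    k = (D * x1 * x2 * y1 * y2) % P
    x3 = (x1 * y2 + x2 * y1) * inv(1 + k) % P
    y3 = (y1 * y2 + x1 * x2) * inv(1 - k) % P
    return (x3, y3)


def scalar_mult(n, pt):
    result, acc = IDENTITY, pt
    while n:
        if n & 1:
            result = add(result, acc)
        acc = add(acc, acc)
        n >>= 1
    return result


def in_main_group(pt):
    """True iff L * pt is the identity, i.e. pt lies in the prime-order subgroup."""
    return scalar_mult(L, pt) == IDENTITY


def is_valid_point(b):
    """Caller-side check: canonical, on the curve, in the main group, not the identity."""
    pt = decode_point(b)
    if pt is None or not on_curve(pt) or pt == IDENTITY:
        return False
    return in_main_group(pt)


def classify_samples():
    """Map each sample name to (on_curve, in_main_group, is_valid_point)."""
    out = {}
    for name, hexenc in SAMPLES.items():
        pt = decode_point(bytes.fromhex(hexenc))
        out[name] = (on_curve(pt), in_main_group(pt), is_valid_point(bytes.fromhex(hexenc)))
    return out


if __name__ == "__main__":
    for name, flags in classify_samples().items():
        print(f"{name:11s} on_curve={flags[0]} main_group={flags[1]} valid={flags[2]}")
```

All three samples decode and satisfy the curve equation, but only the base point survives the order check; the other two are exactly the kind of input a caller wants is_valid_point to reject before feeding the point into a Diffie-Hellman or signature computation.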

katnatek 2026-01-09 01:49:38 CET

Keywords: (none) => advisory

Comment 3 katnatek 2026-01-09 02:17:03 CET
RH

installing lib64sodium23-1.0.18-3.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     #####################################################################################
      1/1: lib64sodium23         #####################################################################################
      1/1: removing lib64sodium23-1.0.18-3.mga9.x86_64
                                 #####################################################################################

0ad says it requires sodium, but the strace did not find evidence of the lib. I started one game (I'm not a fan of these games :P), but no issues.

Trying with the megasync package in blodrake's repository, I got lucky; the strace shows
openat(AT_FDCWD, "/usr/lib64/libsodium.so.23", O_RDONLY|O_CLOEXEC) = 3

Whiteboard: (none) => MGA9-64-OK

Comment 4 Thomas Andrews 2026-01-10 01:47:44 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Mageia Robot 2026-01-10 06:08:54 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0004.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
