
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-8454 affects uscan, a tool in the devscripts package that watches upstream sources for new releases of software. The vulnerability was discovered in August 2025 and affects the OpenPGP verification functionality. The issue exists in devscripts versions up to 2.25.15, affecting multiple Debian distributions including bullseye, bookworm, and trixie (Debian Tracker).
The vulnerability occurs because uscan skips OpenPGP verification when the upstream source has already been downloaded by a previous run, even if verification failed in that run. This behavior persists even without the --skip-signature option. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and is classified as CWE-347 (Improper Verification of Cryptographic Signature) (NVD).
The vulnerability allows an attacker to bypass cryptographic verification of downloaded source packages. This could potentially lead to the use of maliciously modified source code in package builds, as the tool accepts previously downloaded files without re-verifying their signatures, even if the initial verification failed (Debian Bug).
Two potential fixes have been proposed: 1) Store downloaded files under a temporary name until signature verification passes, or 2) Remove the verification skip for previously downloaded files. A patch has been submitted that implements the second approach by modifying the WatchSource.pm file in the devscripts package (Debian Bug).
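The failure mode described above (a file left behind by a failed run is trusted on the next run) and the two proposed fixes are modelled in the added example below. This is illustrative code written for this page, not uscan's own WatchSource.pm logic; the HMAC-based `signature_ok` stands in for the gpgv OpenPGP check so the example runs offline, and the tarball contents, file names and key are constructed values.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Callable, Tuple

# Constructed stand-in for OpenPGP detached-signature verification: a keyed
# HMAC-SHA256 over the tarball bytes. Real uscan invokes gpgv; the substitute
# only exists so that the flow can be exercised without network or keyrings.
SIGNING_KEY = b"constructed-upstream-signing-key"


def make_signature(tarball: bytes) -> bytes:
    """Upstream's 'signature' over the genuine tarball (constructed)."""
    return hmac.new(SIGNING_KEY, tarball, hashlib.sha256).digest()


def signature_ok(tarball: bytes, signature: bytes) -> bool:
    """Hypothetical replacement for the gpgv check."""
    return hmac.compare_digest(make_signature(tarball), signature)


def vulnerable_fetch(workdir: Path, name: str,
                     download: Callable[[], bytes], signature: bytes) -> bool:
    """Models the flawed flow: an already-present file is accepted unverified."""
    target = workdir / name
    if target.exists():
        # Verification is skipped for a file left behind by an earlier run,
        # regardless of whether that run's verification succeeded.
        return True
    # The download lands under its final name before any check runs, so a
    # failed verification still leaves the file on disk for the next run.
    target.write_bytes(download())
    return signature_ok(target.read_bytes(), signature)


def hardened_fetch(workdir: Path, name: str,
                   download: Callable[[], bytes], signature: bytes) -> bool:
    """Applies both proposed fixes: temporary name until verified, never skip."""
    target = workdir / name
    if not target.exists():
        partial = workdir / (name + ".part")   # fix 1: temporary name
        partial.write_bytes(download())
        if not signature_ok(partial.read_bytes(), signature):
            partial.unlink()                   # nothing is promoted on failure
            return False
        partial.replace(target)
    # fix 2: verify on every run, whether the file was just fetched or
    # was already present from a previous run.
    return signature_ok(target.read_bytes(), signature)


def run_twice(fetch_impl: Callable[..., bool],
              serve_tampered: bool = True) -> Tuple[bool, bool, bool]:
    """Two consecutive runs against the same upstream.

    Returns (first_run_accepted, second_run_accepted, final_file_present).
    The signature is always the genuine one; when serve_tampered is True the
    served tarball does not match it.
    """
    genuine = b"example-1.0.tar.gz genuine contents (constructed)"
    tampered = b"example-1.0.tar.gz modified contents (constructed)"
    signature = make_signature(genuine)
    served = tampered if serve_tampered else genuine
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        first = fetch_impl(workdir, "example-1.0.tar.gz", lambda: served, signature)
        second = fetch_impl(workdir, "example-1.0.tar.gz", lambda: served, signature)
        present = (workdir / "example-1.0.tar.gz").exists()
    return first, second, present


if __name__ == "__main__":
    print("vulnerable, tampered:", run_twice(vulnerable_fetch))   # (False, True, True)
    print("hardened,   tampered:", run_twice(hardened_fetch))     # (False, False, False)
    print("hardened,   genuine :", run_twice(hardened_fetch, False))  # (True, True, True)
```

The second run of `vulnerable_fetch` is the CWE-347 condition the advisory describes: the first run rejected the tarball but left it under its final name, and the next run treats its presence as proof of verification. With `hardened_fetch` a rejected download is never promoted to the final name, and a file that is already present is re-verified rather than trusted.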
Source: This report was generated using AI