| From | Julien Cristau <jcristau@debian.org> |
|---|---|
| Newsgroups | linux.debian.bugs.dist, linux.debian.devel.release |
| Subject | Bug#1007884: bullseye-pu: package glewlwyd/2.5.2-2+deb11u2 |
| Date | 2022-03-18 16:40 +0100 |
| Message-ID | <E2mRP-2AzM-9@gated-at.bofh.it> |
| References | <E29KV-2sCO-1@gated-at.bofh.it> <E29KV-2sCO-1@gated-at.bofh.it> |
| Organization | linux.* mail to news gateway |
Cross-posted to 2 groups.
Control: severity -1 normal
Control: retitle -1 bullseye-pu: package glewlwyd/2.5.2-2+deb11u3
Control: tag -1 moreinfo

On Thu, Mar 17, 2022 at 09:17:12PM -0400, Nicolas Mora wrote:
> [ Reason ]
> Possible buffer overflow on signature verification during webauthn assertion
>
> [ Impact ]
> Possibility of denial of service
>
> [ Checklist ]
> [X] *all* changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in (old)stable

The below is not a debdiff, and doesn't include a changelog entry. :(

> [X] the issue is verified as fixed in unstable
>
> [ Changes ]
> Check the length of the signature before verifying it
>

What's the change of o_base64url_decode to o_base64_decode about?

Cheers,
Julien

> [ Other info ]
> CVE ID request pending
> Description: Fix buffer overflow
> Author: Nicolas Mora <babelouest@debian.org>
> Forwarded: not-needed
> --- a/src/scheme/webauthn.c
> +++ b/src/scheme/webauthn.c
> @@ -2336,12 +2336,24 @@
> break;
> }
>
> - if (!o_base64url_decode((const unsigned char *)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), sig, &sig_len)) {
> - y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Error o_base64url_decode signature");
> + if (!o_base64_decode((const unsigned char *)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), NULL, &sig_len)) {
> + y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Invalid signature format");
> ret = G_ERROR_PARAM;
> break;
> }
>
> + if (sig_len > 128) {
> + y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Invalid signature");
> + ret = G_ERROR_PARAM;
> + break;
> + }
> +
> + if (!o_base64_decode((const unsigned char *)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), sig, &sig_len)) {
> + y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Error o_base64_decode signature");
> + ret = G_ERROR;
> + break;
> + }
> +
> memcpy(data_signed, auth_data, auth_data_len);
> memcpy(data_signed+auth_data_len, cdata_hash, cdata_hash_len);
>
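
Review bot: The bound in `if (sig_len > 128)` is a bare literal, and the declaration of `sig` lies outside this hunk, so nothing visible here shows that 128 matches the capacity of the buffer the second decode writes into. Suggest comparing against the buffer size itself (for example `sizeof(sig)` if it is an array) or a named constant shared with the declaration, so the check cannot drift from the buffer. Separately, both new decode calls use `o_base64_decode` where the removed line used `o_base64url_decode`, which the description ("Check the length of the signature before verifying it") does not cover; that change should be explained in the changelog or dropped from this fix. The nested `json_object_get(...)` lookup of the signature is now repeated in each call and could be hoisted into a local so the length pass and the decode pass are guaranteed to read the same value.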