Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
[ Reason ]
Fix a possible buffer overflow when decrypting a forged JWE with an invalid iv
or cipherkey
[ Impact ]
program might crash or execute arbitrary code
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Check iv and cypherkey len before decoding them
[ Other info ]
CVE id pending
diff -Nru rhonabwy-0.9.13/debian/changelog rhonabwy-0.9.13/debian/changelog
--- rhonabwy-0.9.13/debian/changelog2021-09-22 07:29:46.0 -0400
+++ rhonabwy-0.9.13/debian/changelog2022-06-26 17:27:39.0 -0400
@@ -1,3 +1,9 @@
+rhonabwy (0.9.13-3+deb11u2) bullseye; urgency=medium
+
+ * d/patches/aesgcm.patch: Fix aesgcm buffer overflow
+
+ -- Nicolas Mora Sun, 26 Jun 2022 17:27:39 -0400
+
rhonabwy (0.9.13-3+deb11u1) bullseye; urgency=medium
* d/patches/bugfixes: apply upstream bugfixes
diff -Nru rhonabwy-0.9.13/debian/patches/aesgcm.patch
rhonabwy-0.9.13/debian/patches/aesgcm.patch
--- rhonabwy-0.9.13/debian/patches/aesgcm.patch 1969-12-31 19:00:00.0
-0500
+++ rhonabwy-0.9.13/debian/patches/aesgcm.patch 2022-06-26 17:26:58.0
-0400
@@ -0,0 +1,32 @@
+Description: Fix aesgcm buffer overflow
+Author: Nicolas Mora
+Forwarded: not-needed
+--- a/src/jwe.c
b/src/jwe.c
+@@ -226,14 +226,24 @@
+ ret = RHN_ERROR;
+ break;
+ }
++ if (!o_base64url_decode((const unsigned char
*)r_jwe_get_header_str_value(jwe, "iv"),
o_strlen(r_jwe_get_header_str_value(jwe, "iv")), NULL, _len) || iv_len > 96)
{
++y_log_message(Y_LOG_LEVEL_ERROR, "r_jwe_aesgcm_key_unwrap - Invalid
header iv");
++ret = RHN_ERROR_INVALID;
++break;
++ }
+ if (!o_base64url_decode((const unsigned char
*)r_jwe_get_header_str_value(jwe, "iv"),
o_strlen(r_jwe_get_header_str_value(jwe, "iv")), iv, _len)) {
+ y_log_message(Y_LOG_LEVEL_ERROR, "r_jwe_aesgcm_key_unwrap - Error
o_base64url_decode iv");
+-ret = RHN_ERROR;
++ret = RHN_ERROR_INVALID;
++break;
++ }
++ if (!o_base64url_decode((const unsigned char
*)jwe->encrypted_key_b64url, o_strlen((const char *)jwe->encrypted_key_b64url),
NULL, _len) || cipherkey_len > 64) {
++y_log_message(Y_LOG_LEVEL_ERROR, "r_jwe_aesgcm_key_unwrap - Invalid
cipherkey");
++ret = RHN_ERROR_INVALID;
+ break;
+ }
+ if (!o_base64url_decode((const unsigned char
*)jwe->encrypted_key_b64url, o_strlen((const char *)jwe->encrypted_key_b64url),
cipherkey, _len)) {
+ y_log_message(Y_LOG_LEVEL_ERROR, "r_jwe_aesgcm_key_unwrap - Error
o_base64url_decode cipherkey");
+-ret = RHN_ERROR;
++ret = RHN_ERROR_INVALID;
+ break;
+ }
+ key_g.data = key;
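Review bot: The new pre-checks compare the decoded lengths with bare literals (`iv_len > 96`, `cipherkey_len > 64`) that presumably mirror the sizes of the `iv` and `cipherkey` buffers, which are declared outside this hunk; if those are fixed-size arrays, tie each bound to its destination, e.g. `|| iv_len > sizeof(iv))` and `|| cipherkey_len > sizeof(cipherkey))`, so the check cannot drift from the declaration. Note also that 96 is the AES-GCM IV size in bits (RFC 7518 section 4.7.1.1), while the decoded length is counted in bytes, so the check stops the overflow but still accepts an IV of up to 96 bytes; rejecting anything other than 12 bytes would fail malformed tokens earlier. A one-line comment above each check, such as `/* dry-run decode (NULL output) to get the length before writing into the fixed buffer */`, would explain why each value is decoded twice. The enclosing function starts and ends outside the hunk, so any other decode into a fixed-size buffer there is not visible here and is worth checking the same way.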
diff -Nru rhonabwy-0.9.13/debian/patches/series
rhonabwy-0.9.13/debian/patches/series
--- rhonabwy-0.9.13/debian/patches/series 2021-09-22 07:29:46.0
-0400
+++ rhonabwy-0.9.13/debian/patches/series 2022-06-26 17:25:31.0
-0400
@@ -1,3 +1,4 @@
library_info.patch
disable_test_rhonabwy_generate_key_pair.patch
bugfixes.patch
+aesgcm.patch