Bug#1013893: bullseye-pu: package rhonabwy/0.9.13-3+deb11u1

2023-07-24 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Sun, Jun 26, 2022 at 05:36:42PM -0400, Nicolas Mora wrote:
> [ Reason ]
> Fix possible buffer overflow when decrypting forged jwe with invalid iv or
> cypherkey

Please go ahead, mentioning the CVE number in the changelog.

Thanks,


-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Bug#1013893: bullseye-pu: package rhonabwy/0.9.13-3+deb11u1

2022-07-15 Thread Salvatore Bonaccorso
Hi,

On Sun, Jun 26, 2022 at 05:36:42PM -0400, Nicolas Mora wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> [ Reason ]
> Fix possible buffer overflow when decrypting forged jwe with invalid iv or
> cypherkey
> 
> [ Impact ]
> program might crash or execute arbitrary code
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> [ Changes ]
> Check iv and cypherkey len before decoding them
> 
> [ Other info ]
> CVE id pending

Looks like the CVE is CVE-2022-32096 now:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32096

Regards,
Salvatore



Bug#1013893: bullseye-pu: package rhonabwy/0.9.13-3+deb11u1

2022-06-26 Thread Nicolas Mora
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
Fix possible buffer overflow when decrypting forged jwe with invalid iv or
cypherkey

[ Impact ]
program might crash or execute arbitrary code

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Check iv and cypherkey len before decoding them

[ Other info ]
CVE id pending
diff -Nru rhonabwy-0.9.13/debian/changelog rhonabwy-0.9.13/debian/changelog
--- rhonabwy-0.9.13/debian/changelog2021-09-22 07:29:46.0 -0400
+++ rhonabwy-0.9.13/debian/changelog2022-06-26 17:27:39.0 -0400
@@ -1,3 +1,9 @@
+rhonabwy (0.9.13-3+deb11u2) bullseye; urgency=medium
+
+  * d/patches/aesgcm.patch: Fix aesgcm buffer overflow
+
+ -- Nicolas Mora   Sun, 26 Jun 2022 17:27:39 -0400
+
 rhonabwy (0.9.13-3+deb11u1) bullseye; urgency=medium
 
   * d/patches/bugfixes: apply upstream bugfixes
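Review bot: the new +deb11u2 changelog entry names only the patch and does not mention CVE-2022-32096 or this bug, although the release team asked for the CVE number to appear in the changelog; suggest `* d/patches/aesgcm.patch: Fix aesgcm buffer overflow (CVE-2022-32096)` so the security tracker and the pu bug can be matched to the upload.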
diff -Nru rhonabwy-0.9.13/debian/patches/aesgcm.patch 
rhonabwy-0.9.13/debian/patches/aesgcm.patch
--- rhonabwy-0.9.13/debian/patches/aesgcm.patch 1969-12-31 19:00:00.0 
-0500
+++ rhonabwy-0.9.13/debian/patches/aesgcm.patch 2022-06-26 17:26:58.0 
-0400
@@ -0,0 +1,32 @@
+Description: Fix aesgcm buffer overflow
+Author: Nicolas Mora 
+Forwarded: not-needed
+--- a/src/jwe.c
 b/src/jwe.c
+@@ -226,14 +226,24 @@
+ ret = RHN_ERROR;
+ break;
+   }
++  if (!o_base64url_decode((const unsigned char 
*)r_jwe_get_header_str_value(jwe, "iv"), 
o_strlen(r_jwe_get_header_str_value(jwe, "iv")), NULL, _len) || iv_len > 96) 
{
++y_log_message(Y_LOG_LEVEL_ERROR, "r_jwe_aesgcm_key_unwrap - Invalid 
header iv");
++ret = RHN_ERROR_INVALID;
++break;
++  }
+   if (!o_base64url_decode((const unsigned char 
*)r_jwe_get_header_str_value(jwe, "iv"), 
o_strlen(r_jwe_get_header_str_value(jwe, "iv")), iv, _len)) {
+ y_log_message(Y_LOG_LEVEL_ERROR, "r_jwe_aesgcm_key_unwrap - Error 
o_base64url_decode iv");
+-ret = RHN_ERROR;
++ret = RHN_ERROR_INVALID;
++break;
++  }
++  if (!o_base64url_decode((const unsigned char 
*)jwe->encrypted_key_b64url, o_strlen((const char *)jwe->encrypted_key_b64url), 
NULL, _len) || cipherkey_len > 64) {
++y_log_message(Y_LOG_LEVEL_ERROR, "r_jwe_aesgcm_key_unwrap - Invalid 
cipherkey");
++ret = RHN_ERROR_INVALID;
+ break;
+   }
+   if (!o_base64url_decode((const unsigned char 
*)jwe->encrypted_key_b64url, o_strlen((const char *)jwe->encrypted_key_b64url), 
cipherkey, _len)) {
+ y_log_message(Y_LOG_LEVEL_ERROR, "r_jwe_aesgcm_key_unwrap - Error 
o_base64url_decode cipherkey");
+-ret = RHN_ERROR;
++ret = RHN_ERROR_INVALID;
+ break;
+   }
+   key_g.data = key;
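Review bot: the added bounds `iv_len > 96` and `cipherkey_len > 64` are bare literals, while the declarations of the `iv` and `cipherkey` buffers they are meant to protect are outside the hunk, so a reader cannot verify that the limits match the buffer sizes; comparing against `sizeof(iv)` and `sizeof(cipherkey)`, or a comment tying each literal to its declaration, would make the overflow fix self-evidently correct. A tighter check would also help: the JWE AES-GCM key-wrap IV is 96 bits (12 bytes) per RFC 7518, so accepting anything up to 96 bytes still lets oversized headers through to the decoder. Two things to confirm in the actual file, since they may be rendering artifacts: the length-probing calls read `NULL, _len)` where the address of the length variable (`&iv_len`, `&cipherkey_len`) is expected, and the embedded `b/src/jwe.c` header lacks its `+++` prefix; as shown, the patch would neither compile nor apply.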
diff -Nru rhonabwy-0.9.13/debian/patches/series 
rhonabwy-0.9.13/debian/patches/series
--- rhonabwy-0.9.13/debian/patches/series   2021-09-22 07:29:46.0 
-0400
+++ rhonabwy-0.9.13/debian/patches/series   2022-06-26 17:25:31.0 
-0400
@@ -1,3 +1,4 @@
 library_info.patch
 disable_test_rhonabwy_generate_key_pair.patch
 bugfixes.patch
+aesgcm.patch