Hi,

This bug is still unfixed even though the patch is trivial. Here is a template for an update:
diff --git a/debian/changelog b/debian/changelog
index 558cbac..849d0f4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+cryptojs (3.1.2+dfsg-3+deb12u1) bookworm-security; urgency=medium
+
+  * Change default hash algorithm and iteration's for PBKDF2
+    (Closes: #1055525)
+
+ -- Yadd <y...@debian.org>  Thu, 16 Nov 2023 10:53:45 +0400
+
 cryptojs (3.1.2+dfsg-3) unstable; urgency=medium
 
   * Add upstream metadata.
diff --git a/debian/patches/CVE-2023-46233.patch 
b/debian/patches/CVE-2023-46233.patch
new file mode 100644
index 0000000..c321f49
--- /dev/null
+++ b/debian/patches/CVE-2023-46233.patch
@@ -0,0 +1,38 @@
+Description: Change default hash algorithm and iteration's for PBKDF2
+ to prevent weak security by using the default configuration
+Author: evanvosberg <evanvosb...@urban.to>
+Origin: upstream, https://github.com/brix/crypto-js/commit/421dd538
+Bug: https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf
+Bug-Debian: https://bugs.debian.org/1055525
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2023-11-16
+
+--- a/components/pbkdf2.js
++++ b/components/pbkdf2.js
+@@ -11,7 +11,7 @@
+     var Base = C_lib.Base;
+     var WordArray = C_lib.WordArray;
+     var C_algo = C.algo;
+-    var SHA1 = C_algo.SHA1;
++    var SHA256 = C_algo.SHA256;
+     var HMAC = C_algo.HMAC;
+ 
+     /**
+@@ -22,13 +22,13 @@
+          * Configuration options.
+          *
+          * @property {number} keySize The key size in words to generate. 
Default: 4 (128 bits)
+-         * @property {Hasher} hasher The hasher to use. Default: SHA1
++         * @property {Hasher} hasher The hasher to use. Default: SHA256
+          * @property {number} iterations The number of iterations to perform. 
Default: 1
+          */
+         cfg: Base.extend({
+             keySize: 128/32,
+-            hasher: SHA1,
+-            iterations: 1
++            hasher: SHA256,
++            iterations: 250000
+         }),
+ 
+         /**
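Review bot: The new defaults (`hasher: SHA256`, `iterations: 250000`) change the output of every PBKDF2 call that relies on the default `cfg`, so keys derived before this stable update will not match keys derived after it, and data encrypted or verifiers stored with the old defaults can only be reproduced by passing `{ hasher: CryptoJS.algo.SHA1, iterations: 1 }` explicitly. A bookworm-security update that breaks existing callers should say so in the patch Description and the changelog, e.g. ` Note: this changes PBKDF2 output for callers relying on the defaults; pass hasher/iterations explicitly to reproduce keys derived before this update.`, and a debian/NEWS entry would also be appropriate. `C_algo.SHA256` is read at component load time, so if the package's component dependency order still lists sha1 rather than sha256 as pbkdf2's prerequisite (not visible in this hunk), the new default would be undefined at runtime; worth verifying. Likewise, if the package installs upstream's pre-built rollups or any copy of pbkdf2 outside `components/`, those still carry the old defaults since the patch touches only `components/pbkdf2.js`.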
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..4fdeacb
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2023-46233.patch
