On Tue, Apr 07, 2026 at 09:48:12AM +0200, Greg Kroah-Hartman wrote:
> Subject: [PATCH 07/10] BUG: jwt: fix heap overflow in ECDSA signature DER conversion
> convert_ecdsa_sig() calls i2d_ECDSA_SIG(ecdsa_sig, &p) where p
> points into signature->area, a trash chunk of tune.bufsize bytes
> (default 16384). i2d writes with no output bound.
> 
> The raw R||S input can be up to bufsize bytes (filled by
> base64urldec at jwt.c:520-527), giving bignum_len up to 8192. The
> DER encoding adds a SEQUENCE header (2-4 bytes), two INTEGER headers
> (2-4 bytes each), and up to two leading-zero sign-padding bytes when
> the bignum high bit is set. With two 8192-byte bignums having the
> high bit set, the encoding is ~16398 bytes, overflowing the 16384-
> byte buffer by ~14 bytes.
> 
> Triggered by any JWT with alg=ES256/384/512 and a ~21830-character
> base64url signature. The signature does not need to verify
> successfully; the overflow happens before verification. Reachable
> from any config using jwt_verify with an EC algorithm.
> 
> Also fixes the existing wrong check: i2d returns -1 on error which
> became SIZE_MAX in the size_t signature->data, defeating the
> "== 0" test.
> 
> This must be backported as far as JWT support exists.

Merged as a BUG/MEDIUM, thanks!

-- 
William Lallemand
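The worst-case sizing argument in the quoted commit message, as an added example (not HAProxy's or OpenSSL's code): it computes the DER length of an ECDSA-Sig-Value SEQUENCE for given bignum sizes, reproduces the ~16398-byte figure against the 16384-byte buffer, and shows the int-before-size_t check that keeps an i2d error return from becoming SIZE_MAX. All function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>

/* Size of a DER length field for a content length n:
 * one byte in short form (n < 128), otherwise 1 + number of length bytes. */
static size_t der_len_field(size_t n)
{
    size_t bytes = 0;
    if (n < 128)
        return 1;
    while (n) { bytes++; n >>= 8; }
    return 1 + bytes;
}

/* Worst-case DER size of an INTEGER whose big-endian magnitude is n bytes:
 * tag + length field + one 0x00 sign-padding byte (high bit set) + n. */
static size_t der_integer_max_len(size_t n)
{
    size_t content = n + 1;
    return 1 + der_len_field(content) + content;
}

/* Worst-case DER size of SEQUENCE { r INTEGER, s INTEGER }. */
size_t ecdsa_der_sig_max_len(size_t r_len, size_t s_len)
{
    size_t content = der_integer_max_len(r_len) + der_integer_max_len(s_len);
    return 1 + der_len_field(content) + content;
}

/* Given a raw R||S signature of raw_len bytes (r and s each raw_len/2),
 * report whether its DER form is guaranteed to fit in buf_size bytes.
 * This is the bound check the buggy path lacked: the caller must know
 * the answer before letting i2d write into a fixed-size buffer. */
bool ecdsa_der_fits(size_t raw_len, size_t buf_size)
{
    size_t bignum_len = raw_len / 2;
    return ecdsa_der_sig_max_len(bignum_len, bignum_len) <= buf_size;
}

/* i2d_*() returns the encoded length, or a negative value on error.
 * Storing that straight into a size_t turns -1 into SIZE_MAX, so test
 * the int first and only then convert. Returns false on error. */
bool i2d_result_to_size(int ret, size_t *out)
{
    if (ret <= 0)
        return false;
    *out = (size_t)ret;
    return true;
}
```

Two 8192-byte bignums with the high bit set give 16398 bytes, 14 more than the 16384-byte area, while a normal ES256 signature (32-byte r and s) never exceeds 72 bytes.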
