Bug#1010657: google-oauth-client-java: CVE-2021-22573 - IdTokenVerifier does not verify the signature of ID Token

2022-05-16 Thread tony mancill
Hi Markus,

On Mon, May 16, 2022 at 12:52:59AM +0200, Markus Koschany wrote:
> Hi tony,
> 
> Am Sonntag, dem 15.05.2022 um 11:17 -0700 schrieb tony mancill:
> 
> > [...]
> > Any thoughts?  It's a tad messy either way, but using current versions
> > simplifies the porting of patches.
> 
> I haven't investigated the CVE closely enough but the current
> reverse-dependencies in Bullseye don't seem to be severely affected by it.
> bazel-bootstrap and libgoogle-api-client-java are more like leaf packages
> unless we take openrefine in bullseye-backports into consideration as well.
> 
> We could also mark the CVE as ignored for Bullseye because of the minor
> impact, or just upload the new google-http-client-java package to bullseye
> after approval by the release team and then update google-oauth-java-client
> as well. We just have to check if this breaks the two other packages in
> Bullseye (bazel-bootstrap and google-api-client-java).
> 
> So yes, a newer upstream version is fine, if it does not break any existing
> packages and there is no other way or the alternative would be way too time
> consuming and inconvenient. 

That is a good suggestion to potentially mark the CVE as ignored.
Unless there is a specific need for the updates in bullseye, I don't
have a reason to push the issue.  I wanted to address the CVE in
testing/unstable, and didn't want to just disappear and ignore the issue
for the other suites.

And if there is a compelling need for the updates to land in bullseye,
we can revisit.

Thanks!




Bug#1010657: google-oauth-client-java: CVE-2021-22573 - IdTokenVerifier does not verify the signature of ID Token

2022-05-15 Thread Markus Koschany
Hi tony,

Am Sonntag, dem 15.05.2022 um 11:17 -0700 schrieb tony mancill:

> [...]
> Any thoughts?  It's a tad messy either way, but using current versions
> simplifies the porting of patches.

I haven't investigated the CVE closely enough but the current
reverse-dependencies in Bullseye don't seem to be severely affected by it.
bazel-bootstrap and libgoogle-api-client-java are more like leaf packages
unless we take openrefine in bullseye-backports into consideration as well.

We could also mark the CVE as ignored for Bullseye because of the minor impact,
or just upload the new google-http-client-java package to bullseye after
approval by the release team and then update google-oauth-java-client as well.
We just have to check if this breaks the two other packages in Bullseye
(bazel-bootstrap and google-api-client-java).

So yes, a newer upstream version is fine, if it does not break any existing
packages and there is no other way or the alternative would be way too time
consuming and inconvenient. 

Cheers,

Markus





Bug#1010657: google-oauth-client-java: CVE-2021-22573 - IdTokenVerifier does not verify the signature of ID Token

2022-05-15 Thread tony mancill
On Mon, May 09, 2022 at 09:23:36PM -0700, tony mancill wrote:
> On Fri, May 06, 2022 at 09:46:24AM +0100, Neil Williams wrote:
> > Source: google-oauth-client-java
> > Version: 1.28.0-2
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > Fixed in upstream release 1.33.3
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2021-22573
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22573
> > 
> > Please adjust the affected versions in the BTS as needed.
> 
> Upstream version 1.33.3 requires a minor update to the Debian packaging
> of google-http-client-java that I am working on now.
> 
> I will upload a package for 1.33.3 in the next day or so.

In order to backport this patch for bullseye, we will need a version of
google-http-client-java in bullseye that includes
google-http-client-gson.jar (as was added in [1]).  I'm not sure how
this works if a security update for a package requires an update to its
build-deps.

Based on the limited set of reverse-dependencies of
libgoogle-oauth-client-java in bullseye - that is:

$ reverse-depends --build --list --release=bullseye libgoogle-oauth-client-java
google-api-client-java

$ reverse-depends --list --release=bullseye libgoogle-oauth-client-java 
(nothing) 

$ reverse-depends --list --release=bullseye libgoogle-api-client-java
bazel-bootstrap

$ reverse-depends --build --list --release=bullseye libgoogle-api-client-java
bazel-bootstrap

$ reverse-depends --build --list --release=bullseye bazel-bootstrap
(nothing)

And the chain seems to end there.  As I understand it, getting
bazel-bootstrap into bullseye was in preparation for bookworm, but there
aren't any packages with build-deps on it in bullseye.

For that reason, I'm wondering whether we wouldn't be better off
updating instead of backporting to address this CVE.  Related to this,
Markus has already created a backport of google-http-client-java [2].
(That is, there are other reasons for newer versions in bullseye.)

Any thoughts?  It's a tad messy either way, but using current versions
simplifies the porting of patches.

Thank you,
tony

[1] https://tracker.debian.org/news/1323863/accepted-google-http-client-java-1418-2-source-into-unstable/
[2] https://tracker.debian.org/news/1292692/accepted-google-http-client-java-1401-1bpo111-source-all-into-bullseye-backports-bullseye-backports/




Bug#1010657: google-oauth-client-java: CVE-2021-22573 - IdTokenVerifier does not verify the signature of ID Token

2022-05-09 Thread tony mancill
On Fri, May 06, 2022 at 09:46:24AM +0100, Neil Williams wrote:
> Source: google-oauth-client-java
> Version: 1.28.0-2
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Hi,
> 
> The following vulnerability was published for google-oauth-client-java.
> 
> CVE-2021-22573[0]:
>
> (SNIP)
> 
> Fixed in upstream release 1.33.3
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2021-22573
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22573
> 
> Please adjust the affected versions in the BTS as needed.

Upstream version 1.33.3 requires a minor update to the Debian packaging
of google-http-client-java that I am working on now.

I will upload a package for 1.33.3 in the next day or so.

Cheers,
tony



Bug#1010657: google-oauth-client-java: CVE-2021-22573 - IdTokenVerifier does not verify the signature of ID Token

2022-05-06 Thread Neil Williams
Source: google-oauth-client-java
Version: 1.28.0-2
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: codeh...@debian.org, Debian Security Team 


Hi,

The following vulnerability was published for google-oauth-client-java.

CVE-2021-22573[0]:
| The vulnerability is that IDToken verifier does not verify if token is
| properly signed. Signature verification makes sure that the token's
| payload comes from valid provider, not from someone else. An attacker
| can provide a compromised token with custom payload. The token will
| pass the validation on the client side. We recommend upgrading to
| version 1.33.3 or above


> The spec requires to validate the signature of ID token for apps that
> cannot guarantee TLS communication, which is the case for this library.
> This library initiates a local server that can run on any client machine
> without TLS support. So, it is critical to validate the signature, 
> before trusting the claims of an ID token, which can be received from 
> a malicious service provider.

Fixed in upstream release 1.33.3

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-22573
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22573

Please adjust the affected versions in the BTS as needed.



-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.17.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
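The following is an added illustration of the flaw class described in the CVE text above (claims validated, signature never checked); it is not code from the bug report, from google-oauth-client-java, or from its upstream fix. It is written in Python on the standard library so it runs stand-alone, and it simplifies in one assumed way: the token is HS256 (HMAC-SHA256) under a constructed shared key, whereas real OIDC ID tokens are normally RS256 and must be checked against the provider's published public keys. The issuer, audience, key and subject names are constructed for the example. The control flow is what matters: a "verifier" that only decodes the payload accepts a token whose payload an attacker has swapped, while one that pins the algorithm and checks the signature first rejects it, as well as an `alg: none` token.

```python
"""Added example (not from the bug report or google-oauth-client-java):
ID-token verification with and without a signature check."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the example; not real identities or keys.
ISSUER = "https://accounts.example"
AUDIENCE = "client-id-1234"
PROVIDER_KEY = b"constructed-shared-secret-for-demo"   # assumption: HS256, not RS256


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _enc_json(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_token(claims: dict, key: bytes) -> str:
    """Build a compact JWS (header.payload.signature) with HS256."""
    signing_input = _enc_json({"alg": "HS256", "typ": "JWT"}) + "." + _enc_json(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def _check_claims(claims: dict, now: float) -> bool:
    """The checks a claims-only verifier does perform: iss, aud, exp."""
    return (claims.get("iss") == ISSUER
            and claims.get("aud") == AUDIENCE
            and isinstance(claims.get("exp"), int)
            and claims["exp"] > now)


def verify_unsafe(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Flaw class of CVE-2021-22573: decode the payload and validate the
    claims, but never look at the signature. Anyone can mint a passing token."""
    now = time.time() if now is None else now
    try:
        _header_b64, payload_b64, _sig_b64 = token.split(".")
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:          # bad segment count, base64 or JSON
        return None
    return claims if _check_claims(claims, now) else None


def verify_safe(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Hardened form: pin the algorithm, verify the signature over the exact
    header.payload bytes received, and only then validate the claims."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        return None
    if header.get("alg") != "HS256":   # never let the token choose (e.g. "none")
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None
    return claims if _check_claims(claims, now) else None


def forge_token(legit_token: str, new_claims: dict) -> str:
    """Attacker: keep the genuine header and signature, swap the payload."""
    header_b64, _payload_b64, sig_b64 = legit_token.split(".")
    return ".".join([header_b64, _enc_json(new_claims), sig_b64])


def none_alg_token(claims: dict) -> str:
    """Attacker: unsigned token with alg=none and an empty signature segment."""
    return _enc_json({"alg": "none", "typ": "JWT"}) + "." + _enc_json(claims) + "."


def demo(now: int = 1_700_000_000) -> dict:
    """Run both verifiers against genuine, payload-swapped and alg=none tokens."""
    good = {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "exp": now + 3600}
    evil = {"iss": ISSUER, "aud": AUDIENCE, "sub": "admin", "exp": now + 3600}
    genuine = sign_token(good, PROVIDER_KEY)
    return {
        "unsafe_genuine": verify_unsafe(genuine, now),
        "unsafe_forged": verify_unsafe(forge_token(genuine, evil), now),
        "unsafe_none_alg": verify_unsafe(none_alg_token(evil), now),
        "safe_genuine": verify_safe(genuine, PROVIDER_KEY, now),
        "safe_forged": verify_safe(forge_token(genuine, evil), PROVIDER_KEY, now),
        "safe_none_alg": verify_safe(none_alg_token(evil), PROVIDER_KEY, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} -> {'ACCEPTED as ' + result['sub'] if result else 'rejected'}")
```

Two details carry over to the RS256 case unchanged: the algorithm is pinned by the verifier rather than read from the token, and the signature is checked over the exact base64url segments received, before any claim is trusted. Swapping `hmac.new` for an RSA-PKCS1v15-SHA256 verify against the key selected by the header's `kid` from the provider's JWKS gives the real-world shape.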