Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
[ Reason ]
node-node-forge's signature verification code is lenient in checking the digest
algorithm structure. This can allow a crafted structure that steals padding
bytes and uses the unchecked portion of the PKCS#1 encoded message to forge a
signature when a low public exponent is being used. The issue has been
addressed in `node-forge` version 1.3.0.
[ Impact ]
medium vulnerability
[ Tests ]
New test added
[ Risks ]
Low risk, test passed
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Better checks
[ Other info ]
Upstream patch applied without any change except indentation
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index bd1ee3d..a11ea65 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-node-forge (0.8.1~dfsg-1+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * Fix signature verification
+(Closes: CVE-2022-24771, CVE-2022-24772, CVE-2022-24773)
+
+ -- Yadd Wed, 23 Mar 2022 11:28:00 +0100
+
node-node-forge (0.8.1~dfsg-1) unstable; urgency=medium
[ upstream ]
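Review bot: as shown, the continuation line `+(Closes: CVE-2022-24771, CVE-2022-24772, CVE-2022-24773)` has no leading indentation and the trailer `-- Yadd Wed, 23 Mar 2022 11:28:00 +0100` carries no `<address>` part; dpkg-parsechangelog needs the continuation line indented under the `*` item and a maintainer email in the trailer, so please confirm the file in the upload has both. The entry also only says "Fix signature verification" while the attached patch description states that the `asn1.fromDer` default changes to parsing all input bytes; one line in the changelog naming that behaviour change and the new `parseAllBytes` option would help buster users who call `fromDer` directly.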
diff --git a/debian/patches/CVE-2022-24773.patch
b/debian/patches/CVE-2022-24773.patch
new file mode 100644
index 000..9f36228
--- /dev/null
+++ b/debian/patches/CVE-2022-24773.patch
@@ -0,0 +1,658 @@
+Description: fix signature verification issues (CVE-2022-24771,
CVE-2022-24772, CVE-2022-24773)
+ **SECURITY**: Three RSA PKCS#1 v1.5 signature verification issues were
+ reported by Moosa Yahyazadeh (moosa-yahyaza...@uiowa.edu):
+ .
+ - Leniency in checking `digestAlgorithm` structure can lead to signature
+ forgery.
+ - The code is lenient in checking the digest algorithm structure. This can
+ allow a crafted structure that steals padding bytes and uses unchecked
+ portion of the PKCS#1 encoded message to forge a signature when a low
+ public exponent is being used.
+ - Failing to check tailing garbage bytes can lead to signature forgery.
+ - The code does not check for tailing garbage bytes after decoding a
+ `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed
+ and garbage data added to forge a signature when a low public exponent is
+ being used.
+ - Leniency in checking type octet.
+ - `DigestInfo` is not properly checked for proper ASN.1 structure. This can
+ lead to successful verification with signatures that contain invalid
+ structures but a valid digest.
+ .
+ For more information, please see "Bleichenbacher's RSA signature forgery based
+ on implementation error" by Hal Finney:
+ https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/
+ .
+ Fixed with the following:
+ .
+ - [asn1] `fromDer` is now more strict and will default to ensuring all
+ input bytes are parsed or throw an error. A new option `parseAllBytes`
+ can disable this behavior.
+ - **NOTE**: The previous behavior is being changed since it can lead
+ to security issues with crafted inputs. It is possible that code
+ doing custom DER parsing may need to adapt to this new behavior and
+ optional flag.
+ - [rsa] Add and use a validator to check for proper structure of parsed
+ ASN.1 `RSASSA-PKCS-v1_5` `DigestInfo` data. Additionally check that
+ the hash algorithm identifier is a known value. An invalid
+ `DigestInfo` or algorithm identifier will now cause an error to be
+ thrown.
+ - [oid] Added `1.2.840.113549.2.2` / `md2` for hash algorithm checking.
+ - [tests] Tests were added for all of the reported issues. A private
+ verify option was added to assist in checking multiple possible
+ failures in the test data.
+Author: David I. Lehn
+Origin: upstream, https://github.com/digitalbazaar/forge/commit/3f0b49a0
+Bug:
+ https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765
+ https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g
+ https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr
+Forwarded: not-needed
+Reviewed-By: Yadd
+Last-Update: 2022-03-23
+
+--- a/lib/asn1.js
b/lib/asn1.js
+@@ -411,6 +411,8 @@
+ * @param [options] object with options or boolean strict flag
+ * [strict] true to be strict when checking value lengths, false to
+ *allow truncated values (default: true).
++ * [parseAllBytes] true to ensure all bytes are parsed
++ *(default: true)
+ * [decodeBitStrings] true to attempt to decode the content of
+ *BIT STRINGs (not OCTET STRINGs) using strict mode. Note that
+ *without schema support to understand the data context this can
+@@ -418,24 +420,31 @@
+ *flag will be deprecated or removed as soon as schema support is
+ *