Bug#1008154: buster-pu: package node-node-forge/0.8.1~dfsg-1+deb10u1

2022-08-05 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Wed, 2022-03-23 at 11:29 +0100, Yadd wrote:
> node-node-forge signature verification code is lenient in checking the digest
> algorithm structure. This can allow a crafted structure that steals padding
> bytes and uses unchecked portion of the PKCS#1 encoded message to forge a
> signature when a low public exponent is being used. The issue has been
> addressed in `node-forge` version 1.3.0.
> 

Please go ahead; sorry for the delay.

Regards,

Adam
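
Added example, not part of the thread and not node-forge's code: the difference between a lenient and a strict check of the PKCS#1 v1.5 encoded block described in the quoted report. It works on the block recovered after the RSA public-key operation; all function names and the sample input are constructed for illustration.

```javascript
const crypto = require('crypto');

// DER header of a SHA-256 DigestInfo (RFC 8017, section 9.2): the algorithm
// identifier with NULL parameters, then the OCTET STRING tag and length.
const SHA256_PREFIX = Buffer.from('3031300d060960864801650304020105000420', 'hex');
const sha256 = (msg) => crypto.createHash('sha256').update(msg).digest();

// The single valid encoding for `msg` under a k-byte modulus:
// 00 01 FF..FF 00 || DigestInfo, with padding filling every spare byte.
function expectedEM(msg, k) {
  const t = Buffer.concat([SHA256_PREFIX, sha256(msg)]);
  const psLen = k - t.length - 3;
  if (psLen < 8) throw new Error('modulus too short for this digest');
  return Buffer.concat([Buffer.from([0, 1]), Buffer.alloc(psLen, 0xff), Buffer.from([0]), t]);
}

// Strict: rebuild the encoding and compare all k bytes, so there is no
// unchecked region and no parser to be lenient.
function verifyStrict(em, msg, k) {
  return em.length === k && crypto.timingSafeEqual(em, expectedEM(msg, k));
}

// Lenient, simplified for illustration: accepts any padding length, does not
// validate the DigestInfo header, and ignores bytes after the digest.
function verifyLenient(em, msg) {
  if (em[0] !== 0x00 || em[1] !== 0x01) return false;
  let i = 2;
  while (i < em.length && em[i] === 0xff) i++;
  if (em[i++] !== 0x00) return false;
  const start = i + SHA256_PREFIX.length;
  return em.subarray(start, start + 32).equals(sha256(msg));
}

// Constructed sample: one padding byte, a correct DigestInfo, then filler
// where the padding should have been.
function shortPaddedEM(msg, k) {
  const t = Buffer.concat([SHA256_PREFIX, sha256(msg)]);
  return Buffer.concat([Buffer.from([0, 1, 0xff, 0]), t, Buffer.alloc(k - 4 - t.length, 0x2a)]);
}

const msg = Buffer.from('constructed test message');
console.log('well-formed, strict :', verifyStrict(expectedEM(msg, 256), msg, 256));
console.log('short pad,  lenient :', verifyLenient(shortPaddedEM(msg, 256), msg));
console.log('short pad,  strict  :', verifyStrict(shortPaddedEM(msg, 256), msg, 256));
```

The strict form never parses the block, so the trailing-bytes and structure checks hold by construction.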



Bug#1008154: buster-pu: package node-node-forge/0.8.1~dfsg-1+deb10u1

2022-03-23 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
node-node-forge signature verification code is lenient in checking the digest
algorithm structure. This can allow a crafted structure that steals padding
bytes and uses unchecked portion of the PKCS#1 encoded message to forge a
signature when a low public exponent is being used. The issue has been
addressed in `node-forge` version 1.3.0.

[ Impact ]
medium vulnerability

[ Tests ]
New test added

[ Risks ]
Low risk, test passed

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Better checks

[ Other info ]
Upstream patch applied without any change except indentation

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index bd1ee3d..a11ea65 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-node-forge (0.8.1~dfsg-1+deb10u1) buster; urgency=medium
+
+  * Team upload
+  * Fix signature verification
+(Closes: CVE-2022-24771, CVE-2022-24772, CVE-2022-24773)
+
+ -- Yadd   Wed, 23 Mar 2022 11:28:00 +0100
+
 node-node-forge (0.8.1~dfsg-1) unstable; urgency=medium
 
   [ upstream ]
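Review bot: The new entry's "Fix signature verification" bullet does not name the patch it adds, and the patch file is called CVE-2022-24773.patch while the bullet lists CVE-2022-24771, CVE-2022-24772 and CVE-2022-24773. Since the request checklist says all changes are documented in d/changelog, I would mention the patch file in the bullet and give it a name that covers all three ids, so a later reader does not conclude that only one of them was patched.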
diff --git a/debian/patches/CVE-2022-24773.patch 
b/debian/patches/CVE-2022-24773.patch
new file mode 100644
index 000..9f36228
--- /dev/null
+++ b/debian/patches/CVE-2022-24773.patch
@@ -0,0 +1,658 @@
+Description: fix signature verification issues (CVE-2022-24771, 
CVE-2022-24772, CVE-2022-24773)
+ **SECURITY**: Three RSA PKCS#1 v1.5 signature verification issues were
+ reported by Moosa Yahyazadeh (moosa-yahyaza...@uiowa.edu):
+ .
+ - Leniency in checking `digestAlgorithm` structure can lead to signature
+   forgery.
+   - The code is lenient in checking the digest algorithm structure. This can
+ allow a crafted structure that steals padding bytes and uses unchecked
+ portion of the PKCS#1 encoded message to forge a signature when a low
+ public exponent is being used.
+ - Failing to check tailing garbage bytes can lead to signature forgery.
+   - The code does not check for tailing garbage bytes after decoding a
+ `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed
+ and garbage data added to forge a signature when a low public exponent is
+ being used.
+ - Leniency in checking type octet.
+   - `DigestInfo` is not properly checked for proper ASN.1 structure. This can
+ lead to successful verification with signatures that contain invalid
+ structures but a valid digest.
+ .
+ For more information, please see "Bleichenbacher's RSA signature forgery based
+ on implementation error" by Hal Finney:
+ https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/
+ .
+ Fixed with the following:
+ .
+ - [asn1] `fromDer` is now more strict and will default to ensuring all
+   input bytes are parsed or throw an error. A new option `parseAllBytes`
+   can disable this behavior.
+   - **NOTE**: The previous behavior is being changed since it can lead
+ to security issues with crafted inputs. It is possible that code
+ doing custom DER parsing may need to adapt to this new behavior and
+ optional flag.
+ - [rsa] Add and use a validator to check for proper structure of parsed
+   ASN.1 `RSASSA-PKCS-v1_5` `DigestInfo` data. Additionally check that
+   the hash algorithm identifier is a known value. An invalid
+   `DigestInfo` or algorithm identifier will now cause an error to be
+   thrown.
+ - [oid] Added `1.2.840.113549.2.2` / `md2` for hash algorithm checking.
+ - [tests] Tests were added for all of the reported issues. A private
+   verify option was added to assist in checking multiple possible
+   failures in the test data.
+Author: David I. Lehn 
+Origin: upstream, https://github.com/digitalbazaar/forge/commit/3f0b49a0
+Bug:
+ https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765
+ https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g
+ https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr
+Forwarded: not-needed
+Reviewed-By: Yadd 
+Last-Update: 2022-03-23
+
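Review bot: In the patch header, the `Bug:` field carries three advisory URLs as continuation lines; DEP-3 describes the field as holding one URL and allows repeating it, so I would split this into three `Bug:` lines. The `Origin:` URL also ends in the abbreviated commit id 3f0b49a0; the full hash would be better in a header that is meant as a permanent reference.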
+--- a/lib/asn1.js
 b/lib/asn1.js
+@@ -411,6 +411,8 @@
+  * @param [options] object with options or boolean strict flag
+  *  [strict] true to be strict when checking value lengths, false to
+  *allow truncated values (default: true).
++ *  [parseAllBytes] true to ensure all bytes are parsed
++ *(default: true)
+  *  [decodeBitStrings] true to attempt to decode the content of
+  *BIT STRINGs (not OCTET STRINGs) using strict mode. Note that
+  *without schema support to understand the data context this can
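Review bot: The added `parseAllBytes` doc lines give the default as true but do not say what happens when bytes are left over; the patch description says `fromDer` will "throw an error", and the comment should say the same so callers know to expect an exception. Because the default changes behaviour for every existing `fromDer` caller, and the description itself warns that code doing custom DER parsing may need to adapt, the request should state whether the reverse dependencies in buster were checked against the stricter default.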
+@@ -418,24 +420,31 @@
+  *flag will be deprecated or removed as soon as schema support is
+  *