Bug#1007884: bullseye-pu: package glewlwyd/2.5.2-2+deb11u2
Package: release.debian.org
Severity: important
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)
[ Reason ]
Possible buffer overflow on signature verification during webauthn assertion
[ Impact ]
Possibility of denial of service
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Check the length of the signature before verifying it
[ Other info ]
CVE ID request pending
Description: Fix buffer overflow
Author: Nicolas Mora <babelouest@debian.org>
Forwarded: not-needed
--- a/src/scheme/webauthn.c
+++ b/src/scheme/webauthn.c
@@ -2336,12 +2336,24 @@
break;
}
- if (!o_base64url_decode((const unsigned char *)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), sig, &sig_len)) {
- y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Error o_base64url_decode signature");
+ if (!o_base64_decode((const unsigned char *)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), NULL, &sig_len)) {
+ y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Invalid signature format");
ret = G_ERROR_PARAM;
break;
}
+ if (sig_len > 128) {
+ y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Invalid signature");
+ ret = G_ERROR_PARAM;
+ break;
+ }
+
+ if (!o_base64_decode((const unsigned char *)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), sig, &sig_len)) {
+ y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Error o_base64_decode signature");
+ ret = G_ERROR;
+ break;
+ }
+
memcpy(data_signed, auth_data, auth_data_len);
memcpy(data_signed+auth_data_len, cdata_hash, cdata_hash_len);
Reply to: