Bug#1007884: bullseye-pu: package glewlwyd/2.5.2-2+deb11u2

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1007884: bullseye-pu: package glewlwyd/2.5.2-2+deb11u2
From: Nicolas Mora <babelouest@debian.org>
Date: Thu, 17 Mar 2022 21:17:12 -0400
Message-id: <[🔎] 164756623222.275379.7652117026350063714.reportbug@galahad>
Reply-to: Nicolas Mora <babelouest@debian.org>, 1007884@bugs.debian.org

Package: release.debian.org
Severity: important
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)

[ Reason ]
Possible buffer overflow on signature verification during webauthn assertion

[ Impact ]
Possibility of denial of service

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Check the length of the signature before verifying it

[ Other info ]
CVE ID request pending

Description: Fix buffer overflow
Author: Nicolas Mora <babelouest@debian.org>
Forwarded: not-needed
--- a/src/scheme/webauthn.c
+++ b/src/scheme/webauthn.c
@@ -2336,12 +2336,24 @@
         break;
       }
       
-      if (!o_base64url_decode((const unsigned char *)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), sig, &sig_len)) {
-        y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Error o_base64url_decode signature");
+      if (!o_base64_decode((const unsigned char *)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), NULL, &sig_len)) {
+        y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Invalid signature format");
         ret = G_ERROR_PARAM;
         break;
       }
       
+      if (sig_len > 128) {
+        y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Invalid signature");
+        ret = G_ERROR_PARAM;
+        break;
+      }
+
+      if (!o_base64_decode((const unsigned char *)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), sig, &sig_len)) {
+        y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Error o_base64_decode signature");
+        ret = G_ERROR;
+        break;
+      }
+
       memcpy(data_signed, auth_data, auth_data_len);
       memcpy(data_signed+auth_data_len, cdata_hash, cdata_hash_len);

Reply to:

Follow-Ups:
- Processed: Re: Bug#1007884: bullseye-pu: package glewlwyd/2.5.2-2+deb11u2
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#1007884: bullseye-pu: package glewlwyd/2.5.2-2+deb11u2
  - From: Julien Cristau <jcristau@debian.org>

Prev by Date: NEW changes in stable-new
Next by Date: NEW changes in stable-new
Previous by thread: Bug#1007882: marked as done (RM: rust-weedle/0.12.0-2 rust-wasm-bindgen-webidl/0.2.75-1)
Next by thread: Bug#1007884: Acknowledgement (bullseye-pu: package glewlwyd/2.5.2-2+deb11u2)
Index(es):
- Date
- Thread