Bug#1007884: bullseye-pu: package glewlwyd/2.5.2-2+deb11u2

To: Nicolas Mora <babelouest@debian.org>, 1007884@bugs.debian.org
Subject: Bug#1007884: bullseye-pu: package glewlwyd/2.5.2-2+deb11u2
From: Julien Cristau <jcristau@debian.org>
Date: Fri, 18 Mar 2022 16:29:17 +0100
Message-id: <[🔎] YjSlTUlnkQDyjQk2@jcristau-z4>
Reply-to: Julien Cristau <jcristau@debian.org>, 1007884@bugs.debian.org
In-reply-to: <[🔎] 164756623222.275379.7652117026350063714.reportbug@galahad>
References: <[🔎] 164756623222.275379.7652117026350063714.reportbug@galahad> <[🔎] 164756623222.275379.7652117026350063714.reportbug@galahad>

Control: severity -1 normal
Control: retitle -1 bullseye-pu: package glewlwyd/2.5.2-2+deb11u3
Control: tag -1 moreinfo

On Thu, Mar 17, 2022 at 09:17:12PM -0400, Nicolas Mora wrote:
> [ Reason ]
> Possible buffer overflow on signature verification during webauthn assertion
> 
> [ Impact ]
> Possibility of denial of service
> 
> [ Checklist ]
>   [X] *all* changes are documented in the d/changelog
>   [X] I reviewed all changes and I approve them
>   [X] attach debdiff against the package in (old)stable

The below is not a debdiff, and doesn't include a changelog entry. :(

>   [X] the issue is verified as fixed in unstable
> 
> [ Changes ]
> Check the length of the signature before verifying it
> 
What's the change of o_base64url_decode to o_base64_decode about?

Cheers,
Julien

> [ Other info ]
> CVE ID request pending

> Description: Fix buffer overflow
> Author: Nicolas Mora <babelouest@debian.org>
> Forwarded: not-needed
> --- a/src/scheme/webauthn.c
> +++ b/src/scheme/webauthn.c
> @@ -2336,12 +2336,24 @@
>          break;
>        }
>        
> -      if (!o_base64url_decode((const unsigned char *)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), sig, &sig_len)) {
> -        y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Error o_base64url_decode signature");
> +      if (!o_base64_decode((const unsigned char *)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), NULL, &sig_len)) {
> +        y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Invalid signature format");
>          ret = G_ERROR_PARAM;
>          break;
>        }
>        
> +      if (sig_len > 128) {
> +        y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Invalid signature");
> +        ret = G_ERROR_PARAM;
> +        break;
> +      }
> +
> +      if (!o_base64_decode((const unsigned char *)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), sig, &sig_len)) {
> +        y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Error o_base64_decode signature");
> +        ret = G_ERROR;
> +        break;
> +      }
> +
>        memcpy(data_signed, auth_data, auth_data_len);
>        memcpy(data_signed+auth_data_len, cdata_hash, cdata_hash_len);
>

Reply to:

Follow-Ups:
- Bug#1007884: bullseye-pu: package glewlwyd/2.5.2-2+deb11u2
  - From: Nicolas Mora <babelouest@debian.org>

References:
- Bug#1007884: bullseye-pu: package glewlwyd/2.5.2-2+deb11u2
  - From: Nicolas Mora <babelouest@debian.org>

Prev by Date: Processed: Re: Bug#1007884: bullseye-pu: package glewlwyd/2.5.2-2+deb11u2
Next by Date: Bug#994622: bullseye-pu: package network-manager/1.30.6-1~deb11u1
Previous by thread: Processed: Re: Bug#1007884: bullseye-pu: package glewlwyd/2.5.2-2+deb11u2
Next by thread: Bug#1007884: bullseye-pu: package glewlwyd/2.5.2-2+deb11u2
Index(es):
- Date
- Thread