Bug#1007884: bullseye-pu: package glewlwyd/2.5.2-2+deb11u2
Control: severity -1 normal
Control: retitle -1 bullseye-pu: package glewlwyd/2.5.2-2+deb11u3
Control: tag -1 moreinfo
On Thu, Mar 17, 2022 at 09:17:12PM -0400, Nicolas Mora wrote:
> [ Reason ]
> Possible buffer overflow on signature verification during webauthn assertion
>
> [ Impact ]
> Possibility of denial of service
>
> [ Checklist ]
> [X] *all* changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in (old)stable
The below is not a debdiff, and doesn't include a changelog entry. :(
> [X] the issue is verified as fixed in unstable
>
> [ Changes ]
> Check the length of the signature before verifying it
>
What's the change of o_base64url_decode to o_base64_decode about?
Cheers,
Julien
> [ Other info ]
> CVE ID request pending
> Description: Fix buffer overflow
> Author: Nicolas Mora <babelouest@debian.org>
> Forwarded: not-needed
> --- a/src/scheme/webauthn.c
> +++ b/src/scheme/webauthn.c
> @@ -2336,12 +2336,24 @@
> break;
> }
>
> - if (!o_base64url_decode((const unsigned char *)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), sig, &sig_len)) {
> - y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Error o_base64url_decode signature");
> + if (!o_base64_decode((const unsigned char *)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), NULL, &sig_len)) {
> + y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Invalid signature format");
> ret = G_ERROR_PARAM;
> break;
> }
>
> + if (sig_len > 128) {
> + y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Invalid signature");
> + ret = G_ERROR_PARAM;
> + break;
> + }
> +
> + if (!o_base64_decode((const unsigned char *)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), sig, &sig_len)) {
> + y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Error o_base64_decode signature");
> + ret = G_ERROR;
> + break;
> + }
> +
> memcpy(data_signed, auth_data, auth_data_len);
> memcpy(data_signed+auth_data_len, cdata_hash, cdata_hash_len);
>
Reply to: