Bug#1013893: bullseye-pu: package rhonabwy/0.9.13-3+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
Fix a possible buffer overflow when decrypting a forged JWE with an invalid iv or
cipherkey
[ Impact ]
The program might crash or execute arbitrary code.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Check the iv and cipherkey lengths before decoding them
[ Other info ]
CVE id pending
diff -Nru rhonabwy-0.9.13/debian/changelog rhonabwy-0.9.13/debian/changelog
--- rhonabwy-0.9.13/debian/changelog 2021-09-22 07:29:46.000000000 -0400
+++ rhonabwy-0.9.13/debian/changelog 2022-06-26 17:27:39.000000000 -0400
@@ -1,3 +1,9 @@
+rhonabwy (0.9.13-3+deb11u2) bullseye; urgency=medium
+
+ * d/patches/aesgcm.patch: Fix aesgcm buffer overflow
+
+ -- Nicolas Mora <babelouest@debian.org> Sun, 26 Jun 2022 17:27:39 -0400
+
rhonabwy (0.9.13-3+deb11u1) bullseye; urgency=medium
* d/patches/bugfixes: apply upstream bugfixes
diff -Nru rhonabwy-0.9.13/debian/patches/aesgcm.patch rhonabwy-0.9.13/debian/patches/aesgcm.patch
--- rhonabwy-0.9.13/debian/patches/aesgcm.patch 1969-12-31 19:00:00.000000000 -0500
+++ rhonabwy-0.9.13/debian/patches/aesgcm.patch 2022-06-26 17:26:58.000000000 -0400
@@ -0,0 +1,32 @@
+Description: Fix aesgcm buffer overflow
+Author: Nicolas Mora <babelouest@debian.org>
+Forwarded: not-needed
+--- a/src/jwe.c
++++ b/src/jwe.c
+@@ -226,14 +226,24 @@
+ ret = RHN_ERROR;
+ break;
+ }
++ if (!o_base64url_decode((const unsigned char *)r_jwe_get_header_str_value(jwe, "iv"), o_strlen(r_jwe_get_header_str_value(jwe, "iv")), NULL, &iv_len) || iv_len > 96) {
++ y_log_message(Y_LOG_LEVEL_ERROR, "r_jwe_aesgcm_key_unwrap - Invalid header iv");
++ ret = RHN_ERROR_INVALID;
++ break;
++ }
+ if (!o_base64url_decode((const unsigned char *)r_jwe_get_header_str_value(jwe, "iv"), o_strlen(r_jwe_get_header_str_value(jwe, "iv")), iv, &iv_len)) {
+ y_log_message(Y_LOG_LEVEL_ERROR, "r_jwe_aesgcm_key_unwrap - Error o_base64url_decode iv");
+- ret = RHN_ERROR;
++ ret = RHN_ERROR_INVALID;
++ break;
++ }
++ if (!o_base64url_decode((const unsigned char *)jwe->encrypted_key_b64url, o_strlen((const char *)jwe->encrypted_key_b64url), NULL, &cipherkey_len) || cipherkey_len > 64) {
++ y_log_message(Y_LOG_LEVEL_ERROR, "r_jwe_aesgcm_key_unwrap - Invalid cipherkey");
++ ret = RHN_ERROR_INVALID;
+ break;
+ }
+ if (!o_base64url_decode((const unsigned char *)jwe->encrypted_key_b64url, o_strlen((const char *)jwe->encrypted_key_b64url), cipherkey, &cipherkey_len)) {
+ y_log_message(Y_LOG_LEVEL_ERROR, "r_jwe_aesgcm_key_unwrap - Error o_base64url_decode cipherkey");
+- ret = RHN_ERROR;
++ ret = RHN_ERROR_INVALID;
+ break;
+ }
+ key_g.data = key;
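Review bot: The two added length guards bound the decoded sizes with the bare literals 96 and 64 instead of the size of the destination buffers, so the check and the declarations of `iv` and `cipherkey` (which sit above this hunk) can silently drift apart on a later edit. If those are fixed-size local arrays, tie the guard to the declaration, `|| iv_len > sizeof iv) {` and `|| cipherkey_len > sizeof cipherkey) {`; if they are pointers, a named constant shared with the allocation serves the same purpose. A one-line comment on the first guard, `/* size-only decode (NULL output) first, so a forged header cannot overrun the fixed buffer below */`, would record why each value is decoded twice. The enclosing r_jwe_aesgcm_key_unwrap body starts and ends outside the hunk.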
diff -Nru rhonabwy-0.9.13/debian/patches/series rhonabwy-0.9.13/debian/patches/series
--- rhonabwy-0.9.13/debian/patches/series 2021-09-22 07:29:46.000000000 -0400
+++ rhonabwy-0.9.13/debian/patches/series 2022-06-26 17:25:31.000000000 -0400
@@ -1,3 +1,4 @@
library_info.patch
disable_test_rhonabwy_generate_key_pair.patch
bugfixes.patch
+aesgcm.patch