Bug#1070249: bookworm-pu: package python-jwcrypto/1.1.0-1+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: steve.mcintyre@pexip.com, Timo Aaltonen <tjaalton@debian.org>
Hi,
[ Reason ]
I've backported the upstream fix for CVE-2024-28102 (#1065688) to
bookworm. It's not considered critical as a security fix by the
security team, but would still be good to have in bookworm.
Ready to upload if you're happy.
Timo is happy for me to upload this - see the conversation in
#1065688.
[ Impact ]
Minor security issue.
[ Tests ]
The patch comes from upstream, and includes a unit test.
[ Risks ]
The changes are straightforward, cherry-picked from current upstream
and just massaged to fit the older version in bookworm.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
The debdiff here just contains trivial metadata changes from my
initial debdiff in #1065688
python-jwcrypto (1.1.0-1+deb12u1) bookworm; urgency=medium
* Apply and tweak upstream security fix for CVE-2024-28102
Address potential DoS with high compression ratio
diff -Nru python-jwcrypto-1.1.0/debian/changelog python-jwcrypto-1.1.0/debian/changelog
--- python-jwcrypto-1.1.0/debian/changelog 2022-03-29 08:33:50.000000000 +0100
+++ python-jwcrypto-1.1.0/debian/changelog 2024-04-26 17:18:31.000000000 +0100
@@ -1,3 +1,10 @@
+python-jwcrypto (1.1.0-1+deb12u1) bookworm; urgency=medium
+
+ * Apply and tweak upstream security fix for CVE-2024-28102
+ Address potential DoS with high compression ratio
+
+ -- Steve McIntyre <93sam@debian.org> Fri, 26 Apr 2024 17:18:31 +0100
+
python-jwcrypto (1.1.0-1) unstable; urgency=medium
* New upstream release.
diff -Nru python-jwcrypto-1.1.0/debian/patches/CVE-2024-28102.patch python-jwcrypto-1.1.0/debian/patches/CVE-2024-28102.patch
--- python-jwcrypto-1.1.0/debian/patches/CVE-2024-28102.patch 1970-01-01 01:00:00.000000000 +0100
+++ python-jwcrypto-1.1.0/debian/patches/CVE-2024-28102.patch 2024-04-26 17:18:31.000000000 +0100
@@ -0,0 +1,72 @@
+commit 90477a3b6e73da69740e00b8161f53fea19b831f
+Author: Simo Sorce <simo@redhat.com>
+Date: Tue Mar 5 16:57:17 2024 -0500
+
+ Address potential DoS with high compression ratio
+
+ Fixes CVE-2024-28102
+
+ Signed-off-by: Simo Sorce <simo@redhat.com>
+
+Index: os-python-jwcrypto/jwcrypto/jwe.py
+===================================================================
+--- os-python-jwcrypto.orig/jwcrypto/jwe.py
++++ os-python-jwcrypto/jwcrypto/jwe.py
+@@ -9,6 +9,9 @@ from jwcrypto.common import base64url_de
+ from jwcrypto.common import json_decode, json_encode
+ from jwcrypto.jwa import JWA
+
++# Limit the amount of data we are willing to decompress by default.
++default_max_compressed_size = 256 * 1024
++
+
+ # RFC 7516 - 4.1
+ # name: (description, supported?)
+@@ -387,6 +390,10 @@ class JWE:
+
+ compress = jh.get('zip', None)
+ if compress == 'DEF':
++ if len(data) > default_max_compressed_size:
++ raise InvalidJWEData(
++ 'Compressed data exceeds maximum allowed'
++ 'size' + f' ({default_max_compressed_size})')
+ self.plaintext = zlib.decompress(data, -zlib.MAX_WBITS)
+ elif compress is None:
+ self.plaintext = data
+Index: os-python-jwcrypto/jwcrypto/tests.py
+===================================================================
+--- os-python-jwcrypto.orig/jwcrypto/tests.py
++++ os-python-jwcrypto/jwcrypto/tests.py
+@@ -1716,6 +1716,32 @@ class ConformanceTests(unittest.TestCase
+ check.decrypt(key)
+ self.assertEqual(check.payload, b'plain')
+
++ def test_jwe_decompression_max(self):
++ key = jwk.JWK(kty='oct', k=base64url_encode(b'A' * (128 // 8)))
++ payload = '{"u": "' + "u" * 400000000 + '", "uu":"' \
++ + "u" * 400000000 + '"}'
++ protected_header = {
++ "alg": "A128KW",
++ "enc": "A128GCM",
++ "typ": "JWE",
++ "zip": "DEF",
++ }
++ enc = jwe.JWE(payload.encode('utf-8'),
++ recipient=key,
++ protected=protected_header).serialize(compact=True)
++ with self.assertRaises(jwe.InvalidJWEData):
++ check = jwe.JWE()
++ check.deserialize(enc)
++ check.decrypt(key)
++
++ defmax = jwe.default_max_compressed_size
++ jwe.default_max_compressed_size = 1000000000
++ # ensure we can eraise the limit and decrypt
++ check = jwe.JWE()
++ check.deserialize(enc)
++ check.decrypt(key)
++ jwe.default_max_compressed_size = defmax
++
+
+ class JWATests(unittest.TestCase):
+ def test_jwa_create(self):
diff -Nru python-jwcrypto-1.1.0/debian/patches/series python-jwcrypto-1.1.0/debian/patches/series
--- python-jwcrypto-1.1.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ python-jwcrypto-1.1.0/debian/patches/series 2024-04-26 17:18:31.000000000 +0100
@@ -0,0 +1 @@
+CVE-2024-28102.patch
Reply to: