Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: steve.mcint...@pexip.com, Timo Aaltonen <tjaal...@debian.org>

Hi,

[ Reason ]
I've backported the upstream fix for CVE-2024-28102 (#1065688) to bookworm. It's not considered critical as a security fix by the security team, but would still be good to have in bookworm. Ready to upload if you're happy. Timo is happy for me to upload this - see the conversation in #1065688.

[ Impact ]
Minor security issue.

[ Tests ]
The patch comes from upstream, and includes a unit test.

[ Risks ]
The changes are straightforward, cherry-picked from current upstream and just massaged to fit the older version in bookworm.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The debdiff here just contains trivial metadata changes from my initial debdiff in #1065688

python-jwcrypto (1.1.0-1+deb12u1) bookworm; urgency=medium

  * Apply and tweak upstream security fix for CVE-2024-28102
    Address potential DoS with high compression ratio
diff -Nru python-jwcrypto-1.1.0/debian/changelog python-jwcrypto-1.1.0/debian/changelog --- python-jwcrypto-1.1.0/debian/changelog 2022-03-29 08:33:50.000000000 +0100 +++ python-jwcrypto-1.1.0/debian/changelog 2024-04-26 17:18:31.000000000 +0100 @@ -1,3 +1,10 @@ +python-jwcrypto (1.1.0-1+deb12u1) bookworm; urgency=medium + + * Apply and tweak upstream security fix for CVE-2024-28102 + Address potential DoS with high compression ratio + + -- Steve McIntyre <93...@debian.org> Fri, 26 Apr 2024 17:18:31 +0100 + python-jwcrypto (1.1.0-1) unstable; urgency=medium * New upstream release. diff -Nru python-jwcrypto-1.1.0/debian/patches/CVE-2024-28102.patch python-jwcrypto-1.1.0/debian/patches/CVE-2024-28102.patch --- python-jwcrypto-1.1.0/debian/patches/CVE-2024-28102.patch 1970-01-01 01:00:00.000000000 +0100 +++ python-jwcrypto-1.1.0/debian/patches/CVE-2024-28102.patch 2024-04-26 17:18:31.000000000 +0100 @@ -0,0 +1,72 @@ +commit 90477a3b6e73da69740e00b8161f53fea19b831f +Author: Simo Sorce <s...@redhat.com> +Date: Tue Mar 5 16:57:17 2024 -0500 + + Address potential DoS with high compression ratio + + Fixes CVE-2024-28102 + + 
Signed-off-by: Simo Sorce <s...@redhat.com> + +Index: os-python-jwcrypto/jwcrypto/jwe.py +=================================================================== +--- os-python-jwcrypto.orig/jwcrypto/jwe.py ++++ os-python-jwcrypto/jwcrypto/jwe.py +@@ -9,6 +9,9 @@ from jwcrypto.common import base64url_de + from jwcrypto.common import json_decode, json_encode + from jwcrypto.jwa import JWA + ++# Limit the amount of data we are willing to decompress by default. ++default_max_compressed_size = 256 * 1024 ++ + + # RFC 7516 - 4.1 + # name: (description, supported?) +@@ -387,6 +390,10 @@ class JWE: + + compress = jh.get('zip', None) + if compress == 'DEF': ++ if len(data) > default_max_compressed_size: ++ raise InvalidJWEData( ++ 'Compressed data exceeds maximum allowed' ++ 'size' + f' ({default_max_compressed_size})') + self.plaintext = zlib.decompress(data, -zlib.MAX_WBITS) + elif compress is None: + self.plaintext = data +Index: os-python-jwcrypto/jwcrypto/tests.py +=================================================================== +--- os-python-jwcrypto.orig/jwcrypto/tests.py ++++ os-python-jwcrypto/jwcrypto/tests.py +@@ -1716,6 +1716,32 @@ class ConformanceTests(unittest.TestCase + check.decrypt(key) + self.assertEqual(check.payload, b'plain') + ++ def test_jwe_decompression_max(self): ++ key = jwk.JWK(kty='oct', k=base64url_encode(b'A' * (128 // 8))) ++ payload = '{"u": "' + "u" * 400000000 + '", "uu":"' \ ++ + "u" * 400000000 + '"}' ++ protected_header = { ++ "alg": "A128KW", ++ "enc": "A128GCM", ++ "typ": "JWE", ++ "zip": "DEF", ++ } ++ enc = jwe.JWE(payload.encode('utf-8'), ++ recipient=key, ++ protected=protected_header).serialize(compact=True) ++ with self.assertRaises(jwe.InvalidJWEData): ++ check = jwe.JWE() ++ check.deserialize(enc) ++ check.decrypt(key) ++ ++ defmax = jwe.default_max_compressed_size ++ jwe.default_max_compressed_size = 1000000000 ++ # ensure we can eraise the limit and decrypt ++ check = jwe.JWE() ++ check.deserialize(enc) ++ 
check.decrypt(key) ++ jwe.default_max_compressed_size = defmax ++ + + class JWATests(unittest.TestCase): + def test_jwa_create(self): diff -Nru python-jwcrypto-1.1.0/debian/patches/series python-jwcrypto-1.1.0/debian/patches/series --- python-jwcrypto-1.1.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ python-jwcrypto-1.1.0/debian/patches/series 2024-04-26 17:18:31.000000000 +0100 @@ -0,0 +1 @@ +CVE-2024-28102.patch
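Review bot: the first jwe.py hunk of CVE-2024-28102.patch makes `default_max_compressed_size` a bare module-level global, so the only way for a deployment to change the limit is to rebind `jwe.default_max_compressed_size`, exactly as the new test does. That is fine for a stable cherry-pick, but the changelog or d/NEWS should mention the new limit and the override, since existing bookworm users with legitimately large compressed payloads will start getting `InvalidJWEData` after this update.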
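Review bot: in the second jwe.py hunk the implicit string concatenation `'Compressed data exceeds maximum allowed' 'size'` is missing a space, so the exception text reads "...maximum allowedsize (262144)"; add a trailing space to the first literal. Also note what the guard bounds: it rejects on `len(data)`, i.e. the compressed input length, before `zlib.decompress` runs, so the decompressed size is still only bounded by what DEFLATE can expand 256 KiB into. That matches upstream, so it is acceptable for the backport, but a follow-up could use `zlib.decompressobj(-zlib.MAX_WBITS).decompress(data, max_length)` to cap the output side directly.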
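Review bot: in the tests.py hunk the restore of `jwe.default_max_compressed_size = defmax` is not protected by try/finally, so if the second `check.decrypt(key)` fails the module global stays at 1000000000 for every later test in the run; `self.addCleanup(setattr, jwe, 'default_max_compressed_size', defmax)` right after reading `defmax` would make the restore unconditional. The comment "ensure we can eraise the limit and decrypt" should read "raise". Since this test builds an 800 MB payload string and then encrypts and decrypts it twice, it is also worth confirming that the bookworm build runs the test suite within the memory available on the buildds.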
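The guard in the backported patch caps the compressed input length before calling `zlib.decompress`. The following standalone Python is an added illustration, not code from the debdiff or from jwcrypto: it mirrors that input-side check with the same 256 KiB default and goes one step further than the patch by also bounding the decompressed output with `zlib.decompressobj` and `max_length`. `InvalidJWEData` here is a local stand-in for jwcrypto's exception class, `DEFAULT_MAX_PLAINTEXT_SIZE` is an assumed value for this example, and the sample inputs are constructed inline.

```python
import random
import zlib

# Same default as the backported patch: cap on the compressed input size.
DEFAULT_MAX_COMPRESSED_SIZE = 256 * 1024
# Cap on the decompressed output size. Assumed value for this example;
# the patch on this page does not bound the output side at all.
DEFAULT_MAX_PLAINTEXT_SIZE = 1024 * 1024


class InvalidJWEData(Exception):
    """Local stand-in for jwcrypto.jwe.InvalidJWEData (hypothetical)."""


def deflate(data):
    """Raw DEFLATE, as JWE 'zip': 'DEF' uses it (no zlib header, -MAX_WBITS)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


def inflate_bounded(data, max_compressed=DEFAULT_MAX_COMPRESSED_SIZE,
                    max_plaintext=DEFAULT_MAX_PLAINTEXT_SIZE):
    """Decompress raw DEFLATE with two independent limits.

    1. Reject compressed input longer than max_compressed (the patch's check).
    2. Decompress incrementally and stop as soon as the output would exceed
       max_plaintext, so a small but highly compressible blob cannot force a
       large allocation regardless of the compression ratio.
    """
    if len(data) > max_compressed:
        raise InvalidJWEData(
            f'Compressed data exceeds maximum allowed size ({max_compressed})')
    d = zlib.decompressobj(-zlib.MAX_WBITS)
    try:
        # Ask for at most max_plaintext + 1 bytes: one byte over the limit is
        # enough to prove the limit is exceeded without inflating the rest.
        out = d.decompress(data, max_plaintext + 1)
    except zlib.error as e:
        raise InvalidJWEData(f'Invalid compressed data: {e}') from None
    if len(out) > max_plaintext:
        raise InvalidJWEData(
            f'Decompressed data exceeds maximum allowed size ({max_plaintext})')
    if not d.eof:
        raise InvalidJWEData('Compressed data is truncated or malformed')
    return out


def make_highly_compressible(n_bytes=4 * 1024 * 1024):
    """Constructed sample: n zero bytes, which DEFLATE shrinks by roughly 1000x,
    so the blob passes the input-size check but not the output-size check."""
    return deflate(b'\0' * n_bytes)


def make_incompressible(n_bytes=300 * 1024):
    """Constructed sample: deterministic pseudo-random bytes that do not
    compress, so the blob is rejected by the input-size check alone."""
    return deflate(random.Random(1234).randbytes(n_bytes))


def classify(data):
    """Return ('ok', plaintext_length) or ('rejected', reason) for a blob."""
    try:
        return ('ok', len(inflate_bounded(data)))
    except InvalidJWEData as e:
        return ('rejected', str(e))


if __name__ == '__main__':
    for name, blob in [('plain', deflate(b'plain')),
                       ('zeros', make_highly_compressible()),
                       ('random', make_incompressible()),
                       ('truncated', deflate(b'x' * 1000)[:-2])]:
        print(name, len(blob), 'bytes compressed ->', classify(blob))
```

The input-side check alone is what the patch provides; the `max_length` argument is what turns a ratio-dependent bound into a fixed one, and checking `eof` afterwards distinguishes "stopped because the limit was hit" from "stream ended" for streams that end exactly at the limit.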