Bug#1007884: bullseye-pu: package glewlwyd/2.5.2-2+deb11u2

Thu, 17 Mar 2022 18:30:26 -0700 

Package: release.debian.org
Severity: important
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)

[ Reason ]
Possible buffer overflow on signature verification during webauthn assertion

[ Impact ]
Possibility of denial of service

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Check the length of the signature before verifying it

[ Other info ]
CVE ID request pending

Description: Fix buffer overflow
Author: Nicolas Mora <babelou...@debian.org>
Forwarded: not-needed
--- a/src/scheme/webauthn.c
+++ b/src/scheme/webauthn.c
@@ -2336,12 +2336,24 @@
         break;
       }
       
-      if (!o_base64url_decode((const unsigned char 
*)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data,
 "credential"), "response"), "signature")), 
json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data,
 "credential"), "response"), "signature")), sig, &sig_len)) {
-        y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Error 
o_base64url_decode signature");
+      if (!o_base64_decode((const unsigned char 
*)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data,
 "credential"), "response"), "signature")), 
json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data,
 "credential"), "response"), "signature")), NULL, &sig_len)) {
+        y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Invalid signature 
format");
         ret = G_ERROR_PARAM;
         break;
       }
       
+      if (sig_len > 128) {
+        y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Invalid 
signature");
+        ret = G_ERROR_PARAM;
+        break;
+      }
+
+      if (!o_base64_decode((const unsigned char 
*)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data,
 "credential"), "response"), "signature")), 
json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data,
 "credential"), "response"), "signature")), sig, &sig_len)) {
+        y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Error 
o_base64_decode signature");
+        ret = G_ERROR;
+        break;
+      }
+
       memcpy(data_signed, auth_data, auth_data_len);
       memcpy(data_signed+auth_data_len, cdata_hash, cdata_hash_len);

Reply via email to