Control: severity -1 normal
Control: retitle -1 bullseye-pu: package glewlwyd/2.5.2-2+deb11u3
Control: tag -1 moreinfo

On Thu, Mar 17, 2022 at 09:17:12PM -0400, Nicolas Mora wrote:
> [ Reason ]
> Possible buffer overflow on signature verification during webauthn assertion
>
> [ Impact ]
> Possibility of denial of service
>
> [ Checklist ]
> [X] *all* changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in (old)stable

The below is not a debdiff, and doesn't include a changelog entry. :(

> [X] the issue is verified as fixed in unstable
>
> [ Changes ]
> Check the length of the signature before verifying it
>

What's the change of o_base64url_decode to o_base64_decode about?

Cheers,
Julien

> [ Other info ]
> CVE ID request pending
> Description: Fix buffer overflow
> Author: Nicolas Mora <babelou...@debian.org>
> Forwarded: not-needed
> --- a/src/scheme/webauthn.c
> +++ b/src/scheme/webauthn.c
> @@ -2336,12 +2336,24 @@ > break; > } > > - if (!o_base64url_decode((const unsigned char > *)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data, > "credential"), "response"), "signature")), > json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data, > "credential"), "response"), "signature")), sig, &sig_len)) { > - y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Error > o_base64url_decode signature"); > + if (!o_base64_decode((const unsigned char > *)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data, > "credential"), "response"), "signature")), > json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data, > "credential"), "response"), "signature")), NULL, &sig_len)) { > + y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Invalid > signature format"); > ret = G_ERROR_PARAM; > break; > } > > + if (sig_len > 128) { > + y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Invalid > signature"); > + ret = G_ERROR_PARAM; > + break; > + } > + > + if (!o_base64_decode((const unsigned char > *)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data, > "credential"), "response"), "signature")), > json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data, > "credential"), "response"), "signature")), sig, &sig_len)) { > + y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Error > o_base64_decode signature"); > + ret = G_ERROR; > + break; > + } > + > memcpy(data_signed, auth_data, auth_data_len); > memcpy(data_signed+auth_data_len, cdata_hash, cdata_hash_len); >
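
Review bot: the bound in the added `if (sig_len > 128)` check is a bare literal, and the declaration of `sig` is outside this hunk, so nothing visible ties 128 to the buffer's actual size. Compare against the buffer's declared size (`sizeof(sig)` if it is an array, or a named constant shared with the declaration) so the check cannot drift from the buffer. Both added decode calls also change `o_base64url_decode` to `o_base64_decode`, which the stated change ("Check the length of the signature before verifying it") does not cover. If the signature field carries base64url text, the switch could start rejecting inputs that were accepted before, so either keep `o_base64url_decode` for both the `NULL` length probe and the real decode, or document the decoder change separately. The nested `json_object_get(...)` lookup of "signature" is now written out four times across the two calls; resolving it once into a local would make it easier to see that the probe and the decode read the same value.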