Hello, On 2022-03-18 at 11:29, Julien Cristau wrote:
The below is not a debdiff, and doesn't include a changelog entry. :(
Sorry, added the debdiff here
This is why I found the issue in the first place, by refactoring o_base64* functions.

What's the change of o_base64url_decode to o_base64_decode about?
o_base64_decode should be used because the data is in base64, not base64url, but in this case, a conversion happens before decoding the data. So I switched back to o_base64url_decode in the debdiff.
/Nicolas
diff -Nru glewlwyd-2.5.2/debian/changelog glewlwyd-2.5.2/debian/changelog --- glewlwyd-2.5.2/debian/changelog 2021-12-17 07:51:46.000000000 -0500 +++ glewlwyd-2.5.2/debian/changelog 2022-03-17 21:13:09.000000000 -0400 @@ -1,3 +1,10 @@ +glewlwyd (2.5.2-2+deb11u3) bullseye; urgency=medium + + * d/patches: Fix CVE-2022-27240 + possible buffer overflow during webauthn signature assertion + + -- Nicolas Mora <babelou...@debian.org> Thu, 17 Mar 2022 21:13:09 -0400 + glewlwyd (2.5.2-2+deb11u2) bullseye; urgency=medium * d/patches: Fix possible privilege escalation (Closes: #1001849) diff -Nru glewlwyd-2.5.2/debian/patches/series glewlwyd-2.5.2/debian/patches/series --- glewlwyd-2.5.2/debian/patches/series 2021-12-17 07:51:46.000000000 -0500 +++ glewlwyd-2.5.2/debian/patches/series 2022-03-17 21:13:09.000000000 -0400 @@ -1,3 +1,4 @@ #webpack.patch +webauthn-2.patch webauthn.patch auth.patch diff -Nru glewlwyd-2.5.2/debian/patches/webauthn-2.patch glewlwyd-2.5.2/debian/patches/webauthn-2.patch --- glewlwyd-2.5.2/debian/patches/webauthn-2.patch 1969-12-31 19:00:00.000000000 -0500 +++ glewlwyd-2.5.2/debian/patches/webauthn-2.patch 2022-03-17 21:13:09.000000000 -0400 
@@ -0,0 +1,32 @@ +Description: Fix buffer overflow +Author: Nicolas Mora <babelou...@debian.org> +Forwarded: not-needed +--- a/src/scheme/webauthn.c ++++ b/src/scheme/webauthn.c +@@ -2336,12 +2336,24 @@ + break; + } + +- if (!o_base64url_decode((const unsigned char *)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), sig, &sig_len)) { +- y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Error o_base64url_decode signature"); ++ if (!o_base64url_decode((const unsigned char *)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), NULL, &sig_len)) { ++ y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Invalid signature format"); + ret = G_ERROR_PARAM; + break; + } + ++ if (sig_len > 128) { ++ y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Invalid signature"); ++ ret = G_ERROR_PARAM; ++ break; ++ } ++ ++ if (!o_base64url_decode((const unsigned char *)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data, "credential"), "response"), "signature")), sig, &sig_len)) { ++ y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Error o_base64url_decode signature"); ++ ret = G_ERROR; ++ break; ++ } ++ + memcpy(data_signed, auth_data, auth_data_len); + memcpy(data_signed+auth_data_len, cdata_hash, cdata_hash_len); +
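Review bot: in the debian/patches/series hunk, webauthn-2.patch is inserted ahead of webauthn.patch, so the newer patch now applies before the older one. Unless the context lines of webauthn-2.patch require that order, append it at the end of series so the file stays in chronological order and the context the new patch was generated against (a tree with webauthn.patch already applied) matches what quilt sees at apply time.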
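Review bot: the `sig_len > 128` bound in the webauthn-2.patch hunk is a bare literal that has to agree with the declared size of `sig`, which is outside the hunk; write it as `sizeof(sig)` (or the constant used in the declaration) so a later resize of the buffer cannot silently reopen the overflow. Two things the fix relies on are worth confirming in review: that o_base64url_decode with a NULL output pointer only computes `sig_len` and writes nothing, and that 128 bytes covers every signature type the scheme accepts (an RSA-2048 signature is 256 bytes, so any such assertion would now fail with G_ERROR_PARAM). The second decode returning G_ERROR rather than G_ERROR_PARAM is reasonable since it cannot fail on input that passed the first pass, but the log line "Error o_base64url_decode signature" could say that it is an internal error. Minor: the DEP-3 header has `Forwarded: not-needed` but no `Origin:` or `Bug:` line pointing at the upstream fix or the CVE, which makes the backport harder to trace.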
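As an added illustration, not code from Glewlwyd, orcania or the debdiff above, here is the two-pass shape the patch adopts written against a small self-contained base64url decoder: measure the decoded length first, reject anything that would not fit the fixed buffer, and only then decode into it. The 128-byte buffer, the function names and the all-zero test signature are assumptions; the hand-written decoder stands in for o_base64url_decode so the example runs offline, and base64_to_base64url stands in for the base64-to-base64url conversion that the thread says happens before decoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed fixed-size signature buffer, matching the 128-byte limit the
 * patch enforces (the real declaration of sig[] is not in the hunk). */
#define SIG_BUF_LEN 128

/* Value of one base64url alphabet character, or -1 if it is not one. */
static int b64url_val(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '-') return 62;
    if (c == '_') return 63;
    return -1;
}

/* Rewrites standard base64 into base64url in place: '+' -> '-',
 * '/' -> '_', trailing '=' padding dropped. Stands in for the
 * "conversion before decoding" the thread mentions. Returns the new length. */
size_t base64_to_base64url(char *s, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if (s[i] == '+') s[i] = '-';
        else if (s[i] == '/') s[i] = '_';
    }
    while (len > 0 && s[len - 1] == '=') s[--len] = '\0';
    return len;
}

/* Pass 1: validate and compute the exact decoded length, writing nothing.
 * Trailing '=' is tolerated. Returns 0 on success, -1 on malformed input. */
int b64url_decoded_len(const char *src, size_t src_len, size_t *out_len) {
    while (src_len > 0 && src[src_len - 1] == '=') src_len--;
    size_t rem = src_len % 4;
    if (rem == 1) return -1;                 /* no encoding yields 4k+1 chars */
    for (size_t i = 0; i < src_len; i++)
        if (b64url_val((unsigned char)src[i]) < 0) return -1;
    *out_len = (src_len / 4) * 3 + (rem == 2 ? 1 : rem == 3 ? 2 : 0);
    return 0;
}

/* Pass 2: decode into dst (capacity dst_cap). Writes nothing unless the
 * whole output fits. Returns 0 on success, -1 on bad input or overflow. */
int b64url_decode(const char *src, size_t src_len,
                  unsigned char *dst, size_t dst_cap, size_t *out_len) {
    size_t need;
    if (b64url_decoded_len(src, src_len, &need) != 0 || need > dst_cap)
        return -1;
    while (src_len > 0 && src[src_len - 1] == '=') src_len--;
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0;
    for (size_t i = 0; i < src_len; i++) {
        acc = (acc << 6) | (uint32_t)b64url_val((unsigned char)src[i]);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            dst[n++] = (unsigned char)((acc >> bits) & 0xFF);
            acc &= (1u << bits) - 1;         /* keep only the leftover bits */
        }
    }
    *out_len = n;
    return 0;
}

/* The shape of the CVE-2022-27240 fix: measure first, reject anything
 * that would not fit in sig[], only then decode into it.
 * Returns 1 if sig[] now holds the signature, 0 if it was rejected. */
int load_signature(const char *sig_b64url, unsigned char sig[SIG_BUF_LEN],
                   size_t *sig_len) {
    size_t need, len = strlen(sig_b64url);
    if (b64url_decoded_len(sig_b64url, len, &need) != 0)
        return 0;                            /* invalid signature format */
    if (need > SIG_BUF_LEN)
        return 0;                            /* would overflow sig[] */
    return b64url_decode(sig_b64url, len, sig, SIG_BUF_LEN, sig_len) == 0;
}

/* Exercises the bound: builds a constructed all-'A' base64url string that
 * decodes to exactly want zero bytes and reports whether load_signature()
 * accepts it (1), rejects it (0), or want exceeds the scratch buffer (-1). */
int accepts_decoded_len(size_t want) {
    char buf[1024];
    unsigned char sig[SIG_BUF_LEN];
    size_t n;
    size_t chars = (want / 3) * 4 + (want % 3 == 1 ? 2 : want % 3 == 2 ? 3 : 0);
    if (chars >= sizeof buf) return -1;
    memset(buf, 'A', chars);
    buf[chars] = '\0';
    if (!load_signature(buf, sig, &n)) return 0;
    return n == want;
}
```

The point of the split is that the length check happens before any byte is written: a 129-byte signature is refused by load_signature() before b64url_decode() runs, which is exactly what the NULL-output first call in the patch achieves with o_base64url_decode.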