Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Debian HA Maintainers 
<debian-ha-maintain...@alioth-lists.debian.net>, secur...@debian.org

  * CVE-2024-3049: wrong hmac might be accepted (Closes: #1073249)

Tagged moreinfo, as a question to the security team whether they want this
fix in -pu or as a DSA.
diffstat for booth-1.0-283-g9d4029a booth-1.0-283-g9d4029a

 changelog                                                            |    7 +
 patches/0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch |   65 
++++++++++
 patches/0002-attr-Fix-reading-of-server_reply.patch                  |   37 
+++++
 patches/series                                                       |    2 
 4 files changed, 111 insertions(+)

diff -Nru booth-1.0-283-g9d4029a/debian/changelog 
booth-1.0-283-g9d4029a/debian/changelog
--- booth-1.0-283-g9d4029a/debian/changelog     2023-04-12 23:58:53.000000000 
+0300
+++ booth-1.0-283-g9d4029a/debian/changelog     2024-09-24 17:03:44.000000000 
+0300
@@ -1,3 +1,10 @@
+booth (1.0-283-g9d4029a-2+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2024-3049: wrong hmac might be accepted (Closes: #1073249)
+
+ -- Adrian Bunk <b...@debian.org>  Tue, 24 Sep 2024 17:03:44 +0300
+
 booth (1.0-283-g9d4029a-2) unstable; urgency=medium
 
   * d/install: place files in /lib/systemd/system (Closes: #1034211)
diff -Nru 
booth-1.0-283-g9d4029a/debian/patches/0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch
 
booth-1.0-283-g9d4029a/debian/patches/0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch
--- 
booth-1.0-283-g9d4029a/debian/patches/0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch
  1970-01-01 02:00:00.000000000 +0200
+++ 
booth-1.0-283-g9d4029a/debian/patches/0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch
  2024-09-24 17:02:31.000000000 +0300
@@ -0,0 +1,65 @@
+From e14c1d167f95053b13d56cd1b2e897168418373a Mon Sep 17 00:00:00 2001
+From: Jan Friesse <jfrie...@redhat.com>
+Date: Wed, 21 Feb 2024 18:12:28 +0100
+Subject: auth: Check result of gcrypt gcry_md_get_algo_dlen
+
+When unknown hash is passed to gcry_md_get_algo_dlen 0 is returned. This
+value is then used for memcmp so wrong hmac might be accepted as
+correct.
+
+Signed-off-by: Jan Friesse <jfrie...@redhat.com>
+---
+ src/auth.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/src/auth.c b/src/auth.c
+index 8f86b9a..a3b3d20 100644
+--- a/src/auth.c
++++ b/src/auth.c
+@@ -28,6 +28,11 @@ int calc_hmac(const void *data, size_t datalen,
+ {
+       static gcry_md_hd_t digest;
+       gcry_error_t err;
++      int hlen;
++
++      hlen = gcry_md_get_algo_dlen(hid);
++      if (!hlen)
++              return -1;
+ 
+       if (!digest) {
+               err = gcry_md_open(&digest, hid, GCRY_MD_FLAG_HMAC);
+@@ -42,7 +47,7 @@ int calc_hmac(const void *data, size_t datalen,
+               }
+       }
+       gcry_md_write(digest, data, datalen);
+-      memcpy(result, gcry_md_read(digest, 0), gcry_md_get_algo_dlen(hid));
++      memcpy(result, gcry_md_read(digest, 0), hlen);
+       gcry_md_reset(digest);
+       return 0;
+ }
+@@ -54,15 +59,20 @@ int verify_hmac(const void *data, size_t datalen,
+ {
+       unsigned char *our_hmac;
+       int rc;
++      int hlen;
++
++      hlen = gcry_md_get_algo_dlen(hid);
++      if (!hlen)
++              return -1;
+ 
+-      our_hmac = malloc(gcry_md_get_algo_dlen(hid));
++      our_hmac = malloc(hlen);
+       if (!our_hmac)
+               return -1;
+ 
+       rc = calc_hmac(data, datalen, hid, our_hmac, key, keylen);
+       if (rc)
+               goto out_free;
+-      rc = memcmp(our_hmac, hmac, gcry_md_get_algo_dlen(hid));
++      rc = memcmp(our_hmac, hmac, hlen);
+ 
+ out_free:
+       if (our_hmac)
+-- 
+2.30.2
+
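Review bot: The rewritten comparison in verify_hmac, `rc = memcmp(our_hmac, hmac, hlen);`, still uses memcmp, which returns at the first differing byte, so the time the check takes depends on how many leading bytes of the presented MAC are correct; a comparison that touches all hlen bytes regardless of where a mismatch occurs removes that dependency. The declared type of hmac and the use of rc after `out_free:` are outside the hunk, so the sketch below assumes hmac is addressable as bytes and that callers only distinguish rc == 0 from rc != 0, which is all memcmp's contract guarantees anyway. A smaller point: gcry_md_get_algo_dlen returns an unsigned value, so `unsigned int hlen;` in both calc_hmac and verify_hmac avoids a sign conversion while keeping the `if (!hlen)` guard as is. verify_hmac's body continues past the end of the hunk.
```c
	rc = calc_hmac(data, datalen, hid, our_hmac, key, keylen);
	if (rc)
		goto out_free;
	/* Compare every byte so the result is ready at the same point
	 * whether the MACs differ in the first byte or the last. */
	{
		const unsigned char *theirs = hmac; /* assumes hmac is byte-addressable — confirm against the prototype */
		unsigned char diff = 0;
		int i;

		for (i = 0; i < hlen; i++)
			diff |= our_hmac[i] ^ theirs[i];
		rc = diff != 0;
	}
	/* … unchanged: out_free cleanup … */
```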
diff -Nru 
booth-1.0-283-g9d4029a/debian/patches/0002-attr-Fix-reading-of-server_reply.patch
 
booth-1.0-283-g9d4029a/debian/patches/0002-attr-Fix-reading-of-server_reply.patch
--- 
booth-1.0-283-g9d4029a/debian/patches/0002-attr-Fix-reading-of-server_reply.patch
   1970-01-01 02:00:00.000000000 +0200
+++ 
booth-1.0-283-g9d4029a/debian/patches/0002-attr-Fix-reading-of-server_reply.patch
   2024-09-24 17:02:31.000000000 +0300
@@ -0,0 +1,37 @@
+From d4541f2845553843b7db852ea8e0c334d56c2a01 Mon Sep 17 00:00:00 2001
+From: Jan Friesse <jfrie...@redhat.com>
+Date: Wed, 21 Feb 2024 17:40:11 +0100
+Subject: attr: Fix reading of server_reply
+
+read_server_reply first reads boothc header and then rest of packet
+which contains hmac info. This should go in memory right after
+boothc_header and not after full length of packet, because full length
+of packet already contains hmac info.
+
+Solution is to simply use length of header and not length of packet.
+
+Longer term and better solution would be to drop read_server_reply
+completely and use recv_auth which is used for everything else but attr
+set and delete.
+
+Signed-off-by: Jan Friesse <jfrie...@redhat.com>
+---
+ src/attr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/attr.c b/src/attr.c
+index 09c15bc..e615c33 100644
+--- a/src/attr.c
++++ b/src/attr.c
+@@ -142,7 +142,7 @@ static int read_server_reply(
+               return -2;
+       }
+       len = ntohl(header->length);
+-      rv = tpt->recv(site, msg+len, len-sizeof(*header));
++      rv = tpt->recv(site, msg+sizeof(*header), len-sizeof(*header));
+       if (rv < 0) {
+               return -1;
+       }
+-- 
+2.30.2
+
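Review bot: The corrected call `rv = tpt->recv(site, msg+sizeof(*header), len-sizeof(*header));` still passes a length derived directly from the peer-supplied `len = ntohl(header->length)` two lines above, and nothing visible in the hunk bounds it: if len is smaller than sizeof(*header) the subtraction wraps to a very large unsigned count, and if len exceeds the buffer msg points to the recv writes past it. A guard immediately after len is assigned, `if (len < sizeof(*header) || len > <size of the msg buffer>) return -2;`, with the upper bound taken from wherever msg is allocated, closes both cases and matches the existing `return -2` style used for malformed input. Whether such a bound already exists cannot be decided from here, since read_server_reply begins before the hunk and the visible `return -2` path runs before len is read.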
diff -Nru booth-1.0-283-g9d4029a/debian/patches/series 
booth-1.0-283-g9d4029a/debian/patches/series
--- booth-1.0-283-g9d4029a/debian/patches/series        1970-01-01 
02:00:00.000000000 +0200
+++ booth-1.0-283-g9d4029a/debian/patches/series        2024-09-24 
17:03:44.000000000 +0300
@@ -0,0 +1,2 @@
+0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch
+0002-attr-Fix-reading-of-server_reply.patch
