Your message dated Thu, 26 Sep 2024 00:02:03 +0300
with message-id <ZvR6S5XXQNzDaM8O@localhost>
and subject line Re: Bug#1082674: bookworm-pu: package
booth/1.0-283-g9d4029a-2+deb12u1
has caused the Debian Bug report #1082674,
regarding bookworm-pu: package booth/1.0-283-g9d4029a-2+deb12u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1082674: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082674
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Debian HA Maintainers
<debian-ha-maintain...@alioth-lists.debian.net>, secur...@debian.org
* CVE-2024-3049: wrong hmac might be accepted (Closes: #1073249)
Tagged moreinfo, as question to the security team if they want this
fix in -pu or as DSA.
diffstat for booth-1.0-283-g9d4029a booth-1.0-283-g9d4029a
changelog | 7 +
patches/0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch | 65 ++++++++++
patches/0002-attr-Fix-reading-of-server_reply.patch | 37 +++++
patches/series | 2
4 files changed, 111 insertions(+)
diff -Nru booth-1.0-283-g9d4029a/debian/changelog booth-1.0-283-g9d4029a/debian/changelog
--- booth-1.0-283-g9d4029a/debian/changelog 2023-04-12 23:58:53.000000000 +0300
+++ booth-1.0-283-g9d4029a/debian/changelog 2024-09-24 17:03:44.000000000 +0300
@@ -1,3 +1,10 @@
+booth (1.0-283-g9d4029a-2+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2024-3049: wrong hmac might be accepted (Closes: #1073249)
+
+ -- Adrian Bunk <b...@debian.org> Tue, 24 Sep 2024 17:03:44 +0300
+
booth (1.0-283-g9d4029a-2) unstable; urgency=medium
* d/install: place files in /lib/systemd/system (Closes: #1034211)
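Review bot: the changelog entry carries only the CVE-2024-3049 bullet, while the same upload also adds 0002-attr-Fix-reading-of-server_reply.patch to debian/patches/series; add a second bullet (for example `* attr: Fix reading of server_reply (read_server_reply offset)`) so the client-side fix is visible to anyone reading the stable changelog rather than the debdiff.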
diff -Nru booth-1.0-283-g9d4029a/debian/patches/0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch booth-1.0-283-g9d4029a/debian/patches/0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch
--- booth-1.0-283-g9d4029a/debian/patches/0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch 1970-01-01 02:00:00.000000000 +0200
+++ booth-1.0-283-g9d4029a/debian/patches/0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch 2024-09-24 17:02:31.000000000 +0300
@@ -0,0 +1,65 @@
+From e14c1d167f95053b13d56cd1b2e897168418373a Mon Sep 17 00:00:00 2001
+From: Jan Friesse <jfrie...@redhat.com>
+Date: Wed, 21 Feb 2024 18:12:28 +0100
+Subject: auth: Check result of gcrypt gcry_md_get_algo_dlen
+
+When unknown hash is passed to gcry_md_get_algo_dlen 0 is returned. This
+value is then used for memcmp so wrong hmac might be accepted as
+correct.
+
+Signed-off-by: Jan Friesse <jfrie...@redhat.com>
+---
+ src/auth.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/src/auth.c b/src/auth.c
+index 8f86b9a..a3b3d20 100644
+--- a/src/auth.c
++++ b/src/auth.c
+@@ -28,6 +28,11 @@ int calc_hmac(const void *data, size_t datalen,
+ {
+ static gcry_md_hd_t digest;
+ gcry_error_t err;
++ int hlen;
++
++ hlen = gcry_md_get_algo_dlen(hid);
++ if (!hlen)
++ return -1;
+
+ if (!digest) {
+ err = gcry_md_open(&digest, hid, GCRY_MD_FLAG_HMAC);
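Review bot: the new `hlen = gcry_md_get_algo_dlen(hid); if (!hlen) return -1;` sits correctly before `gcry_md_open`, so an unknown hash id can no longer be opened and cached in the static `digest` handle; one style point is that `gcry_md_get_algo_dlen` returns `unsigned int` while `hlen` is declared `int`, so declaring it `unsigned int hlen` (or casting explicitly) keeps the zero test and the later `memcpy` length free of signed/unsigned conversion.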
+@@ -42,7 +47,7 @@ int calc_hmac(const void *data, size_t datalen,
+ }
+ }
+ gcry_md_write(digest, data, datalen);
+- memcpy(result, gcry_md_read(digest, 0), gcry_md_get_algo_dlen(hid));
++ memcpy(result, gcry_md_read(digest, 0), hlen);
+ gcry_md_reset(digest);
+ return 0;
+ }
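Review bot: `memcpy(result, gcry_md_read(digest, 0), hlen)` now copies a length derived only from `hid`, but the visible signature `calc_hmac(const void *data, size_t datalen, ...)` carries no size for `result`; document at the declaration that the caller must provide at least `gcry_md_get_algo_dlen(hid)` bytes for `result`, or add a result-length parameter and return -1 when it is smaller than `hlen`, so a caller with a too-small buffer fails closed instead of being overrun.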
+@@ -54,15 +59,20 @@ int verify_hmac(const void *data, size_t datalen,
+ {
+ unsigned char *our_hmac;
+ int rc;
++ int hlen;
++
++ hlen = gcry_md_get_algo_dlen(hid);
++ if (!hlen)
++ return -1;
+
+- our_hmac = malloc(gcry_md_get_algo_dlen(hid));
++ our_hmac = malloc(hlen);
+ if (!our_hmac)
+ return -1;
+
+ rc = calc_hmac(data, datalen, hid, our_hmac, key, keylen);
+ if (rc)
+ goto out_free;
+- rc = memcmp(our_hmac, hmac, gcry_md_get_algo_dlen(hid));
++ rc = memcmp(our_hmac, hmac, hlen);
+
+ out_free:
+ if (our_hmac)
+--
+2.30.2
+
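Review bot: `rc = memcmp(our_hmac, hmac, hlen)` fixes the zero-length comparison that accepted any HMAC, but `memcmp` stops at the first differing byte, so its running time depends on how many leading bytes of the attacker-supplied `hmac` match; replace it with a constant-time comparison (a loop that accumulates `diff |= our_hmac[i] ^ ((const unsigned char *)hmac)[i]` over all `hlen` bytes and returns `diff != 0`). Also note that nothing in this hunk bounds the `hmac` argument, so callers must guarantee the received buffer holds at least `hlen` bytes before calling `verify_hmac`; the duplicated `hlen` check here and in `calc_hmac` is fine, since `calc_hmac` has other direct callers.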
diff -Nru booth-1.0-283-g9d4029a/debian/patches/0002-attr-Fix-reading-of-server_reply.patch booth-1.0-283-g9d4029a/debian/patches/0002-attr-Fix-reading-of-server_reply.patch
--- booth-1.0-283-g9d4029a/debian/patches/0002-attr-Fix-reading-of-server_reply.patch 1970-01-01 02:00:00.000000000 +0200
+++ booth-1.0-283-g9d4029a/debian/patches/0002-attr-Fix-reading-of-server_reply.patch 2024-09-24 17:02:31.000000000 +0300
@@ -0,0 +1,37 @@
+From d4541f2845553843b7db852ea8e0c334d56c2a01 Mon Sep 17 00:00:00 2001
+From: Jan Friesse <jfrie...@redhat.com>
+Date: Wed, 21 Feb 2024 17:40:11 +0100
+Subject: attr: Fix reading of server_reply
+
+read_server_reply first reads boothc header and then rest of packet
+which contains hmac info. This should go in memory right after
+boothc_header and not after full length of packet, because full length
+of packet already contains hmac info.
+
+Solution is to simply use length of header and not length of packet.
+
+Longer term and better solution would be to drop read_server_reply
+completely and use recv_auth which is used for everything else but attr
+set and delete.
+
+Signed-off-by: Jan Friesse <jfrie...@redhat.com>
+---
+ src/attr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/attr.c b/src/attr.c
+index 09c15bc..e615c33 100644
+--- a/src/attr.c
++++ b/src/attr.c
+@@ -142,7 +142,7 @@ static int read_server_reply(
+ return -2;
+ }
+ len = ntohl(header->length);
+- rv = tpt->recv(site, msg+len, len-sizeof(*header));
++ rv = tpt->recv(site, msg+sizeof(*header), len-sizeof(*header));
+ if (rv < 0) {
+ return -1;
+ }
+--
+2.30.2
+
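Review bot: `rv = tpt->recv(site, msg+sizeof(*header), len-sizeof(*header));` is the right offset, but the hunk shows no guard that `len >= sizeof(*header)` or that `len` fits within the `msg` buffer; `len` comes straight from the peer via `ntohl(header->length)`, and if the condition guarding the `return -2;` at the top of the hunk does not cover both bounds, `len-sizeof(*header)` underflows to a huge read length and `recv` writes past `msg`. Please confirm that check (it lies outside the visible context) or add an explicit one before the `recv`; the commit message's own suggestion to drop `read_server_reply` in favour of `recv_auth`, which the rest of the code already uses, would be the cleaner follow-up.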
diff -Nru booth-1.0-283-g9d4029a/debian/patches/series booth-1.0-283-g9d4029a/debian/patches/series
--- booth-1.0-283-g9d4029a/debian/patches/series 1970-01-01 02:00:00.000000000 +0200
+++ booth-1.0-283-g9d4029a/debian/patches/series 2024-09-24 17:03:44.000000000 +0300
@@ -0,0 +1,2 @@
+0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch
+0002-attr-Fix-reading-of-server_reply.patch
--- End Message ---
--- Begin Message ---
On Wed, Sep 25, 2024 at 08:46:41PM +0000, Moritz Mühlenhoff wrote:
> On Tue, Sep 24, 2024 at 07:02:07PM +0300, Adrian Bunk wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: bookworm moreinfo
> > User: release.debian....@packages.debian.org
> > Usertags: pu
> > X-Debbugs-Cc: Debian HA Maintainers
> > <debian-ha-maintain...@alioth-lists.debian.net>, secur...@debian.org
> >
> > * CVE-2024-3049: wrong hmac might be accepted (Closes: #1073249)
> >
> > Tagged moreinfo, as question to the security team if they want this
> > fix in -pu or as DSA.
>
> That's fine for a DSA and the debdiff looks fine, so please upload to
> security-master. Thanks!
Uploaded.
> Cheers,
> Moritz
cu
Adrian
--- End Message ---