On 10/27/23 20:20, Moritz Mühlenhoff wrote:
Source: node-browserify-sign X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: securityHi, The following vulnerability was published for node-browserify-sign. CVE-2023-46234[0]: | browserify-sign is a package to duplicate the functionality of | node's crypto public key functions, much of this is based on Fedor | Indutny's work on indutny/tls.js. An upper bound check issue in | `dsaVerify` function allows an attacker to construct signatures that | can be successfully verified by any public key, thus leading to a | signature forgery attack. All places in this project that involve | DSA verification of user-input signatures will be affected by this | vulnerability. This issue has been patched in version 4.2.2. https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30 If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-46234 https://www.cve.org/CVERecord?id=CVE-2023-46234 Please adjust the affected versions in the BTS as needed.
Hi, please find attached the debdiff for Bookworm Kind regards, Yadd
diff --git a/debian/changelog b/debian/changelog index 5e3404f..c421503 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-browserify-sign (4.2.1-3+deb12u1) bookworm-security; urgency=high + + * Team upload + * Properly check the upper bound for DSA signatures (Closes: #1054667, CVE-2023-46234) + + -- Yadd <y...@debian.org> Sat, 28 Oct 2023 12:03:04 +0400 + node-browserify-sign (4.2.1-3) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2023-46234.patch b/debian/patches/CVE-2023-46234.patch new file mode 100644 index 0000000..152fd72 --- /dev/null +++ b/debian/patches/CVE-2023-46234.patch @@ -0,0 +1,68 @@ +Description: properly check the upper bound for DSA signatures +Author: roadicing <roadic...@gmail.com> +Origin: upstream, https://github.com/browserify/browserify-sign/commit/85994cd6 +Bug: https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw +Bug-Debian: https://bugs.debian.org/1054667 +Forwarded: not-needed +Applied-Upstream: 4.2.2, commit: 85994cd6 +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2023-10-28 + +--- a/browser/verify.js ++++ b/browser/verify.js +@@ -78,7 +78,7 @@ + + function checkValue (b, q) { + if (b.cmpn(0) <= 0) throw new Error('invalid sig') +- if (b.cmp(q) >= q) throw new Error('invalid sig') ++ if (b.cmp(q) >= 0) throw new Error('invalid sig') + } + + module.exports = verify +--- a/test/index.js ++++ b/test/index.js +@@ -4,6 +4,8 @@ + var nCrypto = require('crypto') + var bCrypto = require('../browser') + var fixtures = require('./fixtures') ++var BN = require('bn.js') ++var parseKeys = require('parse-asn1') + + function isNode10 () { + return parseInt(process.version.split('.')[1], 10) <= 10 +@@ -100,6 +102,35 @@ + t.end() + }) + } ++ ++ var s = parseKeys(pub).data.q; ++ test( ++ f.message + ' against a fake signature', ++ { skip: !s || '(this test only applies to DSA signatures and not EC signatures, this is ' + f.scheme + ')' }, ++ function (t) { ++ var messageBase64 = Buffer.from(f.message, 'base64'); ++ ++ // forge a fake signature ++ var r = new BN('1'); ++ ++ try { ++ var fakeSig = asn1.signature.encode({ r: r, s: s }, 'der'); ++ } catch (e) { ++ t.ifError(e); ++ t.end(); ++ return; ++ } ++ ++ var bVer = bCrypto.createVerify(f.scheme); ++ t['throws']( ++ function () { bVer.update(messageBase64).verify(pub, fakeSig); }, ++ Error, ++ 'fake signature is invalid' ++ ); ++ ++ t.end(); ++ } ++ ); + }) + + fixtures.valid.kvectors.forEach(function (f) { diff --git a/debian/patches/series b/debian/patches/series index 8aafdeb..86ff972 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ drop-rmd160-support.patch +CVE-2023-46234.patch
-- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
