Your message dated Sat, 29 Jun 2024 10:46:19 +0000
with message-id <e1snvb1-002bgs...@coccia.debian.org>
and subject line Released with 12.6
has caused the Debian Bug report #1070249,
regarding bookworm-pu: package python-jwcrypto/1.1.0-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1070249: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070249
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: steve.mcint...@pexip.com, Timo Aaltonen <tjaal...@debian.org>

Hi,

[ Reason ]
I've backported the upstream fix for CVE-2024-28102 (#1065688) to
bookworm. It's not considered critical as a security fix by the
security team, but would still be good to have in bookworm.

Ready to upload if you're happy.

Timo is happy for me to upload this - see the conversation in
#1065688.

[ Impact ]
Minor security issue.

[ Tests ]
The patch comes from upstream, and includes a unit test.

[ Risks ]
The changes are straightforward, cherry-picked from current upstream
and just massaged to fit the older version in bookworm.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

The debdiff here just contains trivial metadata changes from my
initial debdiff in #1065688.

python-jwcrypto (1.1.0-1+deb12u1) bookworm; urgency=medium

  * Apply and tweak upstream security fix for CVE-2024-28102
    Address potential DoS with high compression ratio
diff -Nru python-jwcrypto-1.1.0/debian/changelog python-jwcrypto-1.1.0/debian/changelog
--- python-jwcrypto-1.1.0/debian/changelog      2022-03-29 08:33:50.000000000 +0100
+++ python-jwcrypto-1.1.0/debian/changelog      2024-04-26 17:18:31.000000000 +0100
@@ -1,3 +1,10 @@
+python-jwcrypto (1.1.0-1+deb12u1) bookworm; urgency=medium
+
+  * Apply and tweak upstream security fix for CVE-2024-28102
+    Address potential DoS with high compression ratio
+
+ -- Steve McIntyre <93...@debian.org>  Fri, 26 Apr 2024 17:18:31 +0100
+
 python-jwcrypto (1.1.0-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru python-jwcrypto-1.1.0/debian/patches/CVE-2024-28102.patch python-jwcrypto-1.1.0/debian/patches/CVE-2024-28102.patch
--- python-jwcrypto-1.1.0/debian/patches/CVE-2024-28102.patch   1970-01-01 01:00:00.000000000 +0100
+++ python-jwcrypto-1.1.0/debian/patches/CVE-2024-28102.patch   2024-04-26 17:18:31.000000000 +0100
@@ -0,0 +1,72 @@
+commit 90477a3b6e73da69740e00b8161f53fea19b831f
+Author: Simo Sorce <s...@redhat.com>
+Date:   Tue Mar 5 16:57:17 2024 -0500
+
+    Address potential DoS with high compression ratio
+    
+    Fixes CVE-2024-28102
+    
+    Signed-off-by: Simo Sorce <s...@redhat.com>
+
+Index: os-python-jwcrypto/jwcrypto/jwe.py
+===================================================================
+--- os-python-jwcrypto.orig/jwcrypto/jwe.py
++++ os-python-jwcrypto/jwcrypto/jwe.py
+@@ -9,6 +9,9 @@ from jwcrypto.common import base64url_de
+ from jwcrypto.common import json_decode, json_encode
+ from jwcrypto.jwa import JWA
+ 
++# Limit the amount of data we are willing to decompress by default.
++default_max_compressed_size = 256 * 1024
++
+ 
+ # RFC 7516 - 4.1
+ # name: (description, supported?)
+@@ -387,6 +390,10 @@ class JWE:
+ 
+         compress = jh.get('zip', None)
+         if compress == 'DEF':
++            if len(data) > default_max_compressed_size:
++                raise InvalidJWEData(
++                    'Compressed data exceeds maximum allowed'
++                    'size' + f' ({default_max_compressed_size})')
+             self.plaintext = zlib.decompress(data, -zlib.MAX_WBITS)
+         elif compress is None:
+             self.plaintext = data
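Review bot: The two adjacent string literals in the raised InvalidJWEData message lack a separating space, so the error reads "Compressed data exceeds maximum allowedsize (262144)"; change the first literal to 'Compressed data exceeds maximum allowed ' or fold the whole message into a single f-string. Note also that the check bounds the compressed input rather than the inflated output: zlib's best-case ratio is roughly 1032:1, so with a 256 KiB limit the plaintext can still be about 1032 times that (a few hundred MiB), which is a reasonable DoS bound but worth stating in the comment next to default_max_compressed_size; if a bound on the inflated size itself is wanted, zlib.decompressobj().decompress(data, max_length) caps the output directly.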
+Index: os-python-jwcrypto/jwcrypto/tests.py
+===================================================================
+--- os-python-jwcrypto.orig/jwcrypto/tests.py
++++ os-python-jwcrypto/jwcrypto/tests.py
+@@ -1716,6 +1716,32 @@ class ConformanceTests(unittest.TestCase
+         check.decrypt(key)
+         self.assertEqual(check.payload, b'plain')
+ 
++    def test_jwe_decompression_max(self):
++        key = jwk.JWK(kty='oct', k=base64url_encode(b'A' * (128 // 8)))
++        payload = '{"u": "' + "u" * 400000000 + '", "uu":"' \
++            + "u" * 400000000 + '"}'
++        protected_header = {
++            "alg": "A128KW",
++            "enc": "A128GCM",
++            "typ": "JWE",
++            "zip": "DEF",
++        }
++        enc = jwe.JWE(payload.encode('utf-8'),
++                      recipient=key,
++                      protected=protected_header).serialize(compact=True)
++        with self.assertRaises(jwe.InvalidJWEData):
++            check = jwe.JWE()
++            check.deserialize(enc)
++            check.decrypt(key)
++
++        defmax = jwe.default_max_compressed_size
++        jwe.default_max_compressed_size = 1000000000
++        # ensure we can eraise the limit and decrypt
++        check = jwe.JWE()
++        check.deserialize(enc)
++        check.decrypt(key)
++        jwe.default_max_compressed_size = defmax
++
+ 
+ class JWATests(unittest.TestCase):
+     def test_jwa_create(self):
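Review bot: The test restores jwe.default_max_compressed_size only on the success path; if check.decrypt(key) raises after the limit has been set to 1000000000, the module-level default stays at that value for every later test in the process. Wrap the second deserialize/decrypt in try/finally so the restore always runs. Minor: "eraise" in the comment should read "raise", and building two 400000000-character strings means the test holds roughly 800 MB of payload in memory before compression, which may be heavy on buildd or autopkgtest hosts.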
diff -Nru python-jwcrypto-1.1.0/debian/patches/series python-jwcrypto-1.1.0/debian/patches/series
--- python-jwcrypto-1.1.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ python-jwcrypto-1.1.0/debian/patches/series 2024-04-26 17:18:31.000000000 +0100
@@ -0,0 +1 @@
+CVE-2024-28102.patch

--- End Message ---
--- Begin Message ---
Version: 12.6

The upload requested in this bug has been released as part of 12.6.

--- End Message ---