Bug#1073966: bullseye-pu: package jose/10-3+deb11u1

Christoph Biedl Thu, 20 Jun 2024 13:21:19 -0700

Christoph Biedl wrote...

>   [x] attach debdiff against the package in (old)stable

diff -Nru jose-10/debian/changelog jose-10/debian/changelog
--- jose-10/debian/changelog    2020-05-25 22:11:30.000000000 +0200
+++ jose-10/debian/changelog    2024-04-04 15:54:12.000000000 +0200
@@ -1,3 +1,10 @@
+jose (10-3+deb11u1) bullseye; urgency=high
+
+  * Cherry-pick "Fix potential DoS issue with p2c header". Closes:
+    #1067457 [CVE-2023-50967]
+
+ -- Christoph Biedl <debian.a...@manchmal.in-ulm.de>  Thu, 04 Apr 2024 
18:11:00 +0200
+
 jose (10-3) unstable; urgency=medium
 
   * Cherry-pick commits:
diff -Nru 
jose-10/debian/patches/1711969854.v12-3-g4ee7708.fix-potential-dos-issue-with-p2c-header.patch
 
jose-10/debian/patches/1711969854.v12-3-g4ee7708.fix-potential-dos-issue-with-p2c-header.patch
--- 
jose-10/debian/patches/1711969854.v12-3-g4ee7708.fix-potential-dos-issue-with-p2c-header.patch
      1970-01-01 01:00:00.000000000 +0100
+++ 
jose-10/debian/patches/1711969854.v12-3-g4ee7708.fix-potential-dos-issue-with-p2c-header.patch
      2024-04-04 13:50:48.000000000 +0200
@@ -0,0 +1,86 @@
+Subject: Fix potential DoS issue with p2c header
+ID: CVE-2023-50967
+Origin: v12-3-g4ee7708 <https://github.com/latchset/jose/commit/v12-3-g4ee7708>
+Upstream-Author: Sergio Correia <scorr...@redhat.com>
+Date: Mon Apr 1 12:10:54 2024 +0100
+
+    Unbounded p2c headers may be used to cause an application that accept
+    PBES algorithms to spend a lot of resources running PBKDF2 with a very
+    high number of iterations.
+
+    Limit the maximum number of iterations to to 32768.
+
+    Fixes: CVE-2023-50967
+
+    Signed-off-by: Sergio Correia <scorr...@redhat.com>
+
+--- a/lib/openssl/pbes2.c
++++ b/lib/openssl/pbes2.c
+@@ -25,6 +25,8 @@
+ #include <string.h>
+ 
+ #define NAMES "PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"
++#define P2C_MIN_ITERATIONS 1000
++#define P2C_MAX_ITERATIONS 32768
+ 
+ static json_t *
+ pbkdf2(const char *alg, jose_cfg_t *cfg, const json_t *jwk, int iter,
+@@ -170,7 +172,7 @@
+     json_auto_t *hdr = NULL;
+     const char *aes = NULL;
+     json_t *h = NULL;
+-    int p2c = 10000;
++    int p2c = P2C_MAX_ITERATIONS;
+     size_t stl = 0;
+ 
+     if (!json_object_get(cek, "k") && !jose_jwk_gen(cfg, cek))
+@@ -203,7 +205,7 @@
+         json_object_set_new(h, "p2c", json_integer(p2c)) < 0)
+         return false;
+ 
+-    if (p2c < 1000)
++    if (p2c < P2C_MIN_ITERATIONS || p2c > P2C_MAX_ITERATIONS)
+         return false;
+ 
+     if (json_object_set_new(h, "p2s", jose_b64_enc(st, stl)) == -1)
+@@ -245,6 +247,9 @@
+     if (json_unpack(hdr, "{s:I}", "p2c", &p2c) == -1)
+         return false;
+ 
++    if (p2c > P2C_MAX_ITERATIONS)
++        return false;
++
+     stl = jose_b64_dec(json_object_get(hdr, "p2s"), NULL, 0);
+     if (stl < 8 || stl > sizeof(st))
+         return false;
+--- /dev/null
++++ b/tests/cve-2023-50967/cve-2023-50967.jwe
+@@ -0,0 +1 @@
++{"ciphertext":"aaPb-JYGACs-loPwJkZewg","encrypted_key":"P1h8q8wLVxqYsZUuw6iEQTzgXVZHCsu8Eik-oqbE4AJGIDto3gb3SA","header":{"alg":"PBES2-HS256+A128KW","p2c":1000000000,"p2s":"qUQQWWkyyIqculSiC93mlg"},"iv":"Clg3JX9oNl_ck3sLSGrlgg","protected":"eyJlbmMiOiJBMTI4Q0JDLUhTMjU2In0","tag":"i7vga9tJkwRswFd7HlyD_A"}
+--- /dev/null
++++ b/tests/cve-2023-50967/cve-2023-50967.jwk
+@@ -0,0 +1 @@
++{"alg":"PBES2-HS256+A128KW","k":"VHBLJ4-PmnqELoKbQoXuRA","key_ops":["wrapKey","unwrapKey"],"kty":"oct"}
+--- a/tests/jose-jwe-dec
++++ b/tests/jose-jwe-dec
+@@ -53,3 +53,8 @@
+ test "`jose jwe dec -i $prfx.13.jweg -k $prfx.13.1.jwk`" == "`cat 
$prfx.13.pt`"
+ test "`jose jwe dec -i $prfx.13.jweg -k $prfx.13.2.jwk`" == "`cat 
$prfx.13.pt`"
+ test "`jose jwe dec -i $prfx.13.jweg -k $prfx.13.3.jwk`" == "`cat 
$prfx.13.pt`"
++
++# CVE-2023-50967 - test originally from 
https://github.com/P3ngu1nW/CVE_Request/blob/main/latch-jose.md
++# This test is expected to fail quickly on patched systems.
++prfx="${CVE_2023_50967}/cve-2023-50967"
++! test "$(jose jwe dec -i $prfx.jwe -k $prfx.jwk)"
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -2,7 +2,8 @@
+ LDFLAGS += $(top_builddir)/lib/libjose.la @jansson_LIBS@
+ EXTRA_DIST = vectors
+ 
+-AM_TESTS_ENVIRONMENT=PATH=$(top_builddir)/cmd:$(PATH) 
VECTORS=$(top_srcdir)/tests/vectors
++AM_TESTS_ENVIRONMENT=PATH=$(top_builddir)/cmd:$(PATH) 
VECTORS=$(top_srcdir)/tests/vectors 
CVE_2023_50967=$(top_srcdir)/tests/cve-2023-50967
++
+ TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS)
+ 
+ check_PROGRAMS = \
diff -Nru jose-10/debian/patches/series jose-10/debian/patches/series
--- jose-10/debian/patches/series       2020-05-25 22:11:30.000000000 +0200
+++ jose-10/debian/patches/series       2024-04-04 12:38:22.000000000 +0200
@@ -2,6 +2,7 @@
 # cherry-picked commits. Keep in upstream's chronological order
 cherry-pick.v10-1-g198f720.fix-minor-file-leak.patch
 
cherry-pick.v10-4-g9ec5bf7.add-support-for-rsa-oaep-224-rsa-oaep-384-and-rsa-oaep-512.patch
+1711969854.v12-3-g4ee7708.fix-potential-dos-issue-with-p2c-header.patch
 
 # patches for upstream
 upstream.typo-fixes.patch

signature.asc
Description: PGP signature

Bug#1073966: bullseye-pu: package jose/10-3+deb11u1

Reply via email to