Christoph Biedl wrote...

>   [x] attach debdiff against the package in (old)stable

Now for real.
diff -Nru jose-11/debian/changelog jose-11/debian/changelog
--- jose-11/debian/changelog    2021-12-01 20:33:13.000000000 +0100
+++ jose-11/debian/changelog    2024-04-04 15:11:36.000000000 +0200
@@ -1,3 +1,10 @@
+jose (11-2+deb12u1) bookworm; urgency=high
+
+  * Cherry-pick "Fix potential DoS issue with p2c header". Closes:
+    #1067457 [CVE-2023-50967]
+
+ -- Christoph Biedl <debian.a...@manchmal.in-ulm.de>  Thu, 04 Apr 2024 
18:12:00 +0200
+
 jose (11-2) unstable; urgency=medium
 
   * Replace usage of which(1)
diff -Nru 
jose-11/debian/patches/1711969854.v12-3-g4ee7708.fix-potential-dos-issue-with-p2c-header.patch
 
jose-11/debian/patches/1711969854.v12-3-g4ee7708.fix-potential-dos-issue-with-p2c-header.patch
--- 
jose-11/debian/patches/1711969854.v12-3-g4ee7708.fix-potential-dos-issue-with-p2c-header.patch
      1970-01-01 01:00:00.000000000 +0100
+++ 
jose-11/debian/patches/1711969854.v12-3-g4ee7708.fix-potential-dos-issue-with-p2c-header.patch
      2024-04-04 12:36:46.000000000 +0200
@@ -0,0 +1,85 @@
+Subject: Fix potential DoS issue with p2c header
+ID: CVE-2023-50967
+Origin: v12-3-g4ee7708 <https://github.com/latchset/jose/commit/v12-3-g4ee7708>
+Upstream-Author: Sergio Correia <scorr...@redhat.com>
+Date: Mon Apr 1 12:10:54 2024 +0100
+
+    Unbounded p2c headers may be used to cause an application that accept
+    PBES algorithms to spend a lot of resources running PBKDF2 with a very
+    high number of iterations.
+
+    Limit the maximum number of iterations to to 32768.
+
+    Fixes: CVE-2023-50967
+
+    Signed-off-by: Sergio Correia <scorr...@redhat.com>
+
+--- a/lib/openssl/pbes2.c
++++ b/lib/openssl/pbes2.c
+@@ -25,6 +25,8 @@
+ #include <string.h>
+ 
+ #define NAMES "PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"
++#define P2C_MIN_ITERATIONS 1000
++#define P2C_MAX_ITERATIONS 32768
+ 
+ static json_t *
+ pbkdf2(const char *alg, jose_cfg_t *cfg, const json_t *jwk, int iter,
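Review bot: The two new constants at `P2C_MIN_ITERATIONS` / `P2C_MAX_ITERATIONS` carry no comment, and the later hunks make P2C_MAX_ITERATIONS a hard cap that is enforced on both the wrap and the unwrap path with no override through jose_cfg_t, so a JWE produced by another implementation with a larger p2c will stop decrypting after this change. That interoperability consequence, and the fact that 32768 is a DoS work bound rather than a cryptographic strength recommendation, are worth stating where a maintainer would look. Suggest `/* p2c bounds: MIN is the RFC 7518 recommended floor; MAX caps PBKDF2 work per JWE (CVE-2023-50967) and also rejects foreign JWEs that use a larger p2c. */`. The pbkdf2() signature the hunk ends on continues outside the hunk.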
+@@ -193,7 +195,7 @@
+     json_auto_t *hdr = NULL;
+     const char *aes = NULL;
+     json_t *h = NULL;
+-    int p2c = 10000;
++    int p2c = P2C_MAX_ITERATIONS;
+     size_t stl = 0;
+ 
+     if (!json_object_get(cek, "k") && !jose_jwk_gen(cfg, cek))
+@@ -226,7 +228,7 @@
+         json_object_set_new(h, "p2c", json_integer(p2c)) < 0)
+         return false;
+ 
+-    if (p2c < 1000)
++    if (p2c < P2C_MIN_ITERATIONS || p2c > P2C_MAX_ITERATIONS)
+         return false;
+ 
+     if (json_object_set_new(h, "p2s", jose_b64_enc(st, stl)) == -1)
+@@ -268,6 +270,9 @@
+     if (json_unpack(hdr, "{s:I}", "p2c", &p2c) == -1)
+         return false;
+ 
++    if (p2c > P2C_MAX_ITERATIONS)
++        return false;
++
+     stl = jose_b64_dec(json_object_get(hdr, "p2s"), NULL, 0);
+     if (stl < 8 || stl > sizeof(st))
+         return false;
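Review bot: The unwrap-side check `if (p2c > P2C_MAX_ITERATIONS)` bounds the header value only from above; a zero or negative p2c still passes and reaches the key derivation, whereas the wrap path in the same patch rejects anything below P2C_MIN_ITERATIONS, so the two sides now disagree on what a valid p2c is. RFC 7518 requires p2c to be a positive integer, and since the value is unpacked with the 64-bit `I` format while the pbkdf2 helper visible in the first hunk takes `int iter`, a large negative value would also be truncated before use if it is passed through unchanged. Suggest `if (p2c < 1 || p2c > P2C_MAX_ITERATIONS) return false;`, or mirror the wrap side's lower bound if accepting low-iteration foreign JWEs is not required. The enclosing unwrap function starts and ends outside the hunk, so p2c's declared type there and what OpenSSL does with a non-positive iteration count are not visible here.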
+--- /dev/null
++++ b/tests/cve-2023-50967/cve-2023-50967.jwe
+@@ -0,0 +1 @@
++{"ciphertext":"aaPb-JYGACs-loPwJkZewg","encrypted_key":"P1h8q8wLVxqYsZUuw6iEQTzgXVZHCsu8Eik-oqbE4AJGIDto3gb3SA","header":{"alg":"PBES2-HS256+A128KW","p2c":1000000000,"p2s":"qUQQWWkyyIqculSiC93mlg"},"iv":"Clg3JX9oNl_ck3sLSGrlgg","protected":"eyJlbmMiOiJBMTI4Q0JDLUhTMjU2In0","tag":"i7vga9tJkwRswFd7HlyD_A"}
+--- /dev/null
++++ b/tests/cve-2023-50967/cve-2023-50967.jwk
+@@ -0,0 +1 @@
++{"alg":"PBES2-HS256+A128KW","k":"VHBLJ4-PmnqELoKbQoXuRA","key_ops":["wrapKey","unwrapKey"],"kty":"oct"}
+--- a/tests/jose-jwe-dec
++++ b/tests/jose-jwe-dec
+@@ -53,3 +53,8 @@
+ test "`jose jwe dec -i $prfx.13.jweg -k $prfx.13.1.jwk`" = "`cat $prfx.13.pt`"
+ test "`jose jwe dec -i $prfx.13.jweg -k $prfx.13.2.jwk`" = "`cat $prfx.13.pt`"
+ test "`jose jwe dec -i $prfx.13.jweg -k $prfx.13.3.jwk`" = "`cat $prfx.13.pt`"
++
++# CVE-2023-50967 - test originally from 
https://github.com/P3ngu1nW/CVE_Request/blob/main/latch-jose.md
++# This test is expected to fail quickly on patched systems.
++prfx="${CVE_2023_50967}/cve-2023-50967"
++! test "$(jose jwe dec -i $prfx.jwe -k $prfx.jwk)"
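Review bot: The regression check `! test "$(jose jwe dec -i $prfx.jwe -k $prfx.jwk)"` asserts only that stdout is empty, so it would also pass if decryption succeeded but printed nothing, and it does not distinguish "refused the header" from any other failure. Checking the exit status is the more direct assertion: `! jose jwe dec -i $prfx.jwe -k $prfx.jwk >/dev/null`. Note that on an unpatched build this vector (p2c of 1000000000) makes the test hang rather than fail, as the added comment implies; whether the script runs under `set -e` is not visible in the hunk, and `!` on a simple command behaves the same either way.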
+--- a/tests/meson.build
++++ b/tests/meson.build
+@@ -31,6 +31,8 @@
+ e = environment()
+ e.prepend('PATH', meson.current_build_dir() + '/../cmd', separator: ':')
+ e.set('VECTORS', meson.current_source_dir() + '/vectors')
++e.set('CVE_2023_50967', meson.current_source_dir() + '/cve-2023-50967')
++
+ 
+ foreach p: progs
+   exe = executable(p, p + '.c', dependencies: jansson, link_with: libjose)
diff -Nru jose-11/debian/patches/series jose-11/debian/patches/series
--- jose-11/debian/patches/series       2021-12-01 19:56:42.000000000 +0100
+++ jose-11/debian/patches/series       2024-04-04 12:32:29.000000000 +0200
@@ -1,5 +1,6 @@
 
 # cherry-picked commits. Keep in upstream's chronological order
+1711969854.v12-3-g4ee7708.fix-potential-dos-issue-with-p2c-header.patch
 
 # patches for upstream
 for-upstream/2021-12-01.replace-usage-of-which.patch
