[Debian-ha-maintainers] Bug#1082674: bookworm-pu: package booth/1.0-283-g9d4029a-2+deb12u1
Adrian Bunk
bunk at debian.org
Tue Sep 24 17:02:07 BST 2024
Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: Debian HA Maintainers <debian-ha-maintainers at alioth-lists.debian.net>, security at debian.org
* CVE-2024-3049: wrong hmac might be accepted (Closes: #1073249)
Tagged moreinfo, as a question to the security team whether they want this
fix in -pu or as a DSA.
-------------- next part --------------
diffstat for booth-1.0-283-g9d4029a booth-1.0-283-g9d4029a
changelog | 7 +
patches/0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch | 65 ++++++++++
patches/0002-attr-Fix-reading-of-server_reply.patch | 37 +++++
patches/series | 2
4 files changed, 111 insertions(+)
diff -Nru booth-1.0-283-g9d4029a/debian/changelog booth-1.0-283-g9d4029a/debian/changelog
--- booth-1.0-283-g9d4029a/debian/changelog 2023-04-12 23:58:53.000000000 +0300
+++ booth-1.0-283-g9d4029a/debian/changelog 2024-09-24 17:03:44.000000000 +0300
@@ -1,3 +1,10 @@
+booth (1.0-283-g9d4029a-2+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2024-3049: wrong hmac might be accepted (Closes: #1073249)
+
+ -- Adrian Bunk <bunk at debian.org> Tue, 24 Sep 2024 17:03:44 +0300
+
booth (1.0-283-g9d4029a-2) unstable; urgency=medium
* d/install: place files in /lib/systemd/system (Closes: #1034211)
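Review bot: the changelog entry only mentions the CVE-2024-3049 fix, but the upload also adds debian/patches/0002-attr-Fix-reading-of-server_reply.patch, a separate correction in src/attr.c (the payload was received at msg+len instead of msg+sizeof(*header)). Add a changelog line for it, e.g. `* attr: Fix reading of server_reply (receive the payload at msg+sizeof(*header)).`, so the stable release team can see everything this update changes.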
diff -Nru booth-1.0-283-g9d4029a/debian/patches/0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch booth-1.0-283-g9d4029a/debian/patches/0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch
--- booth-1.0-283-g9d4029a/debian/patches/0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch 1970-01-01 02:00:00.000000000 +0200
+++ booth-1.0-283-g9d4029a/debian/patches/0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch 2024-09-24 17:02:31.000000000 +0300
@@ -0,0 +1,65 @@
+From e14c1d167f95053b13d56cd1b2e897168418373a Mon Sep 17 00:00:00 2001
+From: Jan Friesse <jfriesse at redhat.com>
+Date: Wed, 21 Feb 2024 18:12:28 +0100
+Subject: auth: Check result of gcrypt gcry_md_get_algo_dlen
+
+When unknown hash is passed to gcry_md_get_algo_dlen 0 is returned. This
+value is then used for memcmp so wrong hmac might be accepted as
+correct.
+
+Signed-off-by: Jan Friesse <jfriesse at redhat.com>
+---
+ src/auth.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/src/auth.c b/src/auth.c
+index 8f86b9a..a3b3d20 100644
+--- a/src/auth.c
++++ b/src/auth.c
+@@ -28,6 +28,11 @@ int calc_hmac(const void *data, size_t datalen,
+ {
+ static gcry_md_hd_t digest;
+ gcry_error_t err;
++ int hlen;
++
++ hlen = gcry_md_get_algo_dlen(hid);
++ if (!hlen)
++ return -1;
+
+ if (!digest) {
+ err = gcry_md_open(&digest, hid, GCRY_MD_FLAG_HMAC);
+@@ -42,7 +47,7 @@ int calc_hmac(const void *data, size_t datalen,
+ }
+ }
+ gcry_md_write(digest, data, datalen);
+- memcpy(result, gcry_md_read(digest, 0), gcry_md_get_algo_dlen(hid));
++ memcpy(result, gcry_md_read(digest, 0), hlen);
+ gcry_md_reset(digest);
+ return 0;
+ }
+@@ -54,15 +59,20 @@ int verify_hmac(const void *data, size_t datalen,
+ {
+ unsigned char *our_hmac;
+ int rc;
++ int hlen;
++
++ hlen = gcry_md_get_algo_dlen(hid);
++ if (!hlen)
++ return -1;
+
+- our_hmac = malloc(gcry_md_get_algo_dlen(hid));
++ our_hmac = malloc(hlen);
+ if (!our_hmac)
+ return -1;
+
+ rc = calc_hmac(data, datalen, hid, our_hmac, key, keylen);
+ if (rc)
+ goto out_free;
+- rc = memcmp(our_hmac, hmac, gcry_md_get_algo_dlen(hid));
++ rc = memcmp(our_hmac, hmac, hlen);
+
+ out_free:
+ if (our_hmac)
+--
+2.30.2
+
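Review bot: the `hlen = gcry_md_get_algo_dlen(hid); if (!hlen) return -1;` guards in both calc_hmac and verify_hmac address the root cause (an unknown algorithm made gcry_md_get_algo_dlen return 0, so `memcmp(our_hmac, hmac, 0)` compared nothing and reported a match), but `hlen` is declared `int` while gcry_md_get_algo_dlen returns `unsigned int`; declare it `unsigned int` so the value passed to `malloc`, `memcpy` and `memcmp` needs no sign conversion. Separately, `rc = memcmp(our_hmac, hmac, hlen);` still compares the tag with an early-exit compare whose timing depends on how many leading bytes match; a constant-time comparison would be the more robust choice for an authentication tag. Worth confirming that callers treat the new -1 from verify_hmac as a verification failure and not as a transient transport error.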
diff -Nru booth-1.0-283-g9d4029a/debian/patches/0002-attr-Fix-reading-of-server_reply.patch booth-1.0-283-g9d4029a/debian/patches/0002-attr-Fix-reading-of-server_reply.patch
--- booth-1.0-283-g9d4029a/debian/patches/0002-attr-Fix-reading-of-server_reply.patch 1970-01-01 02:00:00.000000000 +0200
+++ booth-1.0-283-g9d4029a/debian/patches/0002-attr-Fix-reading-of-server_reply.patch 2024-09-24 17:02:31.000000000 +0300
@@ -0,0 +1,37 @@
+From d4541f2845553843b7db852ea8e0c334d56c2a01 Mon Sep 17 00:00:00 2001
+From: Jan Friesse <jfriesse at redhat.com>
+Date: Wed, 21 Feb 2024 17:40:11 +0100
+Subject: attr: Fix reading of server_reply
+
+read_server_reply first reads boothc header and then rest of packet
+which contains hmac info. This should go in memory right after
+boothc_header and not after full length of packet, because full length
+of packet already contains hmac info.
+
+Solution is to simply use length of header and not length of packet.
+
+Longer term and better solution would be to drop read_server_reply
+completely and use recv_auth which is used for everything else but attr
+set and delete.
+
+Signed-off-by: Jan Friesse <jfriesse at redhat.com>
+---
+ src/attr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/attr.c b/src/attr.c
+index 09c15bc..e615c33 100644
+--- a/src/attr.c
++++ b/src/attr.c
+@@ -142,7 +142,7 @@ static int read_server_reply(
+ return -2;
+ }
+ len = ntohl(header->length);
+- rv = tpt->recv(site, msg+len, len-sizeof(*header));
++ rv = tpt->recv(site, msg+sizeof(*header), len-sizeof(*header));
+ if (rv < 0) {
+ return -1;
+ }
+--
+2.30.2
+
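Review bot: the corrected call `rv = tpt->recv(site, msg+sizeof(*header), len-sizeof(*header));` places the payload directly after the header, which is right, but the visible context shows no check that `len` (taken from `ntohl(header->length)`, i.e. from the peer) is at least `sizeof(*header)` and at most the size of the `msg` buffer before it is used as a receive length: with `len < sizeof(*header)` the subtraction wraps to a huge size_t, and an oversized `len` would let recv write past `msg`. If read_server_reply validates `len` earlier (outside this hunk), fine; otherwise add that bound check before the recv. The commit message's own suggestion to replace read_server_reply with recv_auth would also remove this duplicated parsing path.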
diff -Nru booth-1.0-283-g9d4029a/debian/patches/series booth-1.0-283-g9d4029a/debian/patches/series
--- booth-1.0-283-g9d4029a/debian/patches/series 1970-01-01 02:00:00.000000000 +0200
+++ booth-1.0-283-g9d4029a/debian/patches/series 2024-09-24 17:03:44.000000000 +0300
@@ -0,0 +1,2 @@
+0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch
+0002-attr-Fix-reading-of-server_reply.patch