[Debian-ha-maintainers] Bug#1082674: bookworm-pu: package booth/1.0-283-g9d4029a-2+deb12u1

Adrian Bunk bunk at debian.org
Tue Sep 24 17:02:07 BST 2024


Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: Debian HA Maintainers <debian-ha-maintainers at alioth-lists.debian.net>, security at debian.org

  * CVE-2024-3049: wrong hmac might be accepted (Closes: #1073249)

Tagged moreinfo, as a question to the security team: do they want this
fix in -pu or as a DSA?
-------------- next part --------------
diffstat for booth-1.0-283-g9d4029a booth-1.0-283-g9d4029a

 changelog                                                            |    7 +
 patches/0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch |   65 ++++++++++
 patches/0002-attr-Fix-reading-of-server_reply.patch                  |   37 +++++
 patches/series                                                       |    2 
 4 files changed, 111 insertions(+)

diff -Nru booth-1.0-283-g9d4029a/debian/changelog booth-1.0-283-g9d4029a/debian/changelog
--- booth-1.0-283-g9d4029a/debian/changelog	2023-04-12 23:58:53.000000000 +0300
+++ booth-1.0-283-g9d4029a/debian/changelog	2024-09-24 17:03:44.000000000 +0300
@@ -1,3 +1,10 @@
+booth (1.0-283-g9d4029a-2+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2024-3049: wrong hmac might be accepted (Closes: #1073249)
+
+ -- Adrian Bunk <bunk at debian.org>  Tue, 24 Sep 2024 17:03:44 +0300
+
 booth (1.0-283-g9d4029a-2) unstable; urgency=medium
 
   * d/install: place files in /lib/systemd/system (Closes: #1034211)
diff -Nru booth-1.0-283-g9d4029a/debian/patches/0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch booth-1.0-283-g9d4029a/debian/patches/0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch
--- booth-1.0-283-g9d4029a/debian/patches/0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch	1970-01-01 02:00:00.000000000 +0200
+++ booth-1.0-283-g9d4029a/debian/patches/0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch	2024-09-24 17:02:31.000000000 +0300
@@ -0,0 +1,65 @@
+From e14c1d167f95053b13d56cd1b2e897168418373a Mon Sep 17 00:00:00 2001
+From: Jan Friesse <jfriesse at redhat.com>
+Date: Wed, 21 Feb 2024 18:12:28 +0100
+Subject: auth: Check result of gcrypt gcry_md_get_algo_dlen
+
+When unknown hash is passed to gcry_md_get_algo_dlen 0 is returned. This
+value is then used for memcmp so wrong hmac might be accepted as
+correct.
+
+Signed-off-by: Jan Friesse <jfriesse at redhat.com>
+---
+ src/auth.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/src/auth.c b/src/auth.c
+index 8f86b9a..a3b3d20 100644
+--- a/src/auth.c
++++ b/src/auth.c
+@@ -28,6 +28,11 @@ int calc_hmac(const void *data, size_t datalen,
+ {
+ 	static gcry_md_hd_t digest;
+ 	gcry_error_t err;
++	int hlen;
++
++	hlen = gcry_md_get_algo_dlen(hid);
++	if (!hlen)
++		return -1;
+ 
+ 	if (!digest) {
+ 		err = gcry_md_open(&digest, hid, GCRY_MD_FLAG_HMAC);
+@@ -42,7 +47,7 @@ int calc_hmac(const void *data, size_t datalen,
+ 		}
+ 	}
+ 	gcry_md_write(digest, data, datalen);
+-	memcpy(result, gcry_md_read(digest, 0), gcry_md_get_algo_dlen(hid));
++	memcpy(result, gcry_md_read(digest, 0), hlen);
+ 	gcry_md_reset(digest);
+ 	return 0;
+ }
+@@ -54,15 +59,20 @@ int verify_hmac(const void *data, size_t datalen,
+ {
+ 	unsigned char *our_hmac;
+ 	int rc;
++	int hlen;
++
++	hlen = gcry_md_get_algo_dlen(hid);
++	if (!hlen)
++		return -1;
+ 
+-	our_hmac = malloc(gcry_md_get_algo_dlen(hid));
++	our_hmac = malloc(hlen);
+ 	if (!our_hmac)
+ 		return -1;
+ 
+ 	rc = calc_hmac(data, datalen, hid, our_hmac, key, keylen);
+ 	if (rc)
+ 		goto out_free;
+-	rc = memcmp(our_hmac, hmac, gcry_md_get_algo_dlen(hid));
++	rc = memcmp(our_hmac, hmac, hlen);
+ 
+ out_free:
+ 	if (our_hmac)
+-- 
+2.30.2
+
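Review bot: The tag check at `rc = memcmp(our_hmac, hmac, hlen);` still uses memcmp, which returns at the first differing byte, so the time verify_hmac takes depends on how many leading bytes of a presented tag match the computed one; the fix closes the zero-length case but leaves this comparison as it was. A fixed-time compare that touches all hlen bytes removes that dependency at negligible cost, and since verify_hmac's callers presumably only test rc for zero versus non-zero the 0/1 result below should be a drop-in replacement — worth confirming against the call sites. A smaller nit: `gcry_md_get_algo_dlen` returns `unsigned int`, so `unsigned int hlen;` would match the API and avoid the sign conversion in both functions. verify_hmac's body continues past the end of the hunk (the out_free cleanup is cut off).
```c
/* Fixed-time byte comparison: always walks all n bytes so the running time
 * does not depend on the position of the first mismatch. Returns 0 iff equal. */
static int hmac_compare(const unsigned char *a, const unsigned char *b, size_t n)
{
	const volatile unsigned char *pa = a;
	const volatile unsigned char *pb = b;
	unsigned char acc = 0;

	for (size_t i = 0; i < n; i++)
		acc |= pa[i] ^ pb[i];
	return acc != 0;
}

/* … unchanged: calc_hmac … */

	/* … unchanged: verify_hmac up to and including the calc_hmac call … */
	rc = hmac_compare(our_hmac, hmac, hlen);
```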
diff -Nru booth-1.0-283-g9d4029a/debian/patches/0002-attr-Fix-reading-of-server_reply.patch booth-1.0-283-g9d4029a/debian/patches/0002-attr-Fix-reading-of-server_reply.patch
--- booth-1.0-283-g9d4029a/debian/patches/0002-attr-Fix-reading-of-server_reply.patch	1970-01-01 02:00:00.000000000 +0200
+++ booth-1.0-283-g9d4029a/debian/patches/0002-attr-Fix-reading-of-server_reply.patch	2024-09-24 17:02:31.000000000 +0300
@@ -0,0 +1,37 @@
+From d4541f2845553843b7db852ea8e0c334d56c2a01 Mon Sep 17 00:00:00 2001
+From: Jan Friesse <jfriesse at redhat.com>
+Date: Wed, 21 Feb 2024 17:40:11 +0100
+Subject: attr: Fix reading of server_reply
+
+read_server_reply first reads boothc header and then rest of packet
+which contains hmac info. This should go in memory right after
+boothc_header and not after full length of packet, because full length
+of packet already contains hmac info.
+
+Solution is to simply use length of header and not length of packet.
+
+Longer term and better solution would be to drop read_server_reply
+completely and use recv_auth which is used for everything else but attr
+set and delete.
+
+Signed-off-by: Jan Friesse <jfriesse at redhat.com>
+---
+ src/attr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/attr.c b/src/attr.c
+index 09c15bc..e615c33 100644
+--- a/src/attr.c
++++ b/src/attr.c
+@@ -142,7 +142,7 @@ static int read_server_reply(
+ 		return -2;
+ 	}
+ 	len = ntohl(header->length);
+-	rv = tpt->recv(site, msg+len, len-sizeof(*header));
++	rv = tpt->recv(site, msg+sizeof(*header), len-sizeof(*header));
+ 	if (rv < 0) {
+ 		return -1;
+ 	}
+-- 
+2.30.2
+
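Review bot: `len = ntohl(header->length)` comes from the peer, and the new line `rv = tpt->recv(site, msg+sizeof(*header), len-sizeof(*header));` uses it without a visible bound: a len smaller than sizeof(*header) wraps the size_t subtraction to a huge count, and a len larger than the buffer behind `msg` lets the receive write past it, unless a check above the hunk already rejects such values — the `return -2;` at the top of the hunk suggests some validation exists, but its condition is not in view. A guard such as `if (len < sizeof(*header) || len > <size of the msg buffer>) return -2;` placed before the recv would make the corrected offset safe independent of what the earlier check covers. read_server_reply starts and ends outside the hunk.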
diff -Nru booth-1.0-283-g9d4029a/debian/patches/series booth-1.0-283-g9d4029a/debian/patches/series
--- booth-1.0-283-g9d4029a/debian/patches/series	1970-01-01 02:00:00.000000000 +0200
+++ booth-1.0-283-g9d4029a/debian/patches/series	2024-09-24 17:03:44.000000000 +0300
@@ -0,0 +1,2 @@
+0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch
+0002-attr-Fix-reading-of-server_reply.patch

