[Debian-iot-maintainers] Bug#993867: glewlwyd: possible buffer overflow on webauthn registration

Tue Sep 7 15:05:08 BST 2021

Package: glewlwyd
Version: 2.5.2-2
Severity: important
Tags: patch security
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>




-- System Information:
Debian Release: 11.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'proposed-updates'), (500,
'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not
set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages glewlwyd depends on:
ii  dbconfig-pgsql         2.0.19
ii  debconf [debconf-2.0]  1.5.77
pn  glewlwyd-common        <none>
ii  init-system-helpers    1.60
ii  libc6                  2.31-13
ii  libcbor0               0.5.0+dfsg-2
ii  libconfig9             1.5-0.4
ii  libcrypt1              1:4.4.18-4
ii  libgnutls30            3.7.1-5
pn  libhoel1.4             <none>
pn  libiddawc0.9           <none>
ii  libjansson4            2.13.1-1.1
ii  libldap-2.4-2          2.4.57+dfsg-3
ii  libnettle8             3.7.3-1
ii  liboath0               2.6.6-3
pn  liborcania2.1          <none>
pn  librhonabwy0.9         <none>
pn  libulfius2.7           <none>
pn  libyder2.0             <none>
ii  lsb-base               11.1.0
ii  sqlite3                3.34.1-3
ii  ucf                    3.0043
ii  zlib1g                 1:1.2.11.dfsg-2

glewlwyd recommends no packages.

Versions of packages glewlwyd suggests:
-------------- next part --------------

--- a/src/scheme/webauthn.c
+++ b/src/scheme/webauthn.c
@@ -1530,7 +1530,7 @@
   gnutls_pubkey_t pubkey = NULL;
   gnutls_x509_crt_t cert = NULL;
   gnutls_datum_t cert_dat, data, signature, cert_issued_by;
-  unsigned char data_signed[200], client_data_hash[32], cert_export[32], cert_export_b64[64];
+  unsigned char * data_signed = NULL, client_data_hash[32], cert_export[32], cert_export_b64[64];
   size_t data_signed_offset = 0, client_data_hash_len = 32, cert_export_len = 32, cert_export_b64_len = 0;
   
   if (j_error != NULL) {
@@ -1619,6 +1619,12 @@
         break;
       }
       
+      if ((data_signed = o_malloc(rpid_hash_len+client_data_hash_len+credential_id_len+cert_x_len+cert_y_len+2)) == NULL) {
+        y_log_message(Y_LOG_LEVEL_DEBUG, "check_attestation_fido_u2f - Error allocating data_signed");
+        json_array_append_new(j_error, json_string("Internal error"));
+        break;
+      }
+
       // Build bytestring to verify signature
       data_signed[0] = 0x0;
       data_signed_offset = 1;
@@ -1653,6 +1659,7 @@
       }
       
     } while (0);
+    o_free(data_signed);
     
     if (json_array_size(j_error)) {
       j_return = json_pack("{sisO}", "result", G_ERROR_PARAM, "error", j_error);
