[Debian-iot-maintainers] Bug#993867: glewlwyd: possible buffer overflow on webauthn registration
Nicolas Mora
babelouest at debian.org
Tue Sep 7 15:05:08 BST 2021
Package: glewlwyd
Version: 2.5.2-2
Severity: important
Tags: patch security
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
-- System Information:
Debian Release: 11.0
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'proposed-updates'), (500,
'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not
set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages glewlwyd depends on:
ii dbconfig-pgsql 2.0.19
ii debconf [debconf-2.0] 1.5.77
pn glewlwyd-common <none>
ii init-system-helpers 1.60
ii libc6 2.31-13
ii libcbor0 0.5.0+dfsg-2
ii libconfig9 1.5-0.4
ii libcrypt1 1:4.4.18-4
ii libgnutls30 3.7.1-5
pn libhoel1.4 <none>
pn libiddawc0.9 <none>
ii libjansson4 2.13.1-1.1
ii libldap-2.4-2 2.4.57+dfsg-3
ii libnettle8 3.7.3-1
ii liboath0 2.6.6-3
pn liborcania2.1 <none>
pn librhonabwy0.9 <none>
pn libulfius2.7 <none>
pn libyder2.0 <none>
ii lsb-base 11.1.0
ii sqlite3 3.34.1-3
ii ucf 3.0043
ii zlib1g 1:1.2.11.dfsg-2
glewlwyd recommends no packages.
Versions of packages glewlwyd suggests:
-------------- next part --------------
--- a/src/scheme/webauthn.c
+++ b/src/scheme/webauthn.c
@@ -1530,7 +1530,7 @@
gnutls_pubkey_t pubkey = NULL;
gnutls_x509_crt_t cert = NULL;
gnutls_datum_t cert_dat, data, signature, cert_issued_by;
- unsigned char data_signed[200], client_data_hash[32], cert_export[32], cert_export_b64[64];
+ unsigned char * data_signed = NULL, client_data_hash[32], cert_export[32], cert_export_b64[64];
size_t data_signed_offset = 0, client_data_hash_len = 32, cert_export_len = 32, cert_export_b64_len = 0;
if (j_error != NULL) {
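Review bot: In the changed declaration, data_signed is now a pointer declared in the same statement as three fixed-size arrays (`unsigned char * data_signed = NULL, client_data_hash[32], ...`), which is easy to misread. Give it its own line, `unsigned char * data_signed = NULL;`. Keep the NULL initializer: the patch frees the pointer after the do/while block, and a break above the allocation reaches that free with the pointer still unset.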
@@ -1619,6 +1619,12 @@
break;
}
+ if ((data_signed = o_malloc(rpid_hash_len+client_data_hash_len+credential_id_len+cert_x_len+cert_y_len+2)) == NULL) {
+ y_log_message(Y_LOG_LEVEL_DEBUG, "check_attestation_fido_u2f - Error allocating data_signed");
+ json_array_append_new(j_error, json_string("Internal error"));
+ break;
+ }
+
// Build bytestring to verify signature
data_signed[0] = 0x0;
data_signed_offset = 1;
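Review bot: The size passed to o_malloc is the unchecked sum of five lengths plus a bare `+2`, and the allocation failure is logged at Y_LOG_LEVEL_DEBUG. Only one of the two extra bytes is accounted for in the visible lines (`data_signed[0] = 0x0`), so add a comment naming both. If any of these lengths is taken from the registration request, reject values above a sane maximum before allocating. Log the failure at Y_LOG_LEVEL_ERROR, since a failed allocation on this path should show up in production logs.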
@@ -1653,6 +1659,7 @@
}
} while (0);
+ o_free(data_signed);
if (json_array_size(j_error)) {
j_return = json_pack("{sisO}", "result", G_ERROR_PARAM, "error", j_error);
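Review bot: The `o_free(data_signed)` after `} while (0);` only covers paths that leave the block with `break`. The visible exits do, but confirm that nothing inside the do block returns directly, or the buffer leaks. The call is also reached when the allocation never ran, so it relies on the pointer being NULL-initialized and on o_free accepting NULL.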