[Debian-iot-maintainers] Bug#993867: glewlwyd: possible buffer overflow on webauthn registration

Salvatore Bonaccorso carnil at debian.org
Tue Sep 7 17:19:54 BST 2021


Hi Nicolas,

On Tue, Sep 07, 2021 at 10:05:08AM -0400, Nicolas Mora wrote:
> Package: glewlwyd
> Version: 2.5.2-2
> Severity: important
> Tags: patch security
> X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
> 
> 
> 
> 
> -- System Information:
> Debian Release: 11.0
>   APT prefers stable-security
>   APT policy: (500, 'stable-security'), (500, 'proposed-updates'), (500,
> 'stable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
> Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not
> set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
> 
> Versions of packages glewlwyd depends on:
> ii  dbconfig-pgsql         2.0.19
> ii  debconf [debconf-2.0]  1.5.77
> pn  glewlwyd-common        <none>
> ii  init-system-helpers    1.60
> ii  libc6                  2.31-13
> ii  libcbor0               0.5.0+dfsg-2
> ii  libconfig9             1.5-0.4
> ii  libcrypt1              1:4.4.18-4
> ii  libgnutls30            3.7.1-5
> pn  libhoel1.4             <none>
> pn  libiddawc0.9           <none>
> ii  libjansson4            2.13.1-1.1
> ii  libldap-2.4-2          2.4.57+dfsg-3
> ii  libnettle8             3.7.3-1
> ii  liboath0               2.6.6-3
> pn  liborcania2.1          <none>
> pn  librhonabwy0.9         <none>
> pn  libulfius2.7           <none>
> pn  libyder2.0             <none>
> ii  lsb-base               11.1.0
> ii  sqlite3                3.34.1-3
> ii  ucf                    3.0043
> ii  zlib1g                 1:1.2.11.dfsg-2
> 
> glewlwyd recommends no packages.
> 
> Versions of packages glewlwyd suggests:

> --- a/src/scheme/webauthn.c
> +++ b/src/scheme/webauthn.c
> @@ -1530,7 +1530,7 @@
>    gnutls_pubkey_t pubkey = NULL;
>    gnutls_x509_crt_t cert = NULL;
>    gnutls_datum_t cert_dat, data, signature, cert_issued_by;
> -  unsigned char data_signed[200], client_data_hash[32], cert_export[32], cert_export_b64[64];
> +  unsigned char * data_signed = NULL, client_data_hash[32], cert_export[32], cert_export_b64[64];
>    size_t data_signed_offset = 0, client_data_hash_len = 32, cert_export_len = 32, cert_export_b64_len = 0;
>    
>    if (j_error != NULL) {
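Review bot: In the changed declaration, the new pointer `data_signed` shares one line with three fixed-size arrays, which makes it easy to miss that it is the only heap-backed buffer and that its `= NULL` initialiser is load-bearing for the later `o_free`. Consider declaring it on its own line with a short comment saying so. The buffers left on the stack (`client_data_hash[32]`, `cert_export[32]`, `cert_export_b64[64]`) keep their fixed sizes, so it is worth confirming in the same review that every write into them is bounded by the matching `_len` variable, since the overflow fixed here came from the same pattern with `data_signed[200]`.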
> @@ -1619,6 +1619,12 @@
>          break;
>        }
>        
> +      if ((data_signed = o_malloc(rpid_hash_len+client_data_hash_len+credential_id_len+cert_x_len+cert_y_len+2)) == NULL) {
> +        y_log_message(Y_LOG_LEVEL_DEBUG, "check_attestation_fido_u2f - Error allocating data_signed");
> +        json_array_append_new(j_error, json_string("Internal error"));
> +        break;
> +      }
> +
>        // Build bytestring to verify signature
>        data_signed[0] = 0x0;
>        data_signed_offset = 1;
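Review bot: The size passed to `o_malloc` is an unchecked sum of five length values plus an unexplained constant `2`, and nothing visible in this hunk ties the later writes at `data_signed_offset` to that same total. I would compute the sum once into a named `size_t` (rejecting the request if any operand exceeds a sane maximum or the addition wraps), add a comment stating which two single bytes the `+2` accounts for, and check that `data_signed_offset` never passes the total before each copy. Separately, an allocation failure is logged at `Y_LOG_LEVEL_DEBUG`; an error level would be more appropriate so the failure shows up in production logs.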
> @@ -1653,6 +1659,7 @@
>        }
>        
>      } while (0);
> +    o_free(data_signed);
>      
>      if (json_array_size(j_error)) {
>        j_return = json_pack("{sisO}", "result", G_ERROR_PARAM, "error", j_error);
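Review bot: The `o_free(data_signed)` placed after `} while (0);` is reached by every `break`, including the ones that fire before the `o_malloc`, so it is only correct because the pointer starts as NULL in the declaration; a one-line comment here would keep a future refactor from dropping that initialiser. Please also confirm that no path between the allocation and this line leaves the function without passing through the free, and consider setting `data_signed = NULL` afterwards since the variable stays in scope while `j_return` is built.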

Can you report the issue upstream?

Regards,
Salvatore


