[Pkg-javascript-devel] Bug#1054667: Bug#1054667: node-browserify-sign: CVE-2023-46234
Yadd
yadd at debian.org
Sat Oct 28 09:05:25 BST 2023
On 10/27/23 20:20, Moritz Mühlenhoff wrote:
> Source: node-browserify-sign
> X-Debbugs-CC: team at security.debian.org
> Severity: grave
> Tags: security
>
> Hi,
>
> The following vulnerability was published for node-browserify-sign.
>
> CVE-2023-46234[0]:
> | browserify-sign is a package to duplicate the functionality of
> | node's crypto public key functions, much of this is based on Fedor
> | Indutny's work on indutny/tls.js. An upper bound check issue in
> | `dsaVerify` function allows an attacker to construct signatures that
> | can be successfully verified by any public key, thus leading to a
> | signature forgery attack. All places in this project that involve
> | DSA verification of user-input signatures will be affected by this
> | vulnerability. This issue has been patched in version 4.2.2.
>
> https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw
> https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2023-46234
> https://www.cve.org/CVERecord?id=CVE-2023-46234
>
> Please adjust the affected versions in the BTS as needed.
Hi,
Please find attached the debdiff for Bookworm.
Kind regards,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 5e3404f..c421503 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-browserify-sign (4.2.1-3+deb12u1) bookworm-security; urgency=high
+
+ * Team upload
+ * Properly check the upper bound for DSA signatures (Closes: #1054667, CVE-2023-46234)
+
+ -- Yadd <yadd at debian.org> Sat, 28 Oct 2023 12:03:04 +0400
+
node-browserify-sign (4.2.1-3) unstable; urgency=medium
* Team upload
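Review bot: in `* Properly check the upper bound for DSA signatures (Closes: #1054667, CVE-2023-46234)` the CVE id sits inside the Closes parenthesis; the Closes parser stops at the first non-numeric token, so #1054667 is still picked up and the security tracker only needs the CVE string to appear somewhere in the entry, but the conventional form is `CVE-2023-46234 (Closes: #1054667)` or `(Closes: #1054667) (CVE-2023-46234)`. Target `bookworm-security`, `urgency=high` and the `+deb12u1` version suffix are the right choices for a stable security update.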
diff --git a/debian/patches/CVE-2023-46234.patch b/debian/patches/CVE-2023-46234.patch
new file mode 100644
index 0000000..152fd72
--- /dev/null
+++ b/debian/patches/CVE-2023-46234.patch
@@ -0,0 +1,68 @@
+Description: properly check the upper bound for DSA signatures
+Author: roadicing <roadicing at gmail.com>
+Origin: upstream, https://github.com/browserify/browserify-sign/commit/85994cd6
+Bug: https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw
+Bug-Debian: https://bugs.debian.org/1054667
+Forwarded: not-needed
+Applied-Upstream: 4.2.2, commit: 85994cd6
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2023-10-28
+
+--- a/browser/verify.js
++++ b/browser/verify.js
+@@ -78,7 +78,7 @@
+
+ function checkValue (b, q) {
+ if (b.cmpn(0) <= 0) throw new Error('invalid sig')
+- if (b.cmp(q) >= q) throw new Error('invalid sig')
++ if (b.cmp(q) >= 0) throw new Error('invalid sig')
+ }
+
+ module.exports = verify
+--- a/test/index.js
++++ b/test/index.js
+@@ -4,6 +4,8 @@
+ var nCrypto = require('crypto')
+ var bCrypto = require('../browser')
+ var fixtures = require('./fixtures')
++var BN = require('bn.js')
++var parseKeys = require('parse-asn1')
+
+ function isNode10 () {
+ return parseInt(process.version.split('.')[1], 10) <= 10
+@@ -100,6 +102,35 @@
+ t.end()
+ })
+ }
++
++ var s = parseKeys(pub).data.q;
++ test(
++ f.message + ' against a fake signature',
++ { skip: !s || '(this test only applies to DSA signatures and not EC signatures, this is ' + f.scheme + ')' },
++ function (t) {
++ var messageBase64 = Buffer.from(f.message, 'base64');
++
++ // forge a fake signature
++ var r = new BN('1');
++
++ try {
++ var fakeSig = asn1.signature.encode({ r: r, s: s }, 'der');
++ } catch (e) {
++ t.ifError(e);
++ t.end();
++ return;
++ }
++
++ var bVer = bCrypto.createVerify(f.scheme);
++ t['throws'](
++ function () { bVer.update(messageBase64).verify(pub, fakeSig); },
++ Error,
++ 'fake signature is invalid'
++ );
++
++ t.end();
++ }
++ );
+ })
+
+ fixtures.valid.kvectors.forEach(function (f) {
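Review bot: the one-line fix `- if (b.cmp(q) >= q)` / `+ if (b.cmp(q) >= 0)` is correct: `cmp` returns -1, 0 or 1, so comparing that against the BN object `q` coerced `q` to a number and the upper-bound branch could never be taken, which is exactly what allowed `s = q` (or any larger value) through; the new comparison rejects every `b >= q`, giving the required `0 < r < q` and `0 < s < q`. Two checks on the test hunk: it calls `asn1.signature.encode({ r: r, s: s }, 'der')`, but neither this hunk nor the visible requires introduce `asn1`, so confirm `test/index.js` already requires it above line 4, otherwise the new test fails with a ReferenceError instead of exercising the fix; and the forged signature only probes the boundary `s = q` with `r = 1`, so a second case with `s > q` or `r = q` would cover the other side of the corrected comparison. The new `bn.js` and `parse-asn1` requires are existing runtime dependencies of browserify-sign, so no Build-Depends change should be needed, but the test run in debian/rules is worth re-checking since the hunk is taken as-is from upstream (per the Origin header).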
diff --git a/debian/patches/series b/debian/patches/series
index 8aafdeb..86ff972 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
drop-rmd160-support.patch
+CVE-2023-46234.patch
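Review bot: ordering is fine, CVE-2023-46234.patch is applied after drop-rmd160-support.patch; just make sure its context lines for browser/verify.js and test/index.js were generated against the tree with that earlier patch applied (a `quilt push -a` on the unpacked source confirms it applies without fuzz).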