Hi Nicolas,

On Tue, Sep 07, 2021 at 10:05:08AM -0400, Nicolas Mora wrote:
> Package: glewlwyd
> Version: 2.5.2-2
> Severity: important
> Tags: patch security
> X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
>
> -- System Information:
> Debian Release: 11.0
> APT prefers stable-security
> APT policy: (500, 'stable-security'), (500, 'proposed-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
> Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages glewlwyd depends on:
> ii dbconfig-pgsql 2.0.19
> ii debconf [debconf-2.0] 1.5.77
> pn glewlwyd-common <none>
> ii init-system-helpers 1.60
> ii libc6 2.31-13
> ii libcbor0 0.5.0+dfsg-2
> ii libconfig9 1.5-0.4
> ii libcrypt1 1:4.4.18-4
> ii libgnutls30 3.7.1-5
> pn libhoel1.4 <none>
> pn libiddawc0.9 <none>
> ii libjansson4 2.13.1-1.1
> ii libldap-2.4-2 2.4.57+dfsg-3
> ii libnettle8 3.7.3-1
> ii liboath0 2.6.6-3
> pn liborcania2.1 <none>
> pn librhonabwy0.9 <none>
> pn libulfius2.7 <none>
> pn libyder2.0 <none>
> ii lsb-base 11.1.0
> ii sqlite3 3.34.1-3
> ii ucf 3.0043
> ii zlib1g 1:1.2.11.dfsg-2
>
> glewlwyd recommends no packages.
>
> Versions of packages glewlwyd suggests:
> --- a/src/scheme/webauthn.c > +++ b/src/scheme/webauthn.c > @@ -1530,7 +1530,7 @@ > gnutls_pubkey_t pubkey = NULL; > gnutls_x509_crt_t cert = NULL; > gnutls_datum_t cert_dat, data, signature, cert_issued_by; > - unsigned char data_signed[200], client_data_hash[32], cert_export[32], > cert_export_b64[64]; > + unsigned char * data_signed = NULL, client_data_hash[32], cert_export[32], > cert_export_b64[64]; > size_t data_signed_offset = 0, client_data_hash_len = 32, cert_export_len > = 32, cert_export_b64_len = 0; > > if (j_error != NULL) { > @@ -1619,6 +1619,12 @@ > break; > } > > + if ((data_signed = > o_malloc(rpid_hash_len+client_data_hash_len+credential_id_len+cert_x_len+cert_y_len+2)) > == NULL) { > + y_log_message(Y_LOG_LEVEL_DEBUG, "check_attestation_fido_u2f - Error > allocating data_signed"); > + json_array_append_new(j_error, json_string("Internal error")); > + break; > + } > + > // Build bytestring to verify signature > data_signed[0] = 0x0; > data_signed_offset = 1; > @@ -1653,6 +1659,7 @@ > } > > } while (0); > + o_free(data_signed); > > if (json_array_size(j_error)) { > j_return = json_pack("{sisO}", "result", G_ERROR_PARAM, "error", > j_error); Can you report the issue upstream? Regards, Salvatore
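Review bot: In the declaration hunk (@@ -1530,7 +1530,7 @@), only data_signed stops being a fixed-size stack array; client_data_hash[32], cert_export[32] and cert_export_b64[64] stay fixed on the same line, paired with client_data_hash_len = 32, cert_export_len = 32 and cert_export_b64_len = 0. Please confirm that every write into those three buffers is bounded by its declared size, and say so in the commit message, so the reader can tell that the former 200-byte buffer was the only one whose contents could exceed its capacity.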
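Review bot: In the allocation hunk (@@ -1619,6 +1619,12 @@), the buffer size is computed inline inside the o_malloc() call and then discarded, so the writes that follow, starting at data_signed[0] = 0x0 with data_signed_offset = 1, have no stored capacity to check the offset against. Suggest keeping the sum in a size_t (for example a new data_signed_len), rejecting component lengths above a sane maximum before adding them so the sum cannot wrap, and adding a comment that names the two bytes covered by the trailing +2. The allocation failure is also logged at Y_LOG_LEVEL_DEBUG; Y_LOG_LEVEL_ERROR would keep it visible when debug logging is off.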