Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
The attached debdiff file fixes 2 bugs:
  - jwe cbc tag computation error
  - jws alg:none signature verification issue

[ Tests ]
The tests are updated by the debdiff file

[ Risks ]
The jws alg:none signature verification issue might lead to incorrect token verification, while the jwe cbc tag computation error leads to incorrect token decryption

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable
diff -Nru rhonabwy-0.9.13/debian/changelog rhonabwy-0.9.13/debian/changelog --- rhonabwy-0.9.13/debian/changelog 2021-02-09 07:33:21.000000000 -0500 +++ rhonabwy-0.9.13/debian/changelog 2021-09-22 07:29:46.000000000 -0400 @@ -1,3 +1,11 @@ +rhonabwy (0.9.13-3+deb11u1) bullseye; urgency=medium + + * d/patches/bugfixes: apply upstream bugfixes + jwe cbc tag computation error + jws alg:none signature verification issue + + -- Nicolas Mora <babelou...@debian.org> Wed, 22 Sep 2021 07:29:46 -0400 + rhonabwy (0.9.13-3) unstable; urgency=medium * Fix r_library_info_json_t output diff -Nru rhonabwy-0.9.13/debian/patches/bugfixes.patch rhonabwy-0.9.13/debian/patches/bugfixes.patch --- rhonabwy-0.9.13/debian/patches/bugfixes.patch 1969-12-31 19:00:00.000000000 -0500 +++ rhonabwy-0.9.13/debian/patches/bugfixes.patch 2021-09-22 07:29:46.000000000 -0400 
@@ -0,0 +1,37 @@ +Description: Fix jwe cbc tag computation and jws alg:none signature verification +Author: Nicolas Mora <babelou...@debian.org> +Forwarded: not-needed +--- a/src/jwe.c ++++ b/src/jwe.c +@@ -450,7 +450,7 @@ + memcpy(compute_hmac+hmac_size, al, 8); + hmac_size += 8; + +- if (!(res = gnutls_hmac_fast(mac, jwe->key, 16, compute_hmac, hmac_size, tag))) { ++ if (!(res = gnutls_hmac_fast(mac, jwe->key, jwe->key_len/2, compute_hmac, hmac_size, tag))) { + *tag_len = gnutls_hmac_get_len(mac)/2; + ret = RHN_OK; + } else { +--- a/src/jws.c ++++ b/src/jws.c +@@ -1268,9 +1268,6 @@ + case R_JWA_ALG_ES256K: + ret = RHN_ERROR_UNSUPPORTED; + break; +- case R_JWA_ALG_NONE: +- ret = RHN_OK; +- break; + default: + ret = RHN_ERROR_INVALID; + break; +--- a/test/jws_core.c ++++ b/test/jws_core.c +@@ -496,7 +496,7 @@ + ck_assert_ptr_ne((token = r_jws_serialize(jws_sign, NULL, 0)), NULL); + + ck_assert_int_eq(r_jws_parse(jws_verify, token, 0), RHN_OK); +- ck_assert_int_eq(r_jws_verify_signature(jws_verify, NULL, 0), RHN_OK); ++ ck_assert_int_eq(r_jws_verify_signature(jws_verify, NULL, 0), RHN_ERROR_INVALID); + o_free(token); + + r_jws_free(jws_sign); diff -Nru rhonabwy-0.9.13/debian/patches/series rhonabwy-0.9.13/debian/patches/series --- rhonabwy-0.9.13/debian/patches/series 2021-02-09 07:33:21.000000000 -0500 +++ rhonabwy-0.9.13/debian/patches/series 2021-09-22 07:29:46.000000000 -0400 @@ -1,2 +1,3 @@ library_info.patch disable_test_rhonabwy_generate_key_pair.patch +bugfixes.patch
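Review bot: the changelog entry for 0.9.13-3+deb11u1 says "apply upstream bugfixes" but names neither the upstream commit nor the upstream release that carries them, and the new bugfixes.patch is headed "Author: Nicolas Mora" with "Forwarded: not-needed", which reads as a Debian-local change rather than a backport. Adding an Origin: line with the upstream reference (and mentioning it in the changelog) would let the release team cross-check the "verified as fixed in unstable" checklist item against the actual upstream code.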
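Review bot: in the src/jwe.c hunk the HMAC key length passed to gnutls_hmac_fast() changes from a hard-coded 16 to jwe->key_len/2, which is what the AES_CBC_HMAC_SHA2 family needs (the MAC key is the first half of the content encryption key, so 16 was only right for A128CBC-HS256 and wrong for A192CBC-HS384 and A256CBC-HS512), and it pairs with the existing `*tag_len = gnutls_hmac_get_len(mac)/2;` truncation. What the hunk does not show is a check that jwe->key_len matches the expected CEK size for the selected algorithm; if that validation happens earlier, fine, otherwise an undersized key would silently produce a MAC under a too-short key instead of an error, so please confirm. Also, the debdiff touches only test/jws_core.c: a JWE test that decrypts an A192CBC-HS384 or A256CBC-HS512 token would lock this fix in and back the "[ Tests ]" statement for both bugs.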
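Review bot: in the src/jws.c hunk, deleting `case R_JWA_ALG_NONE: ret = RHN_OK; break;` makes alg:none fall through to `default: ret = RHN_ERROR_INVALID;`, so an unsigned token can no longer pass r_jws_verify_signature(). Rejecting by omission is fragile; keeping an explicit `case R_JWA_ALG_NONE: ret = RHN_ERROR_INVALID; break;` (with a one-line comment that "none" is never accepted on verification) documents the intent in the switch and survives any later change to the default branch.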
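Review bot: the test/jws_core.c hunk flips the expected result of r_jws_verify_signature(jws_verify, NULL, 0) from RHN_OK to RHN_ERROR_INVALID, which matches the jws.c change, but the surrounding context does not show which test case this belongs to. Please confirm it is the alg:none case rather than a helper shared with signed algorithms, and consider a short comment on the assertion saying that a token serialized with alg "none" must fail verification, so the expectation is not "fixed" back to RHN_OK by a future contributor.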