Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
Fix CVE-2021-40818 in bullseye

[ Reason ]
CVE-2021-40818 allows a malicious user to perform a buffer overflow during a webauthn registration with the FIDO2 protocol.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
The patch changes 'unsigned char data_signed[200]' to 'unsigned char * data_signed = NULL' and allocates the variable with the proper length. The previous code didn't take credential_id_len into account.
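An added illustration, not code from this bug report or from glewlwyd: the FIDO U2F registration signature base that data_signed holds (0x00 || rpIdHash || clientDataHash || credentialId || 0x04 || x || y; the leading 0x00 is the byte the hunk writes at data_signed[0], and the two prefix bytes are what the +2 in the allocation covers), built into a heap buffer sized from its inputs, next to a check showing when the former fixed 200-byte array was too small. It assumes SHA-256 hashes and P-256 coordinates of 32 bytes each and applies WebAuthn's 1023-byte credential ID limit as a sanity cap.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define U2F_HASH_LEN 32          /* SHA-256 rpIdHash / clientDataHash (assumed) */
#define MAX_CREDENTIAL_ID_LEN 1023 /* WebAuthn credential ID limit, used as a cap */
#define LEGACY_STACK_BUF 200     /* size of the removed data_signed[200] array */

/* Length of 0x00 || rpIdHash || clientDataHash || credentialId || 0x04 || x || y. */
size_t u2f_signed_data_len(size_t credential_id_len, size_t x_len, size_t y_len)
{
    return 1 + U2F_HASH_LEN + U2F_HASH_LEN + credential_id_len + 1 + x_len + y_len;
}

/* 1 if a fixed 200-byte buffer would be overrun by these input lengths, else 0. */
int overflows_legacy_buffer(size_t credential_id_len, size_t x_len, size_t y_len)
{
    return u2f_signed_data_len(credential_id_len, x_len, y_len) > LEGACY_STACK_BUF;
}

/* Build the signature base in a heap buffer sized from the inputs.
 * Returns 0 on success, -1 on allocation failure, -2 if credential_id_len
 * exceeds the cap (rejecting it before the length arithmetic). Caller frees *out. */
int build_u2f_signed_data(unsigned char **out, size_t *out_len,
                          const unsigned char rpid_hash[U2F_HASH_LEN],
                          const unsigned char client_data_hash[U2F_HASH_LEN],
                          const unsigned char *credential_id, size_t credential_id_len,
                          const unsigned char *x, size_t x_len,
                          const unsigned char *y, size_t y_len)
{
    if (credential_id_len > MAX_CREDENTIAL_ID_LEN)
        return -2;
    size_t len = u2f_signed_data_len(credential_id_len, x_len, y_len), off = 0;
    unsigned char *buf = malloc(len);
    if (buf == NULL)
        return -1;
    buf[off++] = 0x00;                                      /* reserved byte */
    memcpy(buf + off, rpid_hash, U2F_HASH_LEN);        off += U2F_HASH_LEN;
    memcpy(buf + off, client_data_hash, U2F_HASH_LEN); off += U2F_HASH_LEN;
    memcpy(buf + off, credential_id, credential_id_len); off += credential_id_len;
    buf[off++] = 0x04;                                      /* uncompressed EC point */
    memcpy(buf + off, x, x_len);                         off += x_len;
    memcpy(buf + off, y, y_len);                         off += y_len;
    *out = buf;
    *out_len = off;                                         /* equals len by construction */
    return 0;
}
```

With 32-byte hashes and coordinates the fixed array only had room for a credential ID of up to 70 bytes, which is why the length has to follow credential_id_len.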
diff -Nru glewlwyd-2.5.2/debian/changelog glewlwyd-2.5.2/debian/changelog --- glewlwyd-2.5.2/debian/changelog 2021-03-14 19:32:40.000000000 -0400 +++ glewlwyd-2.5.2/debian/changelog 2021-09-22 08:42:59.000000000 -0400 @@ -1,3 +1,11 @@ +glewlwyd (2.5.2-2+deb11u1) bullseye; urgency=medium + + * d/patches: Fix CVE-2021-40818 + possible buffer overflow during FIDO2 signature validation + in webauthn registration + + -- Nicolas Mora <babelou...@debian.org> Wed, 22 Sep 2021 08:42:59 -0400 + glewlwyd (2.5.2-2) unstable; urgency=medium * Fix postgre database initialization (Closes: #985238) diff -Nru glewlwyd-2.5.2/debian/patches/series glewlwyd-2.5.2/debian/patches/series --- glewlwyd-2.5.2/debian/patches/series 2021-03-14 19:32:40.000000000 -0400 +++ glewlwyd-2.5.2/debian/patches/series 2021-09-22 08:42:59.000000000 -0400 @@ -1 +1,2 @@ #webpack.patch +webauthn.patch diff -Nru glewlwyd-2.5.2/debian/patches/webauthn.patch glewlwyd-2.5.2/debian/patches/webauthn.patch --- glewlwyd-2.5.2/debian/patches/webauthn.patch 1969-12-31 19:00:00.000000000 -0500 +++ glewlwyd-2.5.2/debian/patches/webauthn.patch 2021-09-22 08:42:59.000000000 -0400 
@@ -0,0 +1,35 @@ +Description: Fix buffer overflow +Author: Nicolas Mora <babelou...@debian.org> +Forwarded: not-needed +--- a/src/scheme/webauthn.c ++++ b/src/scheme/webauthn.c +@@ -1530,7 +1530,7 @@ + gnutls_pubkey_t pubkey = NULL; + gnutls_x509_crt_t cert = NULL; + gnutls_datum_t cert_dat, data, signature, cert_issued_by; +- unsigned char data_signed[200], client_data_hash[32], cert_export[32], cert_export_b64[64]; ++ unsigned char * data_signed = NULL, client_data_hash[32], cert_export[32], cert_export_b64[64]; + size_t data_signed_offset = 0, client_data_hash_len = 32, cert_export_len = 32, cert_export_b64_len = 0; + + if (j_error != NULL) { +@@ -1619,6 +1619,12 @@ + break; + } + ++ if ((data_signed = o_malloc(rpid_hash_len+client_data_hash_len+credential_id_len+cert_x_len+cert_y_len+2)) == NULL) { ++ y_log_message(Y_LOG_LEVEL_DEBUG, "check_attestation_fido_u2f - Error allocating data_signed"); ++ json_array_append_new(j_error, json_string("Internal error")); ++ break; ++ } ++ + // Build bytestring to verify signature + data_signed[0] = 0x0; + data_signed_offset = 1; +@@ -1653,6 +1659,7 @@ + } + + } while (0); ++ o_free(data_signed); + + if (json_array_size(j_error)) { + j_return = json_pack("{sisO}", "result", G_ERROR_PARAM, "error", j_error);
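Review bot: the allocation size rpid_hash_len+client_data_hash_len+credential_id_len+cert_x_len+cert_y_len+2 in the @@ -1619 hunk should carry a comment saying what the +2 covers (the 0x0 byte written at data_signed[0] right below it, plus the remaining prefix byte of the byte string built afterwards), otherwise a later change to that byte string can silently drift from the allocation; and since credential_id_len is now the only input-controlled term, a sanity cap on it before this line (or a check that the sum did not wrap) would close the remaining size_t arithmetic concern. A failed o_malloc is also logged at Y_LOG_LEVEL_DEBUG, which seems low for an internal error that aborts registration.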
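Review bot: the unconditional o_free(data_signed) added after the do/while in the @@ -1653 hunk is only safe on the break paths taken before the allocation because the @@ -1530 hunk initialises data_signed to NULL; worth a short comment at the declaration, and worth confirming that o_free() tolerates a NULL argument the way free() does, since the call is not guarded.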