Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP2:GA
booth
booth-CVE-2024-3049.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File booth-CVE-2024-3049.patch of Package booth
From 43eaf0e82b1475a6a5322881cbd8260b6c3f5ef8 Mon Sep 17 00:00:00 2001 From: Jan Friesse <jfriesse@redhat.com> Date: Wed, 21 Feb 2024 17:40:11 +0100 Subject: [PATCH 1/2] attr: Fix reading of server_reply read_server_reply first reads boothc header and then rest of packet which contains hmac info. This should go in memory right after boothc_header and not after full length of packet, because full length of packet already contains hmac info. Solution is to simply use length of header and not length of packet. Longer term and better solution would be to drop read_server_reply completely and use recv_auth which is used for everything else but attr set and delete. Signed-off-by: Jan Friesse <jfriesse@redhat.com> --- src/attr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/attr.c b/src/attr.c index 44061e35..bc154f04 100644 --- a/src/attr.c +++ b/src/attr.c @@ -142,7 +142,7 @@ static int read_server_reply( return -2; } len = ntohl(header->length); - rv = tpt->recv(site, msg+len, len-sizeof(*header)); + rv = tpt->recv(site, msg+sizeof(*header), len-sizeof(*header)); if (rv < 0) { return -1; } From 98b4284d1701f2efec278b51f151314148bfe70e Mon Sep 17 00:00:00 2001 From: Jan Friesse <jfriesse@redhat.com> Date: Wed, 21 Feb 2024 18:12:28 +0100 Subject: [PATCH 2/2] auth: Check result of gcrypt gcry_md_get_algo_dlen When unknown hash is passed to gcry_md_get_algo_dlen 0 is returned. This value is then used for memcmp so wrong hmac might be accepted as correct. Signed-off-by: Jan Friesse <jfriesse@redhat.com> --- src/auth.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/src/auth.c b/src/auth.c index 8f86b9ab..a3b3d20b 100644 --- a/src/auth.c +++ b/src/auth.c @@ -28,6 +28,11 @@ int calc_hmac(const void *data, size_t datalen, { static gcry_md_hd_t digest; gcry_error_t err; + int hlen; + + hlen = gcry_md_get_algo_dlen(hid); + if (!hlen) + return -1; if (!digest) { err = gcry_md_open(&digest, hid, GCRY_MD_FLAG_HMAC); @@ -42,7 +47,7 @@ int calc_hmac(const void *data, size_t datalen, } } gcry_md_write(digest, data, datalen); - memcpy(result, gcry_md_read(digest, 0), gcry_md_get_algo_dlen(hid)); + memcpy(result, gcry_md_read(digest, 0), hlen); gcry_md_reset(digest); return 0; } @@ -54,15 +59,20 @@ int verify_hmac(const void *data, size_t datalen, { unsigned char *our_hmac; int rc; + int hlen; + + hlen = gcry_md_get_algo_dlen(hid); + if (!hlen) + return -1; - our_hmac = malloc(gcry_md_get_algo_dlen(hid)); + our_hmac = malloc(hlen); if (!our_hmac) return -1; rc = calc_hmac(data, datalen, hid, our_hmac, key, keylen); if (rc) goto out_free; - rc = memcmp(our_hmac, hmac, gcry_md_get_algo_dlen(hid)); + rc = memcmp(our_hmac, hmac, hlen); out_free: if (our_hmac)
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor