Version in base suite: 1.0-283-g9d4029a-2
Base version: booth_1.0-283-g9d4029a-2
Target version: booth_1.0-283-g9d4029a-2+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/b/booth/booth_1.0-283-g9d4029a-2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/b/booth/booth_1.0-283-g9d4029a-2+deb12u1.dsc
changelog | 7 +
patches/0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch | 65 ++++++++++
patches/0002-attr-Fix-reading-of-server_reply.patch | 37 +++++
patches/series | 2
4 files changed, 111 insertions(+)
diff -Nru booth-1.0-283-g9d4029a/debian/changelog booth-1.0-283-g9d4029a/debian/changelog
--- booth-1.0-283-g9d4029a/debian/changelog 2023-04-12 20:58:53.000000000 +0000
+++ booth-1.0-283-g9d4029a/debian/changelog 2024-09-24 14:03:44.000000000 +0000
@@ -1,3 +1,10 @@
+booth (1.0-283-g9d4029a-2+deb12u1) bookworm-security; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2024-3049: wrong hmac might be accepted (Closes: #1073249)
+
+ -- Adrian Bunk Tue, 24 Sep 2024 17:03:44 +0300
+
 booth (1.0-283-g9d4029a-2) unstable; urgency=medium

  * d/install: place files in /lib/systemd/system (Closes: #1034211)
diff -Nru booth-1.0-283-g9d4029a/debian/patches/0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch booth-1.0-283-g9d4029a/debian/patches/0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch
--- booth-1.0-283-g9d4029a/debian/patches/0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch 1970-01-01 00:00:00.000000000 +0000
+++ booth-1.0-283-g9d4029a/debian/patches/0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch 2024-09-24 14:02:31.000000000 +0000
@@ -0,0 +1,65 @@
+From e14c1d167f95053b13d56cd1b2e897168418373a Mon Sep 17 00:00:00 2001
+From: Jan Friesse
+Date: Wed, 21 Feb 2024 18:12:28 +0100
+Subject: auth: Check result of gcrypt gcry_md_get_algo_dlen
+
+When unknown hash is passed to gcry_md_get_algo_dlen 0 is returned. This
+value is then used for memcmp so wrong hmac might be accepted as
+correct.
+
+Signed-off-by: Jan Friesse
+---
+ src/auth.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/src/auth.c b/src/auth.c
+index 8f86b9a..a3b3d20 100644
+--- a/src/auth.c
++++ b/src/auth.c
+@@ -28,6 +28,11 @@ int calc_hmac(const void *data, size_t datalen,
+ {
+ static gcry_md_hd_t digest;
+ gcry_error_t err;
++ int hlen;
++
++ hlen = gcry_md_get_algo_dlen(hid);
++ if (!hlen)
++ return -1;
+
+ if (!digest) {
+ err = gcry_md_open(&digest, hid, GCRY_MD_FLAG_HMAC);
+@@ -42,7 +47,7 @@ int calc_hmac(const void *data, size_t datalen,
+ }
+ }
+ gcry_md_write(digest, data, datalen);
+- memcpy(result, gcry_md_read(digest, 0), gcry_md_get_algo_dlen(hid));
++ memcpy(result, gcry_md_read(digest, 0), hlen);
+ gcry_md_reset(digest);
+ return 0;
+ }
+@@ -54,15 +59,20 @@ int verify_hmac(const void *data, size_t datalen,
+ {
+ unsigned char *our_hmac;
+ int rc;
++ int hlen;
++
++ hlen = gcry_md_get_algo_dlen(hid);
++ if (!hlen)
++ return -1;
+
+- our_hmac = malloc(gcry_md_get_algo_dlen(hid));
++ our_hmac = malloc(hlen);
+ if (!our_hmac)
+ return -1;
+
+ rc = calc_hmac(data, datalen, hid, our_hmac, key, keylen);
+ if (rc)
+ goto out_free;
+- rc = memcmp(our_hmac, hmac, gcry_md_get_algo_dlen(hid));
++ rc = memcmp(our_hmac, hmac, hlen);
+
+ out_free:
+ if (our_hmac)
+--
+2.30.2
+
diff -Nru booth-1.0-283-g9d4029a/debian/patches/0002-attr-Fix-reading-of-server_reply.patch booth-1.0-283-g9d4029a/debian/patches/0002-attr-Fix-reading-of-server_reply.patch
--- booth-1.0-283-g9d4029a/debian/patches/0002-attr-Fix-reading-of-server_reply.patch 1970-01-01 00:00:00.000000000 +0000
+++
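Review bot: The tag comparison kept on the new side of the verify_hmac hunk, `rc = memcmp(our_hmac, hmac, hlen);`, is not constant-time, so a peer that can submit messages to verify_hmac can learn from response timing how many leading bytes of its forged tag matched; the zero-length guard the patch adds is correct but leaves that in place. libgcrypt exposes no public constant-time compare, so a small helper that ORs the XOR of every byte and is only tested against zero is the usual fix, shown below; callers that already treat any non-zero rc as a mismatch are unaffected. A second thing worth a comment: calc_hmac keeps a static digest opened with the first hid it was given, but the new code derives hlen from the hid of the current call, so if callers can ever pass a different hid the memcpy reads hlen bytes from a digest of another algorithm — I cannot tell from the hunk whether hid varies. Both calc_hmac and verify_hmac begin and end outside the hunk.
```c
/* Compare n bytes in time independent of where (or whether) they differ. */
static int ct_memcmp(const void *a, const void *b, size_t n)
{
	const unsigned char *pa = a, *pb = b;
	unsigned char diff = 0;
	size_t i;

	for (i = 0; i < n; i++)
		diff |= pa[i] ^ pb[i];
	return diff != 0;
}

/* … unchanged: calc_hmac and the start of verify_hmac … */
	rc = ct_memcmp(our_hmac, hmac, hlen);
```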
booth-1.0-283-g9d4029a/debian/patches/0002-attr-Fix-reading-of-server_reply.patch 2024-09-24 14:02:31.000000000 +0000
@@ -0,0 +1,37 @@
+From d4541f2845553843b7db852ea8e0c334d56c2a01 Mon Sep 17 00:00:00 2001
+From: Jan Friesse
+Date: Wed, 21 Feb 2024 17:40:11 +0100
+Subject: attr: Fix reading of server_reply
+
+read_server_reply first reads boothc header and then rest of packet
+which contains hmac info. This should go in memory right after
+boothc_header and not after full length of packet, because full length
+of packet already contains hmac info.
+
+Solution is to simply use length of header and not length of packet.
+
+Longer term and better solution would be to drop read_server_reply
+completely and use recv_auth which is used for everything else but attr
+set and delete.
+
+Signed-off-by: Jan Friesse
+---
+ src/attr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/attr.c b/src/attr.c
+index 09c15bc..e615c33 100644
+--- a/src/attr.c
++++ b/src/attr.c
+@@ -142,7 +142,7 @@ static int read_server_reply(
+ return -2;
+ }
+ len = ntohl(header->length);
+- rv = tpt->recv(site, msg+len, len-sizeof(*header));
++ rv = tpt->recv(site, msg+sizeof(*header), len-sizeof(*header));
+ if (rv < 0) {
+ return -1;
+ }
+--
+2.30.2
+
diff -Nru booth-1.0-283-g9d4029a/debian/patches/series booth-1.0-283-g9d4029a/debian/patches/series
--- booth-1.0-283-g9d4029a/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ booth-1.0-283-g9d4029a/debian/patches/series 2024-09-24 14:03:44.000000000 +0000
@@ -0,0 +1,2 @@
+0001-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch
+0002-attr-Fix-reading-of-server_reply.patch
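Review bot: `len` on the `len = ntohl(header->length);` line comes straight from the wire, and nothing in the hunk bounds it before `len-sizeof(*header)` is handed to `tpt->recv` as the byte count on the new line: a reply whose length field is smaller than the header makes that subtraction wrap to a huge size_t (and a signed `len` would promote to unsigned the same way), and a length larger than the `msg` buffer overruns it, so correcting the destination offset does not by itself make the read safe. A guard right after the ntohl, `if (len < sizeof(*header) || len > /* capacity of msg */) return -2;`, closes both cases unless read_server_reply already validates the length somewhere I cannot see — its body begins and ends outside the hunk. The commit message's own longer-term suggestion, routing attr set/delete through recv_auth like every other path, would presumably also remove this hand-written receive.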