Version in base suite: 4.2.1-1 Base version: node-browserify-sign_4.2.1-1 Target version: node-browserify-sign_4.2.1-1+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-browserify-sign/node-browserify-sign_4.2.1-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-browserify-sign/node-browserify-sign_4.2.1-1+deb11u1.dsc changelog | 8 +++++ patches/CVE-2023-46234.patch | 68 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 salsa-ci.yml | 2 + 4 files changed, 79 insertions(+)
diff -Nru node-browserify-sign-4.2.1/debian/changelog node-browserify-sign-4.2.1/debian/changelog
--- node-browserify-sign-4.2.1/debian/changelog 2020-12-19 11:51:39.000000000 +0000
+++ node-browserify-sign-4.2.1/debian/changelog 2023-10-30 02:52:31.000000000 +0000
@@ -1,3 +1,11 @@
+node-browserify-sign (4.2.1-1+deb11u1) bullseye-security; urgency=high
+
+ * Team upload
+ * Properly check the upper bound for DSA signatures
+ (Closes: #1054667, CVE-2023-46234)
+
+ -- Yadd Mon, 30 Oct 2023 06:52:31 +0400
+
 node-browserify-sign (4.2.1-1) unstable; urgency=medium
 
 * Team upload
diff -Nru node-browserify-sign-4.2.1/debian/patches/CVE-2023-46234.patch node-browserify-sign-4.2.1/debian/patches/CVE-2023-46234.patch
--- node-browserify-sign-4.2.1/debian/patches/CVE-2023-46234.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-browserify-sign-4.2.1/debian/patches/CVE-2023-46234.patch 2023-10-30 02:49:45.000000000 +0000
@@ -0,0 +1,68 @@
+Description: properly check the upper bound for DSA signatures
+Author: roadicing
+Origin: upstream, https://github.com/browserify/browserify-sign/commit/85994cd6
+Bug: https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw
+Bug-Debian: https://bugs.debian.org/1054667
+Forwarded: not-needed
+Applied-Upstream: 4.2.2, commit: 85994cd6
+Reviewed-By: Yadd
+Last-Update: 2023-10-28
+
+--- a/browser/verify.js
++++ b/browser/verify.js
+@@ -78,7 +78,7 @@
+
+ function checkValue (b, q) {
+ if (b.cmpn(0) <= 0) throw new Error('invalid sig')
+- if (b.cmp(q) >= q) throw new Error('invalid sig')
++ if (b.cmp(q) >= 0) throw new Error('invalid sig')
+ }
+
+ module.exports = verify
+--- a/test/index.js
++++ b/test/index.js
+@@ -4,6 +4,8 @@
+ var nCrypto = require('crypto')
+ var bCrypto = require('../browser')
+ var fixtures = require('./fixtures')
++var BN = require('bn.js')
++var parseKeys = require('parse-asn1')
+
+ function isNode10 () {
+ return parseInt(process.version.split('.')[1], 10) <= 10
+@@ -100,6 +102,35 @@
+ t.end()
+ })
+ }
++
++ var s = parseKeys(pub).data.q;
++ test(
++ f.message + ' against a fake signature',
++ { skip: !s || '(this test only applies to DSA signatures and not EC signatures, this is ' + f.scheme + ')' },
++ function (t) {
++ var messageBase64 = Buffer.from(f.message, 'base64');
++
++ // forge a fake signature
++ var r = new BN('1');
++
++ try {
++ var fakeSig = asn1.signature.encode({ r: r, s: s }, 'der');
++ } catch (e) {
++ t.ifError(e);
++ t.end();
++ return;
++ }
++
++ var bVer = bCrypto.createVerify(f.scheme);
++ t['throws'](
++ function () { bVer.update(messageBase64).verify(pub, fakeSig); },
++ Error,
++ 'fake signature is invalid'
++ );
++
++ t.end();
++ }
++ );
+ })
+
+ fixtures.valid.kvectors.forEach(function (f) {
diff -Nru node-browserify-sign-4.2.1/debian/patches/series node-browserify-sign-4.2.1/debian/patches/series
--- node-browserify-sign-4.2.1/debian/patches/series 1970-01-01
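Review bot: The `skip` option on the new forged-signature test, `{ skip: !s || '(this test only applies ...)' }`, is truthy for every fixture — when the key has a `q`, `!s` is false and the expression yields the reason string — so under tape's skip-if-truthy semantics the regression test for the `>= 0` fix appears never to execute. Changing it to `{ skip: !s && '(this test only applies to DSA signatures and not EC signatures, this is ' + f.scheme + ')' }` skips only when `q` is absent. Once it actually runs, a second forged signature with `s = new BN('0')` exercised the same way would also pin the lower-bound check on the line above the fixed one in `checkValue`. `asn1.signature.encode` is used without a new `require` in this hunk, so `asn1` is presumably already in scope earlier in test/index.js; the enclosing `forEach` callback starts outside the hunk.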
00:00:00.000000000 +0000
+++ node-browserify-sign-4.2.1/debian/patches/series 2023-10-30 02:49:45.000000000 +0000
@@ -0,0 +1 @@
+CVE-2023-46234.patch
diff -Nru node-browserify-sign-4.2.1/debian/salsa-ci.yml node-browserify-sign-4.2.1/debian/salsa-ci.yml
--- node-browserify-sign-4.2.1/debian/salsa-ci.yml 2020-12-19 11:43:47.000000000 +0000
+++ node-browserify-sign-4.2.1/debian/salsa-ci.yml 2023-10-30 02:49:45.000000000 +0000
@@ -1,4 +1,6 @@
 ---
+variables:
+ RELEASE: 'bullseye'
 include:
 - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
 - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml