backport CVE-2024-3049

2024-06-11 11:12:49 +08:00 · 2024-06-11 11:12:49 +08:00 · 5829fdad15
commit 5829fdad15
parent bdc2de7135
2 changed files with 89 additions and 1 deletions
--- a/backport-CVE-2024-3049.patch
+++ b/backport-CVE-2024-3049.patch
@ -0,0 +1,80 @@
+From 98b4284d1701f2efec278b51f151314148bfe70e Mon Sep 17 00:00:00 2001
+From: Jan Friesse <jfriesse@redhat.com>
+Date: Wed, 21 Feb 2024 18:12:28 +0100
+Subject: [PATCH] auth: Check result of gcrypt gcry_md_get_algo_dlen
+
+When unknown hash is passed to gcry_md_get_algo_dlen 0 is returned. This
+value is then used for memcmp so wrong hmac might be accepted as
+correct.
+
+Signed-off-by: Jan Friesse <jfriesse@redhat.com>
+
+---
+ src/attr.c |  2 +-
+ src/auth.c | 16 +++++++++++++---
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/src/attr.c b/src/attr.c
+index 44061e3..bc154f0 100644
+--- a/src/attr.c
+++ b/src/attr.c
+@@ -142,7 +142,7 @@ static int read_server_reply(
+ 		return -2;
+ 	}
+ 	len = ntohl(header->length);
+-	rv = tpt->recv(site, msg+len, len-sizeof(*header));
+	rv = tpt->recv(site, msg+sizeof(*header), len-sizeof(*header));
+ 	if (rv < 0) {
+ 		return -1;
+ 	}
+diff --git a/src/auth.c b/src/auth.c
+index 8f86b9a..a3b3d20 100644
+--- a/src/auth.c
+++ b/src/auth.c
+@@ -28,6 +28,11 @@ int calc_hmac(const void *data, size_t datalen,
+ {
+ 	static gcry_md_hd_t digest;
+ 	gcry_error_t err;
+	int hlen;
+
+	hlen = gcry_md_get_algo_dlen(hid);
+	if (!hlen)
+		return -1;
+ 
+ 	if (!digest) {
+ 		err = gcry_md_open(&digest, hid, GCRY_MD_FLAG_HMAC);
+@@ -42,7 +47,7 @@ int calc_hmac(const void *data, size_t datalen,
+ 		}
+ 	}
+ 	gcry_md_write(digest, data, datalen);
+-	memcpy(result, gcry_md_read(digest, 0), gcry_md_get_algo_dlen(hid));
+	memcpy(result, gcry_md_read(digest, 0), hlen);
+ 	gcry_md_reset(digest);
+ 	return 0;
+ }
+@@ -54,15 +59,20 @@ int verify_hmac(const void *data, size_t datalen,
+ {
+ 	unsigned char *our_hmac;
+ 	int rc;
+	int hlen;
+
+	hlen = gcry_md_get_algo_dlen(hid);
+	if (!hlen)
+		return -1;
+ 
+-	our_hmac = malloc(gcry_md_get_algo_dlen(hid));
+	our_hmac = malloc(hlen);
+ 	if (!our_hmac)
+ 		return -1;
+ 
+ 	rc = calc_hmac(data, datalen, hid, our_hmac, key, keylen);
+ 	if (rc)
+ 		goto out_free;
+-	rc = memcmp(our_hmac, hmac, gcry_md_get_algo_dlen(hid));
+	rc = memcmp(our_hmac, hmac, hlen);
+ 
+ out_free:
+ 	if (our_hmac)
+-- 
+2.23.0
+
--- a/booth.spec
+++ b/booth.spec
@ -24,7 +24,7 @@
 %bcond_with run_build_tests
 %bcond_with include_unit_test

-%global release 5
+%global release 6

 ## User and group to use for nonprivileged services (should be in sync with pacemaker)
 %global uname hacluster
@ -53,6 +53,8 @@ Patch1:         pacemaker-Don-t-add-explicit-error-prefix-in-log.patch
 Patch2:         pacemaker-Use-long-format-for-crm_ticket-v.patch
 Patch3:         pacemaker-Check-snprintf-return-values.patch

+Patch3000:      backport-CVE-2024-3049.patch
+
 # direct build process dependencies
 BuildRequires:  autoconf
 BuildRequires:  automake
@ -300,6 +302,12 @@ VERBOSE=1 make check
 %{_usr}/lib/ocf/resource.d/booth/sharedrsc

 %changelog
+* Tue Jun 11 2024 xuchenchen <xuchenchen@kylinos.cn> -1.1-6
+- Type:CVES
+- ID:CVE-2024-3049
+- SUG:NA
+- DESC:fix CVE-2024-3049
+
 * Sun Apr 28 2024 bizhiyuan <bizhiyuan@kylinos.cn> - 1.1-5
 - pacemaker Check snprintf return values