packages/jose
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!6 fix CVE-2023-50967

Browse Source 
From: @licihua 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
This commit is contained in:
openeuler-ci-bot 2024-04-07 08:49:55 +00:00 committed by Gitee
commit 21b586b3cc
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 51 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
back-port-CVE-2023-50967.patch Normal file
View File

@ -0,0 +1,41 @@
From 4ee7708bf6dbfaa712749f081eec1f0d122fa001 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Mon, 1 Apr 2024 12:10:54 +0100
Subject: [PATCH] Fix potential DoS issue with p2c header
Unbounded p2c headers may be used to cause an application that accept
PBES algorithms to spend a lot of resources running PBKDF2 with a very
high number of iterations.
Limit the maximum number of iterations to to 32768.
Fixes: CVE-2023-50967
Signed-off-by: Sergio Correia <scorreia@redhat.com>
---
tests/cve-2023-50967/cve-2023-50967.jwe | 1 +
tests/cve-2023-50967/cve-2023-50967.jwk | 1 +
2 files changed, 2 insertions(+)
create mode 100644 tests/cve-2023-50967/cve-2023-50967.jwe
create mode 100644 tests/cve-2023-50967/cve-2023-50967.jwk
diff --git a/tests/cve-2023-50967/cve-2023-50967.jwe b/tests/cve-2023-50967/cve-2023-50967.jwe
new file mode 100644
index 0000000..d157ba1
--- /dev/null
+++ b/tests/cve-2023-50967/cve-2023-50967.jwe
@@ -0,0 +1 @@
+{"ciphertext":"aaPb-JYGACs-loPwJkZewg","encrypted_key":"P1h8q8wLVxqYsZUuw6iEQTzgXVZHCsu8Eik-oqbE4AJGIDto3gb3SA","header":{"alg":"PBES2-HS256+A128KW","p2c":1000000000,"p2s":"qUQQWWkyyIqculSiC93mlg"},"iv":"Clg3JX9oNl_ck3sLSGrlgg","protected":"eyJlbmMiOiJBMTI4Q0JDLUhTMjU2In0","tag":"i7vga9tJkwRswFd7HlyD_A"}
\ No newline at end of file
diff --git a/tests/cve-2023-50967/cve-2023-50967.jwk b/tests/cve-2023-50967/cve-2023-50967.jwk
new file mode 100644
index 0000000..2704e3b
--- /dev/null
+++ b/tests/cve-2023-50967/cve-2023-50967.jwk
@@ -0,0 +1 @@
+{"alg":"PBES2-HS256+A128KW","k":"VHBLJ4-PmnqELoKbQoXuRA","key_ops":["wrapKey","unwrapKey"],"kty":"oct"}
\ No newline at end of file
--
2.40.0

12
jose.spec
View File

@ -1,10 +1,11 @@
Name: jose Name: jose
Version: 11 Version: 11
Release: 1 Release: 2
Summary: José is a command line utility for performing various tasks on JSON objects Summary: José is a command line utility for performing various tasks on JSON objects
License: ASL 2.0 License: ASL 2.0
URL: https://github.com/latchset/%{name} URL: https://github.com/latchset/%{name}
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
Patch001: back-port-CVE-2023-50967.patch
BuildRequires: pkgconfig, gcc, openssl-devel, zlib-devel, meson, ninja-build, asciidoc BuildRequires: pkgconfig, gcc, openssl-devel, zlib-devel, meson, ninja-build, asciidoc
BuildRequires: jansson-devel >= 2.10 BuildRequires: jansson-devel >= 2.10
@ -44,7 +45,7 @@ Requires: man, info
Man pages and other related documents for %{name} Man pages and other related documents for %{name}
%prep %prep
%setup -q %autosetup -n %{name}-%{version} -p1
%build %build
%meson %meson
@ -81,6 +82,13 @@ rm -rf %{buildroot}/%{_libdir}/lib%{name}.la
%changelog %changelog
* Sun Apr 7 2024 licihua<licihua@huawei.com> - 11-2
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: fix CVE-2023-50967
* Mon Aug 9 2021 zoulin<zoulin13@huawei.com> - 11-1 * Mon Aug 9 2021 zoulin<zoulin13@huawei.com> - 11-1
- Type:enhancement - Type:enhancement
- ID:NA - ID:NA