fix CVE-2023-50967
parent
48ae601566
commit
6e97463002
41
back-port-CVE-2023-50967.patch
Normal file
@ -0,0 +1,41 @@
From 4ee7708bf6dbfaa712749f081eec1f0d122fa001 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Mon, 1 Apr 2024 12:10:54 +0100
Subject: [PATCH] Fix potential DoS issue with p2c header

Unbounded p2c headers may be used to cause an application that accept
PBES algorithms to spend a lot of resources running PBKDF2 with a very
high number of iterations.

Limit the maximum number of iterations to to 32768.

Fixes: CVE-2023-50967

Signed-off-by: Sergio Correia <scorreia@redhat.com>

---
tests/cve-2023-50967/cve-2023-50967.jwe | 1 +
tests/cve-2023-50967/cve-2023-50967.jwk | 1 +
2 files changed, 2 insertions(+)
create mode 100644 tests/cve-2023-50967/cve-2023-50967.jwe
create mode 100644 tests/cve-2023-50967/cve-2023-50967.jwk
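Review bot: the diffstat above ("2 files changed, 2 insertions(+)", both paths under tests/cve-2023-50967/) shows this backport carries only the two test fixtures; the library change that the message describes ("Limit the maximum number of iterations to to 32768.") is not in the patch, so a build with this Patch001 applied still accepts an unbounded p2c and CVE-2023-50967 remains open. Include the code hunk from the commit named in the From line (4ee7708bf6dbfaa712749f081eec1f0d122fa001) alongside the fixtures, and fix the doubled "to to" in the message while at it.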
diff --git a/tests/cve-2023-50967/cve-2023-50967.jwe b/tests/cve-2023-50967/cve-2023-50967.jwe
new file mode 100644
index 0000000..d157ba1
--- /dev/null
+++ b/tests/cve-2023-50967/cve-2023-50967.jwe
@@ -0,0 +1 @@
+{"ciphertext":"aaPb-JYGACs-loPwJkZewg","encrypted_key":"P1h8q8wLVxqYsZUuw6iEQTzgXVZHCsu8Eik-oqbE4AJGIDto3gb3SA","header":{"alg":"PBES2-HS256+A128KW","p2c":1000000000,"p2s":"qUQQWWkyyIqculSiC93mlg"},"iv":"Clg3JX9oNl_ck3sLSGrlgg","protected":"eyJlbmMiOiJBMTI4Q0JDLUhTMjU2In0","tag":"i7vga9tJkwRswFd7HlyD_A"}
\ No newline at end of file
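Review bot: this fixture's "p2c":1000000000 is exactly the oversized iteration count the commit message warns about, so it only makes sense as a negative test that expects the unwrap to be rejected; against a build without the iteration cap (which this patch does not add) a test that tries to decrypt it would instead run a billion PBKDF2 rounds and hang the test suite. Nothing in the patch's diffstat references the file either, so add the test runner entry that loads cve-2023-50967.jwk, feeds it this JWE and asserts failure, and only enable it once the cap is in place.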
diff --git a/tests/cve-2023-50967/cve-2023-50967.jwk b/tests/cve-2023-50967/cve-2023-50967.jwk
new file mode 100644
index 0000000..2704e3b
--- /dev/null
+++ b/tests/cve-2023-50967/cve-2023-50967.jwk
@@ -0,0 +1 @@
+{"alg":"PBES2-HS256+A128KW","k":"VHBLJ4-PmnqELoKbQoXuRA","key_ops":["wrapKey","unwrapKey"],"kty":"oct"}
\ No newline at end of file
--
2.40.0

12
jose.spec
@ -1,10 +1,11 @@
Name: jose
Version: 11
Release: 1
Release: 2
Summary: José is a command line utility for performing various tasks on JSON objects
License: ASL 2.0
URL: https://github.com/latchset/%{name}
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
Patch001: back-port-CVE-2023-50967.patch

BuildRequires: pkgconfig, gcc, openssl-devel, zlib-devel, meson, ninja-build, asciidoc
BuildRequires: jansson-devel >= 2.10
@ -44,7 +45,7 @@ Requires: man, info
Man pages and other related documents for %{name}

%prep
%setup -q
%autosetup -n %{name}-%{version} -p1

%build
%meson
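Review bot: replacing %setup -q with %autosetup -p1 is what actually applies Patch001, and -p1 is the correct strip level for the a/tests/... and b/tests/... paths inside that patch; the -n %{name}-%{version} argument is the %autosetup default and can be dropped. The "\ No newline at end of file" markers on both fixture files in the patch are handled by patch(1), so they need no special treatment here.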
@ -81,6 +82,13 @@ rm -rf %{buildroot}/%{_libdir}/lib%{name}.la


%changelog
* Sun Apr 7 2024 licihua<licihua@huawei.com> - 11-2
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: fix CVE-2023-50967


* Mon Aug 9 2021 zoulin<zoulin13@huawei.com> - 11-1
- Type:enhancement
- ID:NA