Compare commits
1 commit
| Author | SHA1 | Date | |
|---|---|---|---|
|
6722df57e6 |
3 changed files with 110 additions and 1 deletions
37
0001-attr-Fix-reading-of-server_reply.patch
Normal file
37
0001-attr-Fix-reading-of-server_reply.patch
Normal file
|
|
@ -0,0 +1,37 @@
|
|||
From 43eaf0e82b1475a6a5322881cbd8260b6c3f5ef8 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Friesse <jfriesse@redhat.com>
|
||||
Date: Wed, 21 Feb 2024 17:40:11 +0100
|
||||
Subject: attr: Fix reading of server_reply
|
||||
|
||||
read_server_reply first reads boothc header and then rest of packet
|
||||
which contains hmac info. This should go in memory right after
|
||||
boothc_header and not after full length of packet, because full length
|
||||
of packet already contains hmac info.
|
||||
|
||||
Solution is to simply use length of header and not length of packet.
|
||||
|
||||
Longer term and better solution would be to drop read_server_reply
|
||||
completely and use recv_auth which is used for everything else but attr
|
||||
set and delete.
|
||||
|
||||
Signed-off-by: Jan Friesse <jfriesse@redhat.com>
|
||||
---
|
||||
src/attr.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/attr.c b/src/attr.c
|
||||
index 44061e3..bc154f0 100644
|
||||
--- a/src/attr.c
|
||||
+++ b/src/attr.c
|
||||
@@ -142,7 +142,7 @@ static int read_server_reply(
|
||||
return -2;
|
||||
}
|
||||
len = ntohl(header->length);
|
||||
- rv = tpt->recv(site, msg+len, len-sizeof(*header));
|
||||
+ rv = tpt->recv(site, msg+sizeof(*header), len-sizeof(*header));
|
||||
if (rv < 0) {
|
||||
return -1;
|
||||
}
|
||||
--
|
||||
2.41.0
|
||||
|
||||
65
0002-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch
Normal file
65
0002-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch
Normal file
|
|
@ -0,0 +1,65 @@
|
|||
From 98b4284d1701f2efec278b51f151314148bfe70e Mon Sep 17 00:00:00 2001
|
||||
From: Jan Friesse <jfriesse@redhat.com>
|
||||
Date: Wed, 21 Feb 2024 18:12:28 +0100
|
||||
Subject: auth: Check result of gcrypt gcry_md_get_algo_dlen
|
||||
|
||||
When unknown hash is passed to gcry_md_get_algo_dlen 0 is returned. This
|
||||
value is then used for memcmp so wrong hmac might be accepted as
|
||||
correct.
|
||||
|
||||
Signed-off-by: Jan Friesse <jfriesse@redhat.com>
|
||||
---
|
||||
src/auth.c | 16 +++++++++++++---
|
||||
1 file changed, 13 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/auth.c b/src/auth.c
|
||||
index 8f86b9a..a3b3d20 100644
|
||||
--- a/src/auth.c
|
||||
+++ b/src/auth.c
|
||||
@@ -28,6 +28,11 @@ int calc_hmac(const void *data, size_t datalen,
|
||||
{
|
||||
static gcry_md_hd_t digest;
|
||||
gcry_error_t err;
|
||||
+ int hlen;
|
||||
+
|
||||
+ hlen = gcry_md_get_algo_dlen(hid);
|
||||
+ if (!hlen)
|
||||
+ return -1;
|
||||
|
||||
if (!digest) {
|
||||
err = gcry_md_open(&digest, hid, GCRY_MD_FLAG_HMAC);
|
||||
@@ -42,7 +47,7 @@ int calc_hmac(const void *data, size_t datalen,
|
||||
}
|
||||
}
|
||||
gcry_md_write(digest, data, datalen);
|
||||
- memcpy(result, gcry_md_read(digest, 0), gcry_md_get_algo_dlen(hid));
|
||||
+ memcpy(result, gcry_md_read(digest, 0), hlen);
|
||||
gcry_md_reset(digest);
|
||||
return 0;
|
||||
}
|
||||
@@ -54,15 +59,20 @@ int verify_hmac(const void *data, size_t datalen,
|
||||
{
|
||||
unsigned char *our_hmac;
|
||||
int rc;
|
||||
+ int hlen;
|
||||
+
|
||||
+ hlen = gcry_md_get_algo_dlen(hid);
|
||||
+ if (!hlen)
|
||||
+ return -1;
|
||||
|
||||
- our_hmac = malloc(gcry_md_get_algo_dlen(hid));
|
||||
+ our_hmac = malloc(hlen);
|
||||
if (!our_hmac)
|
||||
return -1;
|
||||
|
||||
rc = calc_hmac(data, datalen, hid, our_hmac, key, keylen);
|
||||
if (rc)
|
||||
goto out_free;
|
||||
- rc = memcmp(our_hmac, hmac, gcry_md_get_algo_dlen(hid));
|
||||
+ rc = memcmp(our_hmac, hmac, hlen);
|
||||
|
||||
out_free:
|
||||
if (our_hmac)
|
||||
--
|
||||
2.41.0
|
||||
|
||||
|
|
@ -31,7 +31,7 @@
|
|||
%global git_describe_str v1.0-283-g9d4029aa14323a7f3b496215d25e40bd14f33632
|
||||
|
||||
# Set this to 1 when rebasing (changing git_describe_str) and increase otherwise
|
||||
%global release 4
|
||||
%global release 5
|
||||
|
||||
# Run shell script to parse git_describe str into version, numcomm and sha1 hash
|
||||
%global booth_ver %(s=%{git_describe_str}; vver=${s%%%%-*}; echo ${vver:1})
|
||||
|
|
@ -62,6 +62,8 @@ Summary: Ticket Manager for Multi-site Clusters
|
|||
License: GPL-2.0-or-later
|
||||
Url: https://github.com/%{github_owner}/%{name}
|
||||
Source0: https://github.com/%{github_owner}/%{name}/archive/%{booth_short_sha1}/%{booth_archive_name}.tar.gz
|
||||
Patch0: 0001-attr-Fix-reading-of-server_reply.patch
|
||||
Patch1: 0002-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch
|
||||
|
||||
# direct build process dependencies
|
||||
BuildRequires: autoconf
|
||||
|
|
@ -310,6 +312,11 @@ VERBOSE=1 make check
|
|||
%{_usr}/lib/ocf/resource.d/booth/sharedrsc
|
||||
|
||||
%changelog
|
||||
* Fri Jun 07 2024 Jan Friesse <jfriesse@redhat.com> - 1.0-283.5.9d4029a.git
|
||||
- attr: Fix reading of server_reply
|
||||
- auth: Check result of gcrypt gcry_md_get_algo_dlen
|
||||
(fixes CVE-2024-3049)
|
||||
|
||||
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-283.4.9d4029a.git
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue