Fix CVE-2024-3049

- attr: Fix reading of server_reply - auth: Check result of gcrypt gcry_md_get_algo_dlen (fixes CVE-2024-3049) - Resolves: rhbz#2290667 Signed-off-by: Jan Friesse <jfriesse@redhat.com>
2024-06-07 10:17:17 +02:00
9 changed files with 147 additions and 54 deletions
--- a/.fmf/version
+++ b/.fmf/version
@ -1 +0,0 @@
-1
--- a/0001-attr-Fix-reading-of-server_reply.patch
+++ b/0001-attr-Fix-reading-of-server_reply.patch
@ -0,0 +1,37 @@
+From 43eaf0e82b1475a6a5322881cbd8260b6c3f5ef8 Mon Sep 17 00:00:00 2001
+From: Jan Friesse <jfriesse@redhat.com>
+Date: Wed, 21 Feb 2024 17:40:11 +0100
+Subject: attr: Fix reading of server_reply
+
+read_server_reply first reads boothc header and then rest of packet
+which contains hmac info. This should go in memory right after
+boothc_header and not after full length of packet, because full length
+of packet already contains hmac info.
+
+Solution is to simply use length of header and not length of packet.
+
+Longer term and better solution would be to drop read_server_reply
+completely and use recv_auth which is used for everything else but attr
+set and delete.
+
+Signed-off-by: Jan Friesse <jfriesse@redhat.com>
+---
+ src/attr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/attr.c b/src/attr.c
+index 44061e3..bc154f0 100644
+--- a/src/attr.c
+++ b/src/attr.c
+@@ -142,7 +142,7 @@ static int read_server_reply(
+ 		return -2;
+ 	}
+ 	len = ntohl(header->length);
+-	rv = tpt->recv(site, msg+len, len-sizeof(*header));
+	rv = tpt->recv(site, msg+sizeof(*header), len-sizeof(*header));
+ 	if (rv < 0) {
+ 		return -1;
+ 	}
+-- 
+2.41.0
+
--- a/0002-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch
+++ b/0002-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch
@ -0,0 +1,65 @@
+From 98b4284d1701f2efec278b51f151314148bfe70e Mon Sep 17 00:00:00 2001
+From: Jan Friesse <jfriesse@redhat.com>
+Date: Wed, 21 Feb 2024 18:12:28 +0100
+Subject: auth: Check result of gcrypt gcry_md_get_algo_dlen
+
+When unknown hash is passed to gcry_md_get_algo_dlen 0 is returned. This
+value is then used for memcmp so wrong hmac might be accepted as
+correct.
+
+Signed-off-by: Jan Friesse <jfriesse@redhat.com>
+---
+ src/auth.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/src/auth.c b/src/auth.c
+index 8f86b9a..a3b3d20 100644
+--- a/src/auth.c
+++ b/src/auth.c
+@@ -28,6 +28,11 @@ int calc_hmac(const void *data, size_t datalen,
+ {
+ 	static gcry_md_hd_t digest;
+ 	gcry_error_t err;
+	int hlen;
+
+	hlen = gcry_md_get_algo_dlen(hid);
+	if (!hlen)
+		return -1;
+ 
+ 	if (!digest) {
+ 		err = gcry_md_open(&digest, hid, GCRY_MD_FLAG_HMAC);
+@@ -42,7 +47,7 @@ int calc_hmac(const void *data, size_t datalen,
+ 		}
+ 	}
+ 	gcry_md_write(digest, data, datalen);
+-	memcpy(result, gcry_md_read(digest, 0), gcry_md_get_algo_dlen(hid));
+	memcpy(result, gcry_md_read(digest, 0), hlen);
+ 	gcry_md_reset(digest);
+ 	return 0;
+ }
+@@ -54,15 +59,20 @@ int verify_hmac(const void *data, size_t datalen,
+ {
+ 	unsigned char *our_hmac;
+ 	int rc;
+	int hlen;
+
+	hlen = gcry_md_get_algo_dlen(hid);
+	if (!hlen)
+		return -1;
+ 
+-	our_hmac = malloc(gcry_md_get_algo_dlen(hid));
+	our_hmac = malloc(hlen);
+ 	if (!our_hmac)
+ 		return -1;
+ 
+ 	rc = calc_hmac(data, datalen, hid, our_hmac, key, keylen);
+ 	if (rc)
+ 		goto out_free;
+-	rc = memcmp(our_hmac, hmac, gcry_md_get_algo_dlen(hid));
+	rc = memcmp(our_hmac, hmac, hlen);
+ 
+ out_free:
+ 	if (our_hmac)
+-- 
+2.41.0
+
--- a/booth.spec
+++ b/booth.spec
@ -22,6 +22,23 @@
 %bcond_with html_man
 %bcond_with glue
 %bcond_with run_build_tests
+%bcond_with include_unit_test
+
+# set following to the result of  `git describe --abbrev=128 $commit`
+# This will be used to fill booth_ver, booth_numcomm and booth_sha1.
+# It is important to keep abbrev to get full length sha1! When updating source use
+# `spectool -g booth.spec` to download source.
+%global git_describe_str v1.0-283-g9d4029aa14323a7f3b496215d25e40bd14f33632
+
+# Set this to 1 when rebasing (changing git_describe_str) and increase otherwise
+%global release 5
+
+# Run shell script to parse git_describe str into version, numcomm and sha1 hash
+%global booth_ver %(s=%{git_describe_str}; vver=${s%%%%-*}; echo ${vver:1})
+%global booth_numcomm %(s=%{git_describe_str}; t=${s#*-}; echo ${t%%%%-*})
+%global booth_sha1 %(s=%{git_describe_str}; t=${s##*-}; echo ${t:1})
+%global booth_short_sha1 %(s=%{booth_sha1}; echo ${s:0:7})
+%global booth_archive_name %{name}-%{booth_ver}-%{booth_numcomm}-%{booth_short_sha1}

 ## User and group to use for nonprivileged services (should be in sync with pacemaker)
 %global uname hacluster
@ -39,12 +56,14 @@
 %global test_path   %{_datadir}/booth/tests

 Name:           booth
-Version:        1.2
-Release:        6%{?dist}
+Version:        %{booth_ver}
+Release:        %{booth_numcomm}.%{release}.%{booth_short_sha1}.git%{?dist}
 Summary:        Ticket Manager for Multi-site Clusters
 License:        GPL-2.0-or-later
 Url:            https://github.com/%{github_owner}/%{name}
-Source0:        https://github.com/%{github_owner}/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz
+Source0:        https://github.com/%{github_owner}/%{name}/archive/%{booth_short_sha1}/%{booth_archive_name}.tar.gz
+Patch0:         0001-attr-Fix-reading-of-server_reply.patch
+Patch1:         0002-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch

 # direct build process dependencies
 BuildRequires:  autoconf
@ -58,7 +77,7 @@ BuildRequires:  asciidoctor
 BuildRequires:  gcc
 BuildRequires:  pkgconfig
 # linking dependencies
-BuildRequires:  gnutls-devel
+BuildRequires:  libgcrypt-devel
 BuildRequires:  libxml2-devel
 ## just for <pacemaker/crm/services.h> include
 BuildRequires:  pacemaker-libs-devel
@ -163,6 +182,9 @@ Requires:       %{name}-arbitrator = %{version}-%{release}
 Requires:       %{name}-site = %{version}-%{release}
 Requires:       gdb
 Requires:       %{__python3}
+%if 0%{?with_include_unit_test}
+Requires:       python3-pexpect
+%endif
 # runtests.py suite (for perl and ss)
 Requires:       perl-interpreter iproute

@ -172,7 +194,7 @@ Automated tests for running Booth, ticket manager for multi-site clusters.
 # BUILD #

 %prep
-%autosetup -n %{name}-%{version} -S git_am
+%autosetup -n %{name}-%{booth_sha1} -S git_am

 %build
 ./autogen.sh
@ -204,6 +226,10 @@ mkdir -p %{buildroot}/%{test_path}
 # Copy tests from tarball
 cp -a -t %{buildroot}/%{test_path} \
        -- conf test
+%if 0%{?with_include_unit_test}
+cp -a -t %{buildroot}/%{test_path} \
+        -- unit-tests script/unit-test.py
+%endif
 chmod +x %{buildroot}/%{test_path}/test/booth_path
 chmod +x %{buildroot}/%{test_path}/test/live_test.sh
 mkdir -p %{buildroot}/%{test_path}/src
@ -286,37 +312,10 @@ VERBOSE=1 make check
 %{_usr}/lib/ocf/resource.d/booth/sharedrsc

 %changelog
-* Fri Sep 19 2025 Python Maint <python-maint@redhat.com> - 1.2-6
- Rebuilt for Python 3.14.0rc3 bytecode
-
-* Thu Aug 21 2025 Cristian Le <git@lecris.dev>
- Convert STI tests to TMT (rhbz#2382867)
-
-* Fri Aug 15 2025 Python Maint <python-maint@redhat.com> - 1.2-5
- Rebuilt for Python 3.14.0rc2 bytecode
-
-* Wed Jul 23 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
-
-* Thu Jan 16 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
-
-* Wed Jul 17 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
-
-* Fri Jun 07 2024 Jan Friesse <jfriesse@redhat.com> - 1.2-1
- New upstream release
-
-* Tue Jan 23 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Wed Oct 18 2023 Jan Friesse <jfriesse@redhat.com> - 1.1-1
- New upstream release
- Upstream releases should now be released regularly, so convert spec
-  to use them instead of git snapshots
+* Fri Jun 07 2024 Jan Friesse <jfriesse@redhat.com> - 1.0-283.5.9d4029a.git
+- attr: Fix reading of server_reply
+- auth: Check result of gcrypt gcry_md_get_algo_dlen
+  (fixes CVE-2024-3049)

 * Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-283.4.9d4029a.git
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
--- a/plans.fmf
+++ b/plans.fmf
@ -1,13 +0,0 @@
-summary: Run all tests
-discover:
-  how: fmf
-prepare:
-  - name: Disable installing everything from srpm
-    how: install
-    exclude: ".*"
-  - name: Install the main test package
-    how: install
-    package:
-      - booth-test
-execute:
-  how: tmt
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (booth-1.2.tar.gz) = b63217e561fd5e8ede1ba432ec6b4ef6efb73dc16a501814cf07b82f87a23c3f734ebf09c56a5d521668ee57ed02be48d257aabb1d2e3c4840f1219ef13d3fde
+SHA512 (booth-1.0-283-9d4029a.tar.gz) = 628a3e1e128d0fdcd4600d8d4b46220363575bda83c85cd43bfe940a2a29a9176490342261354138f8d4c593b611cf0282653c1e4b3d4b4841d99ef31ba45ada
--- a/tests/main.fmf
+++ b/tests/main.fmf
@ -1,3 +0,0 @@
-/upstream:
-  summary: Run upstream tests
-  test: ./upstream/runtest.sh
--- a/tests/tests.yml
+++ b/tests/tests.yml
@ -0,0 +1,9 @@
+- hosts: localhost
+  roles:
+  - role: standard-test-basic
+    tags:
+    - classic
+    tests:
+    - upstream
+    required_packages:
+    - booth-test
--- a/tests/upstream/runtest.sh
+++ b/tests/upstream/runtest.sh