Debian Bug report logs -
#993867
glewlwyd: CVE-2021-40818: webauthn buffer overflow
Reported by: Nicolas Mora <babelouest@debian.org>
Date: Tue, 7 Sep 2021 14:15:02 UTC
Severity: important
Tags: patch, security, upstream
Found in version glewlwyd/2.5.2-2
Fixed in version glewlwyd/2.5.2-3
Done: Nicolas Mora <babelouest@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian IoT Maintainers <debian-iot-maintainers@lists.alioth.debian.org>:
Bug#993867; Package glewlwyd.
(Tue, 07 Sep 2021 14:15:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Nicolas Mora <babelouest@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian IoT Maintainers <debian-iot-maintainers@lists.alioth.debian.org>.
(Tue, 07 Sep 2021 14:15:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: glewlwyd
Version: 2.5.2-2
Severity: important
Tags: patch security
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
-- System Information:
Debian Release: 11.0
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'proposed-updates'), (500,
'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not
set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages glewlwyd depends on:
ii dbconfig-pgsql 2.0.19
ii debconf [debconf-2.0] 1.5.77
pn glewlwyd-common <none>
ii init-system-helpers 1.60
ii libc6 2.31-13
ii libcbor0 0.5.0+dfsg-2
ii libconfig9 1.5-0.4
ii libcrypt1 1:4.4.18-4
ii libgnutls30 3.7.1-5
pn libhoel1.4 <none>
pn libiddawc0.9 <none>
ii libjansson4 2.13.1-1.1
ii libldap-2.4-2 2.4.57+dfsg-3
ii libnettle8 3.7.3-1
ii liboath0 2.6.6-3
pn liborcania2.1 <none>
pn librhonabwy0.9 <none>
pn libulfius2.7 <none>
pn libyder2.0 <none>
ii lsb-base 11.1.0
ii sqlite3 3.34.1-3
ii ucf 3.0043
ii zlib1g 1:1.2.11.dfsg-2
glewlwyd recommends no packages.
Versions of packages glewlwyd suggests:
[webauthn.patch (text/plain, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian IoT Maintainers <debian-iot-maintainers@lists.alioth.debian.org>:
Bug#993867; Package glewlwyd.
(Tue, 07 Sep 2021 16:21:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian IoT Maintainers <debian-iot-maintainers@lists.alioth.debian.org>.
(Tue, 07 Sep 2021 16:21:07 GMT) (full text, mbox, link).
Message #10 received at 993867@bugs.debian.org (full text, mbox, reply):
Hi Nicolas,
On Tue, Sep 07, 2021 at 10:05:08AM -0400, Nicolas Mora wrote:
> Package: glewlwyd
> Version: 2.5.2-2
> Severity: important
> Tags: patch security
> X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
>
>
>
>
> -- System Information:
> Debian Release: 11.0
> APT prefers stable-security
> APT policy: (500, 'stable-security'), (500, 'proposed-updates'), (500,
> 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
> Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not
> set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages glewlwyd depends on:
> ii dbconfig-pgsql 2.0.19
> ii debconf [debconf-2.0] 1.5.77
> pn glewlwyd-common <none>
> ii init-system-helpers 1.60
> ii libc6 2.31-13
> ii libcbor0 0.5.0+dfsg-2
> ii libconfig9 1.5-0.4
> ii libcrypt1 1:4.4.18-4
> ii libgnutls30 3.7.1-5
> pn libhoel1.4 <none>
> pn libiddawc0.9 <none>
> ii libjansson4 2.13.1-1.1
> ii libldap-2.4-2 2.4.57+dfsg-3
> ii libnettle8 3.7.3-1
> ii liboath0 2.6.6-3
> pn liborcania2.1 <none>
> pn librhonabwy0.9 <none>
> pn libulfius2.7 <none>
> pn libyder2.0 <none>
> ii lsb-base 11.1.0
> ii sqlite3 3.34.1-3
> ii ucf 3.0043
> ii zlib1g 1:1.2.11.dfsg-2
>
> glewlwyd recommends no packages.
>
> Versions of packages glewlwyd suggests:
> --- a/src/scheme/webauthn.c
> +++ b/src/scheme/webauthn.c
> @@ -1530,7 +1530,7 @@
> gnutls_pubkey_t pubkey = NULL;
> gnutls_x509_crt_t cert = NULL;
> gnutls_datum_t cert_dat, data, signature, cert_issued_by;
> - unsigned char data_signed[200], client_data_hash[32], cert_export[32], cert_export_b64[64];
> + unsigned char * data_signed = NULL, client_data_hash[32], cert_export[32], cert_export_b64[64];
> size_t data_signed_offset = 0, client_data_hash_len = 32, cert_export_len = 32, cert_export_b64_len = 0;
>
> if (j_error != NULL) {
> @@ -1619,6 +1619,12 @@
> break;
> }
>
> + if ((data_signed = o_malloc(rpid_hash_len+client_data_hash_len+credential_id_len+cert_x_len+cert_y_len+2)) == NULL) {
> + y_log_message(Y_LOG_LEVEL_DEBUG, "check_attestation_fido_u2f - Error allocating data_signed");
> + json_array_append_new(j_error, json_string("Internal error"));
> + break;
> + }
> +
> // Build bytestring to verify signature
> data_signed[0] = 0x0;
> data_signed_offset = 1;
> @@ -1653,6 +1659,7 @@
> }
>
> } while (0);
> + o_free(data_signed);
>
> if (json_array_size(j_error)) {
> j_return = json_pack("{sisO}", "result", G_ERROR_PARAM, "error", j_error);
Can you report the issue upstream?
Regards,
Salvatore
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 07 Sep 2021 16:21:09 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian IoT Maintainers <debian-iot-maintainers@lists.alioth.debian.org>:
Bug#993867; Package glewlwyd.
(Tue, 07 Sep 2021 17:27:02 GMT) (full text, mbox, link).
Acknowledgement sent
to "Nicolas Mora" <babelouest@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian IoT Maintainers <debian-iot-maintainers@lists.alioth.debian.org>.
(Tue, 07 Sep 2021 17:27:02 GMT) (full text, mbox, link).
Message #17 received at 993867@bugs.debian.org (full text, mbox, reply):
Hello,
7 septembre 2021 12:19 "Salvatore Bonaccorso" <carnil@debian.org> a écrit:
>
> Can you report the issue upstream?
>
The issue is already fixed upstream (I'm the upstream author):
https://github.com/babelouest/glewlwyd/commit/0efd112bb62f566877750ad62ee828bff579b4e2
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian IoT Maintainers <debian-iot-maintainers@lists.alioth.debian.org>:
Bug#993867; Package glewlwyd.
(Tue, 07 Sep 2021 19:06:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian IoT Maintainers <debian-iot-maintainers@lists.alioth.debian.org>.
(Tue, 07 Sep 2021 19:06:05 GMT) (full text, mbox, link).
Message #22 received at 993867@bugs.debian.org (full text, mbox, reply):
Hi Nicolas,
On Tue, Sep 07, 2021 at 05:16:21PM +0000, Nicolas Mora wrote:
> Hello,
>
> 7 septembre 2021 12:19 "Salvatore Bonaccorso" <carnil@debian.org> a écrit:
>
> >
> > Can you report the issue upstream?
> >
> The issue is already fixed upstream (I'm the upstream author):
> https://github.com/babelouest/glewlwyd/commit/0efd112bb62f566877750ad62ee828bff579b4e2
Embarassing, I can assure you I did check the git repo.
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian IoT Maintainers <debian-iot-maintainers@lists.alioth.debian.org>:
Bug#993867; Package glewlwyd.
(Tue, 07 Sep 2021 22:18:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Nicolas Mora <babelouest@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian IoT Maintainers <debian-iot-maintainers@lists.alioth.debian.org>.
(Tue, 07 Sep 2021 22:18:03 GMT) (full text, mbox, link).
Message #27 received at 993867@bugs.debian.org (full text, mbox, reply):
Le 2021-09-07 à 15 h 03, Salvatore Bonaccorso a écrit :
>
> Embarassing, I can assure you I did check the git repo.
>
That's ok, the commit message wasn't about the buffer overflow and it
was a few weeks ago, so no worries :)
/Nicolas
Reply sent
to Nicolas Mora <babelouest@debian.org>:
You have taken responsibility.
(Tue, 07 Sep 2021 23:36:04 GMT) (full text, mbox, link).
Notification sent
to Nicolas Mora <babelouest@debian.org>:
Bug acknowledged by developer.
(Tue, 07 Sep 2021 23:36:04 GMT) (full text, mbox, link).
Message #32 received at 993867-close@bugs.debian.org (full text, mbox, reply):
Source: glewlwyd
Source-Version: 2.5.2-3
Done: Nicolas Mora <babelouest@debian.org>
We believe that the bug you reported is fixed in the latest version of
glewlwyd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 993867@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nicolas Mora <babelouest@debian.org> (supplier of updated glewlwyd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 07 Sep 2021 19:00:32 -0400
Source: glewlwyd
Architecture: source
Version: 2.5.2-3
Distribution: unstable
Urgency: medium
Maintainer: Debian IoT Maintainers <debian-iot-maintainers@lists.alioth.debian.org>
Changed-By: Nicolas Mora <babelouest@debian.org>
Closes: 987477 993867
Changes:
glewlwyd (2.5.2-3) unstable; urgency=medium
.
* d/postinst: Run pgsql script on $dbc_server
* d/install: Copy sql scripts to usr/share/dbconfig-common/data/
* d/po/es.po: Add spanish translation (Closes: #987477)
* d/patches: fix webauthn buffer overflow (Closes: #993867)
Checksums-Sha1:
113f28f14ed076522cd820e00ad1d3459fff785d 2572 glewlwyd_2.5.2-3.dsc
84fdbd7b288dabe6e683af2c5f18031206693604 5437175 glewlwyd_2.5.2.orig.tar.gz
f6fba9df6d7d2cd316b3a30037369dfd52133856 29640 glewlwyd_2.5.2-3.debian.tar.xz
778d9f1fd6cc02275bdd1023e877fcfece6a6b5b 18887 glewlwyd_2.5.2-3_amd64.buildinfo
Checksums-Sha256:
c0327d470e6d4e743df7e822fce31ea7a3395d2d846db9db59ce93f9c3ddae02 2572 glewlwyd_2.5.2-3.dsc
2630d4e3ea2350c7060ff39321ff7e0cbef5893b9bd99ad098fc5fafba31fe4f 5437175 glewlwyd_2.5.2.orig.tar.gz
d391d93cc26f016f21e13955591b283532d745eb953378398da93ac88e5e82b9 29640 glewlwyd_2.5.2-3.debian.tar.xz
f2c24f0d5572404c2df998e438e5e40d57be1a15691e8d4153277b91ab84bca9 18887 glewlwyd_2.5.2-3_amd64.buildinfo
Files:
4595a7edbf49afea661ac7515b0f1841 2572 web optional glewlwyd_2.5.2-3.dsc
fa6d6f99894aae2b0e16a36e9322f4a8 5437175 web optional glewlwyd_2.5.2.orig.tar.gz
8ea788bd797fc21b2dc8051e2f9ec7c8 29640 web optional glewlwyd_2.5.2-3.debian.tar.xz
074493334ff1626390b9060f4334cd29 18887 web optional glewlwyd_2.5.2-3_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEhAWwL8wo75dEyPJT/oITlEC9IrkFAmE38GYACgkQ/oITlEC9
IrlGVA//SYp4tfEnngnp6ilXvWLoHL0764GgpExGebWIX6Z3L9xlbCxXXJWCZfnq
QnEEg+58b5zHA5uudybRWHSoHIpvH3wkUuQ9ulzSb2KjipX/1fgY8ZVf4wAUrGAY
SLRMB+9zp+tJbTVrKiuTMQvcOasPU6pwSbHQ+1JeRoJoArZSNEwQmTPLmOHuAUPu
e69RbLvEkxrYIhM9cY+rv5ktqdzH27GF0TX14cEdSyuNxuOS+RQljX1QP5KOggT8
4xAEZcgdkCxIA1yt0nSVNKApKDZ6phWnQd80C6aFFLtIBSN0iL88YLKwxCfSoIkG
2CFDSOJhvJzKRjC/2GQ5npvyUIxD+dBNCpbg/praFYL0W3MyOPfFFe0OpEY9Puqz
YM++kf5MY4YVwoZjoqZJMMHKPacQmbKUiXLOhuurrXwtaJCiDs/+VSZ5yrHGNFtp
6ARqAuWJlWU48iiuA2s3HqiD62G7AI4I0yFMmRD/4mcdYsl4Roto9Rkao6Q0nf8o
UF9lKP83TXUSLP0Jqn4CRA8Yb7+tqkq7ZNVLlDuHm+q0+5BRCu25aYlsdZ1sjF36
S9lA5sx1oBlEqGnBc+KjED+o5aEnMdfkaC40zGbGXu5tx+6NrgtK6a5Xht3IYkh5
CZV2WduOOoqHttoQjFp60mY036HbBCA25mTd+6DZCuF/4faZ0qU=
=GztN
-----END PGP SIGNATURE-----
Changed Bug title to 'glewlwyd: CVE-2021-40818: webauthn buffer overflow' from 'glewlwyd: possible buffer overflow on webauthn registration'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 08 Sep 2021 21:54:02 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 08 Oct 2021 07:27:26 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Fri Aug 2 04:28:20 2024;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.