File booth-CVE-2024-3049.patch of Package booth.34249

From 43eaf0e82b1475a6a5322881cbd8260b6c3f5ef8 Mon Sep 17 00:00:00 2001
From: Jan Friesse <jfriesse@redhat.com>
Date: Wed, 21 Feb 2024 17:40:11 +0100
Subject: [PATCH 1/2] attr: Fix reading of server_reply

read_server_reply first reads boothc header and then rest of packet
which contains hmac info. This should go in memory right after
boothc_header and not after full length of packet, because full length
of packet already contains hmac info.

Solution is to simply use length of header and not length of packet.

Longer term and better solution would be to drop read_server_reply
completely and use recv_auth which is used for everything else but attr
set and delete.

Signed-off-by: Jan Friesse <jfriesse@redhat.com>
---
 src/attr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/attr.c b/src/attr.c
index 44061e35..bc154f04 100644
--- a/src/attr.c
+++ b/src/attr.c
@@ -142,7 +142,7 @@ static int read_server_reply(
 		return -2;
 	}
 	len = ntohl(header->length);
-	rv = tpt->recv(site, msg+len, len-sizeof(*header));
+	rv = tpt->recv(site, msg+sizeof(*header), len-sizeof(*header));
 	if (rv < 0) {
 		return -1;
 	}

From 98b4284d1701f2efec278b51f151314148bfe70e Mon Sep 17 00:00:00 2001
From: Jan Friesse <jfriesse@redhat.com>
Date: Wed, 21 Feb 2024 18:12:28 +0100
Subject: [PATCH 2/2] auth: Check result of gcrypt gcry_md_get_algo_dlen

When unknown hash is passed to gcry_md_get_algo_dlen 0 is returned. This
value is then used for memcmp so wrong hmac might be accepted as
correct.

Signed-off-by: Jan Friesse <jfriesse@redhat.com>
---
 src/auth.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/auth.c b/src/auth.c
index 8f86b9ab..a3b3d20b 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -28,6 +28,11 @@ int calc_hmac(const void *data, size_t datalen,
 {
 	static gcry_md_hd_t digest;
 	gcry_error_t err;
+	int hlen;
+
+	hlen = gcry_md_get_algo_dlen(hid);
+	if (!hlen)
+		return -1;
 
 	if (!digest) {
 		err = gcry_md_open(&digest, hid, GCRY_MD_FLAG_HMAC);
@@ -42,7 +47,7 @@ int calc_hmac(const void *data, size_t datalen,
 		}
 	}
 	gcry_md_write(digest, data, datalen);
-	memcpy(result, gcry_md_read(digest, 0), gcry_md_get_algo_dlen(hid));
+	memcpy(result, gcry_md_read(digest, 0), hlen);
 	gcry_md_reset(digest);
 	return 0;
 }
@@ -54,15 +59,20 @@ int verify_hmac(const void *data, size_t datalen,
 {
 	unsigned char *our_hmac;
 	int rc;
+	int hlen;
+
+	hlen = gcry_md_get_algo_dlen(hid);
+	if (!hlen)
+		return -1;
 
-	our_hmac = malloc(gcry_md_get_algo_dlen(hid));
+	our_hmac = malloc(hlen);
 	if (!our_hmac)
 		return -1;
 
 	rc = calc_hmac(data, datalen, hid, our_hmac, key, keylen);
 	if (rc)
 		goto out_free;
-	rc = memcmp(our_hmac, hmac, gcry_md_get_algo_dlen(hid));
+	rc = memcmp(our_hmac, hmac, hlen);
 
 out_free:
 	if (our_hmac)

openSUSE Build Service is sponsored by