From 42c0385108ac00577480a64f84317e41792f554f Mon Sep 17 00:00:00 2001
From: Jan Friesse
Date: Tue, 30 Apr 2024 17:24:28 +0200
Subject: [PATCH] - Resolves: RHEL-32613

- attr: Fix reading of server_reply
- auth: Check result of gcrypt gcry_md_get_algo_dlen (fixes CVE-2024-3049)

Signed-off-by: Jan Friesse
---
 ...3-1-attr-Fix-reading-of-server_reply.patch | 37 +++++++++++
 ...sult-of-gcrypt-gcry_md_get_algo_dlen.patch | 65 +++++++++++++++++++
 booth.spec | 10 ++-
 3 files changed, 111 insertions(+), 1 deletion(-)
 create mode 100644 RHEL-32613-1-attr-Fix-reading-of-server_reply.patch
 create mode 100644 RHEL-32613-2-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch

diff --git a/RHEL-32613-1-attr-Fix-reading-of-server_reply.patch b/RHEL-32613-1-attr-Fix-reading-of-server_reply.patch
new file mode 100644
index 0000000..20473e8
--- /dev/null
+++ b/RHEL-32613-1-attr-Fix-reading-of-server_reply.patch
@@ -0,0 +1,37 @@
+From 4bdd96d767fc38239c4fac9e95404da99f61ac65 Mon Sep 17 00:00:00 2001
+From: Jan Friesse
+Date: Wed, 21 Feb 2024 17:40:11 +0100
+Subject: [PATCH 1/4] attr: Fix reading of server_reply
+
+read_server_reply first reads boothc header and then rest of packet
+which contains hmac info. This should go in memory right after
+boothc_header and not after full length of packet, because full length
+of packet already contains hmac info.
+
+Solution is to simply use length of header and not length of packet.
+
+Longer term and better solution would be to drop read_server_reply
+completely and use recv_auth which is used for everything else but attr
+set and delete.
+
+Signed-off-by: Jan Friesse
+---
+ src/attr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/attr.c b/src/attr.c
+index 44061e3..bc154f0 100644
+--- a/src/attr.c
++++ b/src/attr.c
+@@ -142,7 +142,7 @@ static int read_server_reply(
+ return -2;
+ }
+ len = ntohl(header->length);
+- rv = tpt->recv(site, msg+len, len-sizeof(*header));
++ rv = tpt->recv(site, msg+sizeof(*header), len-sizeof(*header));
+ if (rv < 0) {
+ return -1;
+ }
+--
+2.44.0
+
diff --git a/RHEL-32613-2-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch b/RHEL-32613-2-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch
new file mode 100644
index 0000000..11e709f
--- /dev/null
+++ b/RHEL-32613-2-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch
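Review bot: The corrected offset still trusts `len` straight from the wire: `len = ntohl(header->length)` feeds `len-sizeof(*header)` with no visible lower bound, so a length smaller than the header wraps to a huge read size, and no upper bound against the capacity of `msg` is visible either. Unless such a check exists in the part of read_server_reply outside this hunk, add one before the recv, e.g. `if (len < sizeof(*header) || len > MSG_CAPACITY) return -2;` where MSG_CAPACITY is a placeholder for the actual size of the `msg` buffer. The inner patch's own message already notes that recv_auth handles this path for the other commands, so sharing that code would also remove the duplicated length handling. read_server_reply starts and ends outside the hunk.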
@@ -0,0 +1,65 @@
+From 91fcfb5708f829ecff7d098ed4c0fc8f2da6d599 Mon Sep 17 00:00:00 2001
+From: Jan Friesse
+Date: Wed, 21 Feb 2024 18:12:28 +0100
+Subject: [PATCH 2/4] auth: Check result of gcrypt gcry_md_get_algo_dlen
+
+When unknown hash is passed to gcry_md_get_algo_dlen 0 is returned. This
+value is then used for memcmp so wrong hmac might be accepted as
+correct.
+
+Signed-off-by: Jan Friesse
+---
+ src/auth.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/src/auth.c b/src/auth.c
+index 8f86b9a..a3b3d20 100644
+--- a/src/auth.c
++++ b/src/auth.c
+@@ -28,6 +28,11 @@ int calc_hmac(const void *data, size_t datalen,
+ {
+ static gcry_md_hd_t digest;
+ gcry_error_t err;
++ int hlen;
++
++ hlen = gcry_md_get_algo_dlen(hid);
++ if (!hlen)
++ return -1;
+
+ if (!digest) {
+ err = gcry_md_open(&digest, hid, GCRY_MD_FLAG_HMAC);
+@@ -42,7 +47,7 @@ int calc_hmac(const void *data, size_t datalen,
+ }
+ }
+ gcry_md_write(digest, data, datalen);
+- memcpy(result, gcry_md_read(digest, 0), gcry_md_get_algo_dlen(hid));
++ memcpy(result, gcry_md_read(digest, 0), hlen);
+ gcry_md_reset(digest);
+ return 0;
+ }
+@@ -54,15 +59,20 @@ int verify_hmac(const void *data, size_t datalen,
+ {
+ unsigned char *our_hmac;
+ int rc;
++ int hlen;
++
++ hlen = gcry_md_get_algo_dlen(hid);
++ if (!hlen)
++ return -1;
+
+- our_hmac = malloc(gcry_md_get_algo_dlen(hid));
++ our_hmac = malloc(hlen);
+ if (!our_hmac)
+ return -1;
+
+ rc = calc_hmac(data, datalen, hid, our_hmac, key, keylen);
+ if (rc)
+ goto out_free;
+- rc = memcmp(our_hmac, hmac, gcry_md_get_algo_dlen(hid));
++ rc = memcmp(our_hmac, hmac, hlen);
+
+ out_free:
+ if (our_hmac)
+--
+2.44.0
+
diff --git a/booth.spec b/booth.spec
index a64fbc4..13c45e2 100644
--- a/booth.spec
+++ b/booth.spec
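Review bot: The comparison this fix now bounds correctly, `rc = memcmp(our_hmac, hmac, hlen);` in verify_hmac, still compares the authentication tag with an early-exit memcmp, so the time it takes depends on how many leading bytes agree; a fixed-time comparison over all `hlen` bytes should replace it, keeping `rc == 0` for a match so callers are unaffected. `hlen` is declared `int` in both functions while gcry_md_get_algo_dlen returns `unsigned int`; `unsigned int hlen;` avoids the sign conversion and matches the `size_t` parameters of malloc and memcmp. Both calc_hmac and verify_hmac start and end outside the hunk.
```c
/* Fixed-time tag comparison over n bytes: 0 when equal, 1 otherwise. */
static int hmac_mismatch(const void *a, const void *b, unsigned int n)
{
	const unsigned char *pa = a, *pb = b;
	unsigned char acc = 0;
	unsigned int i;

	for (i = 0; i < n; i++)
		acc |= pa[i] ^ pb[i];
	return acc != 0;
}

/* … unchanged: calc_hmac, start of verify_hmac … */
	rc = hmac_mismatch(our_hmac, hmac, hlen);
```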
@@ -41,12 +41,14 @@ Name: booth Version: 1.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Ticket Manager for Multi-site Clusters License: GPLv2+ Url: https://github.com/%{github_owner}/%{name} Source0: https://github.com/%{github_owner}/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz Patch0: rhel-specific-0001-config-Add-enable-authfile-option.patch +Patch1: RHEL-32613-1-attr-Fix-reading-of-server_reply.patch +Patch2: RHEL-32613-2-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch # direct build process dependencies BuildRequires: autoconf @@ -295,6 +297,12 @@ VERBOSE=1 make check %{_usr}/lib/ocf/resource.d/booth/sharedrsc %changelog +* Tue Apr 30 2024 Jan Friesse - 1.1-2 +- Resolves: RHEL-32613 + +- attr: Fix reading of server_reply +- auth: Check result of gcrypt gcry_md_get_algo_dlen (fixes CVE-2024-3049) + * Thu Nov 23 2023 Jan Friesse - 1.1-1 - Resolves: RHEL-15268 - Resolves: RHEL-7029