rpms/booth
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- Resolves: RHEL-32613

Browse Source
This commit is contained in:
Jan Friesse 2024-04-30 17:24:28 +02:00 committed by root
parent 37a2044665
commit 924d561d10
4 changed files with 112 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.booth.metadata Normal file
View File

@ -0,0 +1 @@
7d9cbffc7e0392a7857af08d6f466d9d97631f72 booth-1.1.tar.gz

37
RHEL-32613-1-attr-Fix-reading-of-server_reply.patch Normal file
View File

@ -0,0 +1,37 @@
From 4bdd96d767fc38239c4fac9e95404da99f61ac65 Mon Sep 17 00:00:00 2001
From: Jan Friesse <jfriesse@redhat.com>
Date: Wed, 21 Feb 2024 17:40:11 +0100
Subject: [PATCH 1/4] attr: Fix reading of server_reply
read_server_reply first reads boothc header and then rest of packet
which contains hmac info. This should go in memory right after
boothc_header and not after full length of packet, because full length
of packet already contains hmac info.
Solution is to simply use length of header and not length of packet.
Longer term and better solution would be to drop read_server_reply
completely and use recv_auth which is used for everything else but attr
set and delete.
Signed-off-by: Jan Friesse <jfriesse@redhat.com>
---
src/attr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/attr.c b/src/attr.c
index 44061e3..bc154f0 100644
--- a/src/attr.c
+++ b/src/attr.c
@@ -142,7 +142,7 @@ static int read_server_reply(
return -2;
}
len = ntohl(header->length);
- rv = tpt->recv(site, msg+len, len-sizeof(*header));
+ rv = tpt->recv(site, msg+sizeof(*header), len-sizeof(*header));
if (rv < 0) {
return -1;
}
--
2.44.0

65
RHEL-32613-2-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch Normal file
View File

@ -0,0 +1,65 @@
From 91fcfb5708f829ecff7d098ed4c0fc8f2da6d599 Mon Sep 17 00:00:00 2001
From: Jan Friesse <jfriesse@redhat.com>
Date: Wed, 21 Feb 2024 18:12:28 +0100
Subject: [PATCH 2/4] auth: Check result of gcrypt gcry_md_get_algo_dlen
When unknown hash is passed to gcry_md_get_algo_dlen 0 is returned. This
value is then used for memcmp so wrong hmac might be accepted as
correct.
Signed-off-by: Jan Friesse <jfriesse@redhat.com>
---
src/auth.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/auth.c b/src/auth.c
index 8f86b9a..a3b3d20 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -28,6 +28,11 @@ int calc_hmac(const void *data, size_t datalen,
{
static gcry_md_hd_t digest;
gcry_error_t err;
+ int hlen;
+
+ hlen = gcry_md_get_algo_dlen(hid);
+ if (!hlen)
+ return -1;
if (!digest) {
err = gcry_md_open(&digest, hid, GCRY_MD_FLAG_HMAC);
@@ -42,7 +47,7 @@ int calc_hmac(const void *data, size_t datalen,
}
}
gcry_md_write(digest, data, datalen);
- memcpy(result, gcry_md_read(digest, 0), gcry_md_get_algo_dlen(hid));
+ memcpy(result, gcry_md_read(digest, 0), hlen);
gcry_md_reset(digest);
return 0;
}
@@ -54,15 +59,20 @@ int verify_hmac(const void *data, size_t datalen,
{
unsigned char *our_hmac;
int rc;
+ int hlen;
+
+ hlen = gcry_md_get_algo_dlen(hid);
+ if (!hlen)
+ return -1;
- our_hmac = malloc(gcry_md_get_algo_dlen(hid));
+ our_hmac = malloc(hlen);
if (!our_hmac)
return -1;
rc = calc_hmac(data, datalen, hid, our_hmac, key, keylen);
if (rc)
goto out_free;
- rc = memcmp(our_hmac, hmac, gcry_md_get_algo_dlen(hid));
+ rc = memcmp(our_hmac, hmac, hlen);
out_free:
if (our_hmac)
--
2.44.0

10
booth.spec
View File

@ -41,12 +41,14 @@
Name: booth Name: booth
Version: 1.1 Version: 1.1
Release: 1%{?dist} Release: 2%{?dist}
Summary: Ticket Manager for Multi-site Clusters Summary: Ticket Manager for Multi-site Clusters
License: GPLv2+ License: GPLv2+
Url: https://github.com/%{github_owner}/%{name} Url: https://github.com/%{github_owner}/%{name}
Source0: https://github.com/%{github_owner}/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/%{github_owner}/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz
Patch0: rhel-specific-0001-config-Add-enable-authfile-option.patch Patch0: rhel-specific-0001-config-Add-enable-authfile-option.patch
Patch1: RHEL-32613-1-attr-Fix-reading-of-server_reply.patch
Patch2: RHEL-32613-2-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch
# direct build process dependencies # direct build process dependencies
BuildRequires: autoconf BuildRequires: autoconf
@ -295,6 +297,12 @@ VERBOSE=1 make check
%{_usr}/lib/ocf/resource.d/booth/sharedrsc %{_usr}/lib/ocf/resource.d/booth/sharedrsc
%changelog %changelog
* Tue Apr 30 2024 Jan Friesse <jfriesse@redhat.com> - 1.1-2
- Resolves: RHEL-32613
- attr: Fix reading of server_reply
- auth: Check result of gcrypt gcry_md_get_algo_dlen (fixes CVE-2024-3049)
* Thu Nov 23 2023 Jan Friesse <jfriesse@redhat.com> - 1.1-1 * Thu Nov 23 2023 Jan Friesse <jfriesse@redhat.com> - 1.1-1
- Resolves: RHEL-15268 - Resolves: RHEL-15268
- Resolves: RHEL-7029 - Resolves: RHEL-7029