!15 Fix CVE-2023-6681

From: @starlet-dx Reviewed-by: @cherry530 Signed-off-by: @cherry530
2023-12-29 01:46:28 +00:00 · 2023-12-29 01:46:28 +00:00 · 8fc7b7eeea
commit 8fc7b7eeea
parent cd92990b25 a6539b5698
2 changed files with 73 additions and 1 deletions
--- a/CVE-2023-6681.patch
+++ b/CVE-2023-6681.patch
@ -0,0 +1,67 @@
 From d2655d370586cb830e49acfb450f87598da60be8 Mon Sep 17 00:00:00 2001
 From: Simo Sorce <simo@redhat.com>
 Date: Thu, 7 Dec 2023 12:49:07 -0500
 Subject: [PATCH] Fix potential DoS issue with p2c header
 Unbounded p2c headers may be used to cause an application that accept
 PBES algorithms to spend alot of resources running PBKDF2 with a very
 high number of iterations.
 Clamp the default maximum to 16384 (double the default of 8192).
 An application that wants to use more iterations will have to chenge the
 jwa default max.
 Fixes CVE-2023-6681
 Signed-off-by: Simo Sorce <simo@redhat.com>
 ---
 jwcrypto/jwa.py   |  5 +++++
 jwcrypto/tests.py | 12 ++++++++++++
 2 files changed, 17 insertions(+)
 diff --git a/jwcrypto/jwa.py b/jwcrypto/jwa.py
 index de7a79f..ca4568e 100644
 --- a/jwcrypto/jwa.py
 +++ b/jwcrypto/jwa.py
@@ -28,6 +28,8 @@
 # Implements RFC 7518 - JSON Web Algorithms (JWA)
 +default_max_pbkdf2_iterations = 16384
 +
 class JWAAlgorithm(metaclass=ABCMeta):
@@ -588,6 +590,9 @@ def __init__(self):
         self.aeskwmap = {128: _A128KW, 192: _A192KW, 256: _A256KW}
     def _get_key(self, alg, key, p2s, p2c):
 +        if p2c > default_max_pbkdf2_iterations:
 +            raise ValueError('Invalid p2c value, too large')
 +
         if not isinstance(key, JWK):
             # backwards compatibility for old interface
             if isinstance(key, bytes):
 diff --git a/jwcrypto/tests.py b/jwcrypto/tests.py
 index 6069fab..bb2ff10 100644
 --- a/jwcrypto/tests.py
 +++ b/jwcrypto/tests.py
@@ -2099,6 +2099,18 @@ def test_pbes2_hs256_aeskw_custom_params(self):
         key = jwk.JWK.from_password('password')
         self.assertRaises(ValueError, enc.add_recipient, key)
 +        # Test p2c iteration checks
 +        maxiter = jwa.default_max_pbkdf2_iterations
 +        p2cenc = jwe.JWE(plaintext='plain',
 +                         protected={"alg": "PBES2-HS256+A128KW",
 +                                    "enc": "A256CBC-HS512",
 +                                    "p2c": maxiter + 1,
 +                                    "p2s": base64url_encode("A" * 16)})
 +        with self.assertRaisesRegex(ValueError, 'too large'):
 +            p2cenc.add_recipient(key)
 +        jwa.default_max_pbkdf2_iterations += 2
 +        p2cenc.add_recipient(key)
 +
 class JWATests(unittest.TestCase):
     def test_jwa_create(self):
--- a/python-jwcrypto.spec
+++ b/python-jwcrypto.spec
@ -1,10 +1,12 @@
 Name:           python-jwcrypto
 Version:        1.4.2
-Release:        1
+Release:        2
 Summary:        Implements JWK, JWS, JWE specifications with python-cryptography
 License:        LGPLv3+
 URL:            https://github.com/latchset/jwcrypto
 Source0:        https://github.com/latchset/jwcrypto/releases/download/v%{version}/jwcrypto-%{version}.tar.gz
 # https://github.com/latchset/jwcrypto/commit/d2655d370586cb830e49acfb450f87598da60be8
 Patch0:         CVE-2023-6681.patch
 BuildArch:      noarch
 BuildRequires:  python%{python3_pkgversion}-devel python%{python3_pkgversion}-setuptools
@ -42,6 +44,9 @@ Implements JWK, JWS, JWE specifications using python-cryptography
 %{python3_sitelib}/jwcrypto-%{version}-py%{python3_version}.egg-info
 %changelog
 * Fri Dec 29 2023 yaoxin <yao_xin001@hoperun.com> - 1.4.2-2
 - Fix CVE-2023-6681
 * Wed Dec 20 2023 yaoxin <yao_xin001@hoperun.com> - 1.4.2-1
 - Upgrade to 1.4.2 for fix CVE-2022-3102