Bug 2072469
| Field | Value |
|---|---|
| Summary: | Random memory overwrite |
| Product: | Red Hat Enterprise Linux 8 |
| Reporter: | nickgearls |
| Component: | cjose |
| Assignee: | Tomas Halman <thalman> |
| Status: | VERIFIED --- |
| QA Contact: | Scott Poore <spoore> |
| Severity: | high |
| Docs Contact: | |
| Priority: | low |
| Version: | CentOS Stream |
| CC: | aboscatt, bstinson, hans.zandbelt, jwboyer, thalman |
| Target Milestone: | rc |
| Keywords: | Triaged |
| Target Release: | --- |
| Hardware: | All |
| OS: | All |
| Whiteboard: | sync-to-jira |
| Fixed In Version: | |
| Doc Type: | If docs needed, set a value |
| Doc Text: | |
| Story Points: | --- |
| Clone Of: | |
| : | 2180445 |
| Environment: | |
| Last Closed: | |
| Type: | Bug |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| CRM: | |
| Verified Versions: | |
| Category: | --- |
| oVirt Team: | --- |
| RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- |
| Target Upstream Version: | |
| Embargoed: | |
| Bug Depends On: | |
| Bug Blocks: | 2180445 |
I'd also like to ask you to switch to the maintenance fork at https://github.com/zmartzone/cjose, as suggested before in https://github.com/cisco/cjose/issues/121; the parent project's last commit was 3.5 years ago, and issues no longer get addressed. For the record, Debian has made that switch: https://salsa.debian.org/debian/cjose

Sure Hans, I count on that.

I switched to the maintenance fork, thanks for maintaining it.

Verified. Sanity only.
Version ::

```
cjose-0.6.1-3.module+el8.9.0+18395+74bc73c4.x86_64
mod_auth_openidc-2.4.9.4-5.module+el8.9.0+18723+672ccf5d.x86_64

Name             : mod_auth_openidc
Stream           : 2.3 [d][e][a]
Version          : 8090020230425101425
Context          : b46abd14
Architecture     : x86_64
Profiles         : default [d] [i]
Default profiles : default
Repo             : rhel-AppStream
Summary          : Apache module suporting OpenID Connect authentication
Description      : This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
Requires         : platform:[el8]
Artifacts        : cjose-0:0.6.1-3.module+el8.9.0+18395+74bc73c4.src
                 : cjose-0:0.6.1-3.module+el8.9.0+18395+74bc73c4.x86_64
                 : cjose-debuginfo-0:0.6.1-3.module+el8.9.0+18395+74bc73c4.x86_64
                 : cjose-debugsource-0:0.6.1-3.module+el8.9.0+18395+74bc73c4.x86_64
                 : cjose-devel-0:0.6.1-3.module+el8.9.0+18395+74bc73c4.x86_64
                 : mod_auth_openidc-0:2.4.9.4-5.module+el8.9.0+18723+672ccf5d.src
                 : mod_auth_openidc-0:2.4.9.4-5.module+el8.9.0+18723+672ccf5d.x86_64
                 : mod_auth_openidc-debuginfo-0:2.4.9.4-5.module+el8.9.0+18723+672ccf5d.x86_64
                 : mod_auth_openidc-debugsource-0:2.4.9.4-5.module+el8.9.0+18723+672ccf5d.x86_64
```

Results ::

gating tests:

```
test_oidc.py .... [100%]
-------------------- generated xml file: /root/federation_testing/result_oidc.xml ---------------------
====================================== 4 passed in 1.55 seconds =======================================
```
FYI: there's another vulnerability that is fixed only in the maintenance fork, https://github.com/OpenIDC/cjose/security/advisories/GHSA-3rhg-3gf2-6xgj, which makes this update more urgent.
In jwe.c, on line 1952:

```c
cek = cjose_get_alloc()(cek_len);
memcpy(cek, jwe->cek, cek_len);
```

the allocation result is not checked. We should add (before memcpy):

```c
if (!cek)
{
    CJOSE_ERROR(err, CJOSE_ERR_NO_MEMORY);
    return NULL;
}
```

Bug registered at https://github.com/cisco/cjose/issues/110.

Cisco does not maintain this repo anymore; do you plan to maintain the package in Red Hat? For info, there's a fork trying to keep this software up to date (and it includes this patch): https://github.com/zmartzone/cjose/tree/version-0.6.2.x
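As an added illustration (not cjose's own code), the following C model of the CEK copy from jwe.c routes allocation through a swappable hook in the spirit of cjose_get_alloc(), so the proposed NULL check can be exercised under an injected allocation failure instead of crashing; every name ending in _demo and the error codes are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>

typedef void *(*alloc_fn_demo)(size_t);

/* Allocation hook, modelled on cjose's replaceable allocator (cjose_get_alloc()). */
static alloc_fn_demo g_alloc_demo = malloc;

/* Fault-injecting allocator for the test: returns NULL while the flag is set. */
static int g_oom_demo = 0;
static void *oom_alloc_demo(size_t n) { return g_oom_demo ? NULL : malloc(n); }

#define ERR_NONE_DEMO      0
#define ERR_NO_MEMORY_DEMO 1

/* The fix proposed in the report: check the allocation before touching the
 * buffer and report out-of-memory through err instead of handing NULL to memcpy. */
static unsigned char *cek_dup_checked(const unsigned char *cek, size_t cek_len, int *err)
{
    unsigned char *copy = g_alloc_demo(cek_len);
    if (!copy) {
        *err = ERR_NO_MEMORY_DEMO;
        return NULL;
    }
    memcpy(copy, cek, cek_len);
    *err = ERR_NONE_DEMO;
    return copy;
}

/* Drive cek_dup_checked with the allocator failing, then succeeding. Returns 1
 * when the failure is reported cleanly and the later copy matches the input. */
static int check_handles_oom_demo(void)
{
    static const unsigned char cek[32] = { 0x01, 0x02, 0x03 }; /* constructed sample key */
    int err = ERR_NONE_DEMO, ok;
    unsigned char *copy;

    g_alloc_demo = oom_alloc_demo;
    g_oom_demo = 1;                       /* simulate memory pressure */
    copy = cek_dup_checked(cek, sizeof cek, &err);
    ok = (copy == NULL && err == ERR_NO_MEMORY_DEMO);

    g_oom_demo = 0;                       /* allocations succeed again */
    copy = cek_dup_checked(cek, sizeof cek, &err);
    ok = ok && copy != NULL && err == ERR_NONE_DEMO && memcmp(copy, cek, sizeof cek) == 0;
    free(copy);
    g_alloc_demo = malloc;
    return ok;
}
```

The same hook technique works against the real library by installing a failing allocator through its allocator-override API and checking that decryption returns an error rather than faulting.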