In jwe.c, on line 1952:

    cek = cjose_get_alloc()(cek_len);
    memcpy(cek, jwe->cek, cek_len);

the allocation result is not checked. We should add (before memcpy):

    if (!cek) {
        CJOSE_ERROR(err, CJOSE_ERR_NO_MEMORY);
        return NULL;
    }

Bug registered at https://github.com/cisco/cjose/issues/110. Cisco does not maintain this repo anymore; do you plan to maintain the package in Red Hat? For info, there's a fork trying to keep this software up-to-date (and it includes this patch): https://github.com/zmartzone/cjose/tree/version-0.6.2.x
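The defect in the comment above, reproduced as a stand-alone example (added here; this is not cjose's code and not the reporter's patch). cjose lets callers install a custom allocator, and a pluggable allocator is exactly the situation where a NULL return has to be handled, so the example uses hypothetical stand-ins (`example_set_alloc`, `example_get_alloc`, `failing_alloc`, `struct example_jwe`, `enum example_err`) in place of `cjose_set_alloc`, `cjose_get_alloc`, `CJOSE_ERROR` and `CJOSE_ERR_NO_MEMORY`. It puts the unchecked copy next to the checked form and drives the checked form with an allocator forced to fail, which is the case the added `if (!cek)` exists for. The 32-byte CEK is constructed test data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for cjose's pluggable allocator and error codes. */
typedef void *(*alloc_fn)(size_t);

static alloc_fn g_alloc = malloc;                 /* default allocator */

static void example_set_alloc(alloc_fn fn) { g_alloc = fn ? fn : malloc; }
static alloc_fn example_get_alloc(void)   { return g_alloc; }

enum example_err { EXAMPLE_OK = 0, EXAMPLE_ERR_NO_MEMORY = 1 };

/* Allocator that always fails, to simulate memory exhaustion. */
static void *failing_alloc(size_t n) { (void)n; return NULL; }

/* Only the JWE fields the reported snippet touches. */
struct example_jwe {
    uint8_t *cek;
    size_t   cek_len;
};

/* Pattern from the report: copy the CEK without checking the allocation.
 * If the allocator returns NULL, memcpy writes through NULL and the process
 * crashes. Safe only while the default allocator is installed. */
static uint8_t *copy_cek_unchecked(const struct example_jwe *jwe)
{
    uint8_t *cek = example_get_alloc()(jwe->cek_len);
    memcpy(cek, jwe->cek, jwe->cek_len);          /* BUG: cek may be NULL */
    return cek;
}

/* Hardened form: check before memcpy, report out-of-memory, return NULL. */
static uint8_t *copy_cek_checked(const struct example_jwe *jwe,
                                 enum example_err *err)
{
    uint8_t *cek = example_get_alloc()(jwe->cek_len);
    if (!cek) {
        *err = EXAMPLE_ERR_NO_MEMORY;
        return NULL;
    }
    memcpy(cek, jwe->cek, jwe->cek_len);
    *err = EXAMPLE_OK;
    return cek;
}

/* Run the checked copy under a failing allocator. Returns 1 when the
 * failure is reported cleanly: NULL result and NO_MEMORY error, no crash. */
static int demo_oom_is_reported(void)
{
    uint8_t key[32] = {0};                        /* constructed 256-bit CEK */
    struct example_jwe jwe = { key, sizeof key };
    enum example_err err = EXAMPLE_OK;

    example_set_alloc(failing_alloc);
    uint8_t *cek = copy_cek_checked(&jwe, &err);
    example_set_alloc(NULL);                      /* restore malloc */

    return cek == NULL && err == EXAMPLE_ERR_NO_MEMORY;
}

/* Run both copies under the default allocator. Returns 1 when each yields
 * a separate buffer that matches the source key byte for byte. */
static int demo_copy_succeeds(void)
{
    uint8_t key[32];
    for (size_t i = 0; i < sizeof key; i++) key[i] = (uint8_t)i;
    struct example_jwe jwe = { key, sizeof key };
    enum example_err err = EXAMPLE_ERR_NO_MEMORY;

    uint8_t *a = copy_cek_checked(&jwe, &err);
    uint8_t *b = copy_cek_unchecked(&jwe);        /* malloc does not fail here */
    int ok = a && b && a != key && b != key && err == EXAMPLE_OK &&
             memcmp(a, key, sizeof key) == 0 && memcmp(b, key, sizeof key) == 0;
    free(a);
    free(b);
    return ok;
}

int main(void)
{
    return (demo_oom_is_reported() && demo_copy_succeeds()) ? 0 : 1;
}
```

Swapping in `failing_alloc` is the cheap way to exercise the error path without waiting for real memory pressure; the same trick (a fault-injecting allocator installed through the library's own hook) is how to check that every other `cjose_get_alloc()` call site handles NULL.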
I'd also like to ask you to switch to the maintenance fork at https://github.com/zmartzone/cjose, as suggested before in https://github.com/cisco/cjose/issues/121 ; the parent project's last commit was 3.5 years ago, and issues no longer get addressed; for the record, Debian has made that switch https://salsa.debian.org/debian/cjose
Sure Hans, I count on that.
I switched to the maintenance fork, thanks for maintaining it
Verified. Sanity only.

Version ::
cjose-0.6.1-3.module+el8.9.0+18395+74bc73c4.x86_64
mod_auth_openidc-2.4.9.4-5.module+el8.9.0+18723+672ccf5d.x86_64

Name             : mod_auth_openidc
Stream           : 2.3 [d][e][a]
Version          : 8090020230425101425
Context          : b46abd14
Architecture     : x86_64
Profiles         : default [d] [i]
Default profiles : default
Repo             : rhel-AppStream
Summary          : Apache module supporting OpenID Connect authentication
Description      : This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
Requires         : platform:[el8]
Artifacts        : cjose-0:0.6.1-3.module+el8.9.0+18395+74bc73c4.src
                 : cjose-0:0.6.1-3.module+el8.9.0+18395+74bc73c4.x86_64
                 : cjose-debuginfo-0:0.6.1-3.module+el8.9.0+18395+74bc73c4.x86_64
                 : cjose-debugsource-0:0.6.1-3.module+el8.9.0+18395+74bc73c4.x86_64
                 : cjose-devel-0:0.6.1-3.module+el8.9.0+18395+74bc73c4.x86_64
                 : mod_auth_openidc-0:2.4.9.4-5.module+el8.9.0+18723+672ccf5d.src
                 : mod_auth_openidc-0:2.4.9.4-5.module+el8.9.0+18723+672ccf5d.x86_64
                 : mod_auth_openidc-debuginfo-0:2.4.9.4-5.module+el8.9.0+18723+672ccf5d.x86_64
                 : mod_auth_openidc-debugsource-0:2.4.9.4-5.module+el8.9.0+18723+672ccf5d.x86_64

Results ::
gating tests:
test_oidc.py .... [100%]
-------------------- generated xml file: /root/federation_testing/result_oidc.xml ---------------------
====================================== 4 passed in 1.55 seconds =======================================
FYI: there's another vulnerability that is fixed only in the maintenance fork https://github.com/OpenIDC/cjose/security/advisories/GHSA-3rhg-3gf2-6xgj which makes this update more urgent.