32274 – cjose new security issue CVE-2023-37464

Bug 32274 - cjose new security issue CVE-2023-37464

Summary: cjose new security issue CVE-2023-37464

Status:	ASSIGNED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	9
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA8TOO
Keywords:

Depends on:
Blocks:

Reported:	2023-09-11 16:10 CEST by Nicolas Salguero
Modified:	2023-09-18 17:48 CEST (History)
CC List:	2 users (show)

See Also:
Source RPM:	cjose-0.6.1-3.mga9.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2023-09-11 16:10:13 CEST

Fedora has issued an advisory today (September 11):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFWAPMYYVBO2U65HPYDTBEKNSXG4TP5C/

Mageia 8 and 9 are also affected.

Nicolas Salguero 2023-09-11 16:10:31 CEST

Source RPM: (none) => cjose-0.6.1-3.mga9.src.rpm
CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA9TOO, MGA8TOO

Comment 1 Lewis Smith 2023-09-12 21:05:21 CEST

Version : 0.6.2.2 ... Security fix for CVE-2023-37464

No maintainer in view for this pkg, so assigning the update globally.

Status comment: (none) => Fixed in 0.6.2.2
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2023-09-14 14:00:21 CEST

Suggested advisory:
========================

The updated packages fix a security vulnerability:

The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly. (CVE-2023-37464)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37464
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFWAPMYYVBO2U65HPYDTBEKNSXG4TP5C/
========================

Updated packages in 9/core/updates_testing:
========================
lib(64)cjose0-0.6.1-3.1.mga9
lib(64)cjose-devel-0.6.1-3.1.mga9

from SRPM:
cjose-0.6.1-3.1.mga9.src.rpm

Updated packages in 8/core/updates_testing:
========================
lib(64)cjose0-0.6.1-1.1.mga8
lib(64)cjose-devel-0.6.1-1.1.mga8

from SRPM:
cjose-0.6.1-1.1.mga8.src.rpm

Status: NEW => ASSIGNED
Assignee: pkg-bugs => nicolas.salguero
Status comment: Fixed in 0.6.2.2 => (none)

Nicolas Salguero 2023-09-18 09:21:20 CEST

Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO
Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 9

Comment 3 Herman Viaene 2023-09-18 17:48:47 CEST

MGA8-64 Xfce on Acer Aspire 5253
No installation issues
No wiki, no previous updates, so
# urpmq --whatrequires lib64cjose0
apache-mod_auth_openidc
apache-mod_auth_openidc
apache-mod_auth_openidc
lib64cjose-devel
lib64cjose-devel
lib64cjose0
and
# urpmq --whatrequires-recursive lib64cjose0
apache-mod_auth_openidc
apache-mod_auth_openidc
apache-mod_auth_openidc
lib64cjose-devel
lib64cjose-devel
lib64cjose0
No idea how to get any further here and googling does not bring me any further than the repos.

CC: (none) => herman.viaene

Note You need to log in before you can comment on or make changes to this bug.