Bug 32274 - cjose new security issue CVE-2023-37464
Summary: cjose new security issue CVE-2023-37464
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO
Keywords:
Depends on:
Blocks:
 
Reported: 2023-09-11 16:10 CEST by Nicolas Salguero
Modified: 2023-09-18 17:48 CEST

See Also:
Source RPM: cjose-0.6.1-3.mga9.src.rpm
CVE:
Status comment:


Attachments

Description Nicolas Salguero 2023-09-11 16:10:13 CEST
Fedora has issued an advisory today (September 11):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFWAPMYYVBO2U65HPYDTBEKNSXG4TP5C/

Mageia 8 and 9 are also affected.
Nicolas Salguero 2023-09-11 16:10:31 CEST

Source RPM: (none) => cjose-0.6.1-3.mga9.src.rpm
CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA9TOO, MGA8TOO

Comment 1 Lewis Smith 2023-09-12 21:05:21 CEST
Version : 0.6.2.2 ... Security fix for CVE-2023-37464

No maintainer in view for this pkg, so assigning the update globally.

Status comment: (none) => Fixed in 0.6.2.2
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2023-09-14 14:00:21 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly. (CVE-2023-37464)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37464
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFWAPMYYVBO2U65HPYDTBEKNSXG4TP5C/
========================

Updated packages in 9/core/updates_testing:
========================
lib(64)cjose0-0.6.1-3.1.mga9
lib(64)cjose-devel-0.6.1-3.1.mga9

from SRPM:
cjose-0.6.1-3.1.mga9.src.rpm

Updated packages in 8/core/updates_testing:
========================
lib(64)cjose0-0.6.1-1.1.mga8
lib(64)cjose-devel-0.6.1-1.1.mga8

from SRPM:
cjose-0.6.1-1.1.mga8.src.rpm

Status: NEW => ASSIGNED
Assignee: pkg-bugs => nicolas.salguero
Status comment: Fixed in 0.6.2.2 => (none)
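
The following is an illustration of the defect the advisory above describes, added by the editor; it is not code from this bug, from cjose, or from the Fedora advisory. It uses Go's standard-library AES-GCM rather than the OpenSSL EVP interface cjose is built on, so it shows the shape of the bug, not the cjose code path. The flawed decryptor passes len(tag), i.e. whatever length the sender put in the JWE tag field, to the GCM primitive; the hardened one rejects anything but the 16 octets RFC 7518 fixes before any cryptography runs. Key, nonce, AAD and plaintext are constructed sample values. Go's cipher.NewGCMWithTagSize refuses tag sizes below 12 bytes, so the truncation shown here is to 12 bytes; a library that hands the length straight to OpenSSL has no such floor, which is what makes the original defect serious.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// gcmTagLen is the Authentication Tag length RFC 7518 fixes for the
// A128GCM / A192GCM / A256GCM content encryption algorithms: 16 octets.
const gcmTagLen = 16

// Constructed sample material for the demonstration (not real keys or tokens).
var (
	sampleKey       = []byte("0123456789abcdef")                       // 16 bytes -> AES-128
	sampleNonce     = []byte("jwe-iv-12byt")                           // 96-bit GCM IV
	sampleAAD       = []byte("eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4R0NNIn0") // stands in for the JWE protected header
	samplePlaintext = []byte(`{"sub":"alice","admin":false}`)
)

// encrypt plays the JWE producer: AES-GCM with the full 16-byte tag, returned
// separately the way a JWE carries ciphertext and tag in two fields.
func encrypt(key, nonce, aad, pt []byte) (ct, tag []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	sealed := gcm.Seal(nil, nonce, pt, aad)
	return sealed[:len(sealed)-gcmTagLen], sealed[len(sealed)-gcmTagLen:], nil
}

// decryptTrustingTagLength reproduces the flawed pattern: the tag length given
// to the GCM primitive is simply len(tag), so a shortened tag verifies as long
// as its bytes match the leading bytes of the real tag. Go bounds this toy at
// 12 bytes; with no floor, a 1-byte tag is forged in roughly 2^8 attempts.
func decryptTrustingTagLength(key, nonce, aad, ct, tag []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCMWithTagSize(block, len(tag)) // sender-controlled length
	if err != nil {
		return nil, err
	}
	sealed := append(append([]byte{}, ct...), tag...)
	return gcm.Open(nil, nonce, sealed, aad)
}

// decryptFixedTagLength is the hardened form: the tag length is a constant
// from the spec, checked before the primitive is even constructed.
func decryptFixedTagLength(key, nonce, aad, ct, tag []byte) ([]byte, error) {
	if len(tag) != gcmTagLen {
		return nil, errors.New("jwe: authentication tag must be exactly 16 octets")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // tag size fixed at 16
	if err != nil {
		return nil, err
	}
	sealed := append(append([]byte{}, ct...), tag...)
	return gcm.Open(nil, nonce, sealed, aad)
}

func main() {
	ct, tag, err := encrypt(sampleKey, sampleNonce, sampleAAD, samplePlaintext)
	if err != nil {
		panic(err)
	}
	truncated := tag[:12] // what an attacker sends after shortening the JWE tag field

	for _, tc := range []struct {
		name string
		fn   func(key, nonce, aad, ct, tag []byte) ([]byte, error)
	}{
		{"trusting len(tag)", decryptTrustingTagLength},
		{"fixed 16-octet tag", decryptFixedTagLength},
	} {
		pt, err := tc.fn(sampleKey, sampleNonce, sampleAAD, ct, truncated)
		accepted := err == nil && bytes.Equal(pt, samplePlaintext)
		fmt.Printf("%-20s truncated 12-byte tag accepted: %v\n", tc.name, accepted)
	}
}
```

The check that matters is the length comparison at the top of decryptFixedTagLength: once the tag length is fixed by the implementation instead of read from the message, a truncated tag is an error rather than a weaker MAC.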

Nicolas Salguero 2023-09-18 09:21:20 CEST

Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO
Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 9

Comment 3 Herman Viaene 2023-09-18 17:48:47 CEST
MGA8-64 Xfce on Acer Aspire 5253
No installation issues
No wiki, no previous updates, so
# urpmq --whatrequires lib64cjose0
apache-mod_auth_openidc
apache-mod_auth_openidc
apache-mod_auth_openidc
lib64cjose-devel
lib64cjose-devel
lib64cjose0
and
# urpmq --whatrequires-recursive lib64cjose0
apache-mod_auth_openidc
apache-mod_auth_openidc
apache-mod_auth_openidc
lib64cjose-devel
lib64cjose-devel
lib64cjose0
No idea how to get any further here and googling does not bring me any further than the repos.

CC: (none) => herman.viaene

