Package: node-node-forge | Debian Sources

Package: node-node-forge / 0.10.0~dfsg-3+deb11u1

Metadata

Package	Version	Patches format
node-node-forge	0.10.0~dfsg-3+deb11u1	3.0 (quilt)

Patch series

view the series file

Patch	File delta	Description
2001_webpack_shared_path.patch \| (download)	webpack-tests.config.js \| 3 3 + 0 - 0 ! 1 file changed, 3 insertions(+)	have webpack use system shared modules
2002_avoid_privacy_breach.patch \| (download)	README.md \| 4 0 + 4 - 0 ! 1 file changed, 4 deletions(-)	avoid privacy breaches reading the documentation
CVE 2022 24773.patch \| (download)	lib/asn1.js \| 32 29 + 3 - 0 ! lib/oids.js \| 4 4 + 0 - 0 ! lib/rsa.js \| 84 81 + 3 - 0 ! tests/unit/rsa.js \| 369 369 + 0 - 0 ! 4 files changed, 483 insertions(+), 6 deletions(-)	fix signature verification issues (cve-2022-24771, cve-2022-24772, cve-2022-24773) SECURITY: Three RSA PKCS#1 v1.5 signature verification issues were reported by Moosa Yahyazadeh (moosa-yahyazadeh@uiowa.edu): . - Leniency in checking `digestAlgorithm` structure can lead to signature forgery. - The code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. - Failing to check tailing garbage bytes can lead to signature forgery. - The code does not check for tailing garbage bytes after decoding a `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. - Leniency in checking type octet. - `DigestInfo` is not properly checked for proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. . For more information, please see "Bleichenbacher's RSA signature forgery based on implementation error" by Hal Finney: https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/ . Fixed with the following: . - [asn1] `fromDer` is now more strict and will default to ensuring all input bytes are parsed or throw an error. A new option `parseAllBytes` can disable this behavior. - NOTE: The previous behavior is being changed since it can lead to security issues with crafted inputs. It is possible that code doing custom DER parsing may need to adapt to this new behavior and optional flag. - [rsa] Add and use a validator to check for proper structure of parsed ASN.1 `RSASSA-PKCS-v1_5` `DigestInfo` data. Additionally check that the hash algorithm identifier is a known value. An invalid `DigestInfo` or algorithm identifier will now cause an error to be thrown. - [oid] Added `1.2.840.113549.2.2` / `md2` for hash algorithm checking. - [tests] Tests were added for all of the reported issues. A private verify option was added to assist in checking multiple possible failures in the test data.

Patch

File delta

Description

2001_webpack_shared_path.patch | (download)

webpack-tests.config.js | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 have webpack use system shared modules

2002_avoid_privacy_breach.patch | (download)

README.md | 4 0 + 4 - 0 !
1 file changed, 4 deletions(-)

 avoid privacy breaches reading the documentation

CVE 2022 24773.patch | (download)

lib/asn1.js | 32 29 + 3 - 0 !
lib/oids.js | 4 4 + 0 - 0 !
lib/rsa.js | 84 81 + 3 - 0 !
tests/unit/rsa.js | 369 369 + 0 - 0 !
4 files changed, 483 insertions(+), 6 deletions(-)

 fix signature verification issues (cve-2022-24771, cve-2022-24772, cve-2022-24773)
 **SECURITY**: Three RSA PKCS#1 v1.5 signature verification issues were
 reported by Moosa Yahyazadeh (moosa-yahyazadeh@uiowa.edu):
 .
 - Leniency in checking `digestAlgorithm` structure can lead to signature
   forgery.
   - The code is lenient in checking the digest algorithm structure. This can
     allow a crafted structure that steals padding bytes and uses unchecked
     portion of the PKCS#1 encoded message to forge a signature when a low
     public exponent is being used.
 - Failing to check tailing garbage bytes can lead to signature forgery.
   - The code does not check for tailing garbage bytes after decoding a
     `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed
     and garbage data added to forge a signature when a low public exponent is
     being used.
 - Leniency in checking type octet.
   - `DigestInfo` is not properly checked for proper ASN.1 structure. This can
     lead to successful verification with signatures that contain invalid
     structures but a valid digest.
 .
 For more information, please see "Bleichenbacher's RSA signature forgery based
 on implementation error" by Hal Finney:
 https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/
 .
 Fixed with the following:
 .
 - [asn1] `fromDer` is now more strict and will default to ensuring all
   input bytes are parsed or throw an error. A new option `parseAllBytes`
   can disable this behavior.
   - **NOTE**: The previous behavior is being changed since it can lead
     to security issues with crafted inputs. It is possible that code
     doing custom DER parsing may need to adapt to this new behavior and
     optional flag.
 - [rsa] Add and use a validator to check for proper structure of parsed
   ASN.1 `RSASSA-PKCS-v1_5` `DigestInfo` data. Additionally check that
   the hash algorithm identifier is a known value. An invalid
   `DigestInfo` or algorithm identifier will now cause an error to be
   thrown.
 - [oid] Added `1.2.840.113549.2.2` / `md2` for hash algorithm checking.
 - [tests] Tests were added for all of the reported issues. A private
   verify option was added to assist in checking multiple possible
   failures in the test data.