Debian Patches

Status for libjwt/1.10.2-1+deb11u1

Patch Description Author Forwarded Bugs Origin Last update
use-b64.patch use the packaged libb64 in order to avoid license problems with the base64.* files from Apple
===================================================================
Thorsten Alteholz <debian@alteholz.de> no
CVE-2024-25189-1.patch commit f73bac57c5bece16ac24f1a70022aa34355fc1bf

Implement a safer strcmp() function

As noted, the strcmp() function can be used for time-based side attacks.

I tried to test this and could not find a reasonable way to implement
this attack for several reasons:

1) strcmp() is optimized to compare 4 and 8 bytes at a time when possible
on almost every modern system, making the attack almost impossible.
2) Running 128 million iterations of strcmp() for a single byte attack
gave sub-nanosecond average differences (locally on same execution stack)
and almost as often as the comparison was correct, it was also wrong in
the reverse sense (i.e. two byte strcmp() took less time than single
byte).
3) Adding noise from network, application stack, web server, etc. would
only add to the failure rate of guessing the differences above.

Erwan noted that there are proofs out there showing that signal noise
reduction can make this guessing more "accurate", but this proof also
noted it would take up to 4 billion guesses to completely cover this
attack surface. The claim was that 50k attempts per second would break
a 256-bit hmac in 22 hours. While this isn't impossible, it's very
implausible.

However, for the sake of cryptographic correctness, I implemented
jwt_strcmp() which always compares all bytes, and does so up to the
longest string in the 2-string set, without passing string boundaries.

This makes it time-consistent for len(max(a,b)) comparisons. I proved
this using a 128 million iteration average for various scenarios.

Reported-by: Erwan Legrand <moi@erwanlegrand.com>
Signed-off-by: Ben Collins <bcollins@maclara-llc.com>

===================================================================
Ben Collins <bcollins@maclara-llc.com> no 2024-02-09
CVE-2024-25189-2.patch commit a5d61ef4f1b383876e0a78534383f38159471fd6

Rework jwt_strcmp() to use less branching

Signed-off-by: Ben Collins <bcollins@maclara-llc.com>

===================================================================
Ben Collins <bcollins@maclara-llc.com> no 2024-02-09
zzz-gnutls-soname.patch rename soname to libjwt-gnutls
===================================================================
Nicolas Mora no
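
The comparison described in the CVE-2024-25189 commit messages above, sketched as an added example (this is not libjwt's jwt_strcmp() and not code from the patches). The names early_exit_steps and ct_str_differs are hypothetical, and the step counters exist only to make the difference in work visible without timing measurements.

```c
#include <stddef.h>
#include <string.h>

/* Early-exit comparison (what strcmp() does logically). Returns the number
 * of byte positions examined, which depends on the length of the matching
 * prefix: that data-dependent amount of work is the timing signal. */
size_t early_exit_steps(const char *a, const char *b)
{
    size_t i = 0;
    while (a[i] != '\0' && a[i] == b[i])
        i++;
    return i + 1;
}

/* Hypothetical constant-time comparison (not libjwt's jwt_strcmp()).
 * Returns 0 when the strings are equal, 1 otherwise. If steps is non-NULL
 * it receives the number of positions examined: always max(len_a, len_b). */
int ct_str_differs(const char *a, const char *b, size_t *steps)
{
    size_t len_a = strlen(a), len_b = strlen(b); /* lengths are not hidden */
    size_t max = len_a > len_b ? len_a : len_b;
    unsigned char diff = 0;
    size_t i;

    for (i = 0; i < max; i++) {
        /* All-ones mask while i is inside the string, zero once past it. */
        size_t in_a = (size_t)0 - (size_t)(i < len_a);
        size_t in_b = (size_t)0 - (size_t)(i < len_b);
        /* Past the end, read the NUL terminator at index len instead of
         * running off the buffer; a length mismatch then sets diff. */
        size_t ia = (i & in_a) | (len_a & ~in_a);
        size_t ib = (i & in_b) | (len_b & ~in_b);
        diff |= (unsigned char)a[ia] ^ (unsigned char)b[ib];
    }
    if (steps)
        *steps = i;
    /* Collapse the accumulated difference to 0 or 1 without branching. */
    return (int)((diff | (unsigned char)(0u - diff)) >> 7);
}
```

An optimizing compiler can reintroduce data-dependent branches, so the generated code for the target build should be inspected rather than assumed.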
