| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| use-b64.patch | use the packaged libb64 in order to avoid license problems with the base64.* files from Apple | Thorsten Alteholz <debian@alteholz.de> | no | | | |
| CVE-2024-25189-1.patch | commit f73bac57c5bece16ac24f1a70022aa34355fc1bf: Implement a safer strcmp() function. As noted, the strcmp() function can be used for time-based side attacks. I tried to test this and could not find a reasonable way to implement this attack for several reasons: 1) strcmp() is optimized to compare 4 and 8 bytes at a time when possible on almost every modern system, making the attack almost impossible. 2) Running 128 million iterations of strcmp() for a single byte attack gave sub-nanosecond average differences (locally on same execution stack) and almost as often as the comparison was correct, it was also wrong in the reverse sense (i.e. two byte strcmp() took less time than single byte). 3) Adding noise from network, application stack, web server, etc. would only add to the failure rate of guessing the differences above. Erwan noted that there are proofs out there showing that signal noise reduction can make this guessing more "accurate", but this proof also noted it would take up to 4 billion guesses to completely cover this attack surface. The claim was that 50k attempts per second would break a 256-bit hmac in 22 hours. While this isn't impossible, it's very implausible. However, for the sake of cryptographic correctness, I implemented jwt_strcmp() which always compares all bytes, and does so up to the longest string in the 2-string set, without passing string boundaries. This makes it time-consistent for len(max(a,b)) comparisons. I proofed this using a 128 million iteration average for various scenarios. Reported-by: Erwan Legrand <moi@erwanlegrand.com> Signed-off-by: Ben Collins <bcollins@maclara-llc.com> | Ben Collins <bcollins@maclara-llc.com> | no | | | 2024-02-09 |
| CVE-2024-25189-2.patch | commit a5d61ef4f1b383876e0a78534383f38159471fd6: Rework jwt_strcmp() to use less branching. Signed-off-by: Ben Collins <bcollins@maclara-llc.com> | Ben Collins <bcollins@maclara-llc.com> | no | | | 2024-02-09 |
| zzz-gnutls-soname.patch | rename soname to libjwt-gnutls | Nicolas Mora | no | | | |
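The two CVE-2024-25189 patches describe a comparison that examines every byte position up to the length of the longer string, never reads past either string's NUL terminator, and accumulates the result without an early exit. The following is an added illustration of that technique, written for this page; it is not libjwt's jwt_strcmp() and its function names (`ct_strcmp`, `signature_matches`) and sample strings are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constant-time-style string comparison in the manner the patch summary
 * describes: every position up to the LONGER string's length is examined,
 * neither string is read past its own NUL terminator, and differences are
 * OR-ed into an accumulator instead of returning at the first mismatch.
 * Added illustration, not libjwt's code.
 *
 * Returns 0 when the strings are identical, non-zero otherwise.
 */
int ct_strcmp(const char *a, const char *b)
{
    size_t la = strlen(a);
    size_t lb = strlen(b);
    size_t n = la > lb ? la : lb;
    unsigned char diff = 0;

    for (size_t i = 0; i < n; i++) {
        /* Clamp the index to each string's own length: position la (or lb)
         * is the NUL terminator, so the read stays in bounds and yields 0
         * once we are past the end of the shorter string. */
        size_t ia = i < la ? i : la;
        size_t ib = i < lb ? i : lb;
        diff |= (unsigned char)a[ia] ^ (unsigned char)b[ib];
    }

    /* A length mismatch is already caught above (NUL vs. a non-NUL byte),
     * but record it explicitly so the intent is visible. */
    diff |= (unsigned char)(la != lb);

    return diff != 0;
}

/* The defensive use the patch is about: checking the signature string a
 * verifier computed against the one presented in the token. */
int signature_matches(const char *expected, const char *presented)
{
    return ct_strcmp(expected, presented) == 0;
}

int main(void)
{
    /* Constructed sample values; not real JWT material. */
    const char *expected  = "c2lnbmF0dXJlLWV4YW1wbGU";
    const char *presented = "c2lnbmF0dXJlLWV4YW1wbGU";
    const char *tampered  = "c2lnbmF0dXJlLWV4YW1wbGX";
    const char *truncated = "c2lnbmF0dXJl";

    printf("valid:     %d\n", signature_matches(expected, presented));
    printf("tampered:  %d\n", signature_matches(expected, tampered));
    printf("truncated: %d\n", signature_matches(expected, truncated));
    return 0;
}
```

The loop always runs len(max(a,b)) iterations and does the same work in each, so its cost depends on the operands' lengths (which `strlen()` exposes in any case) rather than on where the first differing byte sits; that is the property the commit message calls "time-consistent for len(max(a,b)) comparisons". Clamping the index to the terminator is what lets the loop run to the longer length without passing either string's boundary.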