Merge pull request from GHSA-xqhj-fmc7-f8mv

ecdsautils: verify: fix signature verification (CVE-2022-24884)
2022-05-05 18:02:38 +02:00 · 2022-05-05 18:02:38 +02:00 · 2ea83c447b
commit 2ea83c447b
parent 7e082f8a08 bc80a3be1f
1 changed files with 73 additions and 0 deletions
--- a/patches/packages/packages/0002-ecdsautils-verify-fix-signature-verification-CVE-2022-24884.patch
+++ b/patches/packages/packages/0002-ecdsautils-verify-fix-signature-verification-CVE-2022-24884.patch
@ -0,0 +1,73 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Wed, 27 Apr 2022 19:01:39 +0200
+Subject: ecdsautils: verify: fix signature verification (CVE-2022-24884)
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+
+diff --git a/utils/ecdsautils/Makefile b/utils/ecdsautils/Makefile
+index 7f1c76f0301f56b0a88c1f6a1a0147397fde25c7..5ba893be69d40279cd6f5c9e544e941d0011f451 100644
+--- a/utils/ecdsautils/Makefile
+++ b/utils/ecdsautils/Makefile
+@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
+ 
+ PKG_NAME:=ecdsautils
+ PKG_VERSION:=0.3.2.20160630
+-PKG_RELEASE:=1
+PKG_RELEASE:=2
+ PKG_REV:=07538893fb6c2a9539678c45f9dbbf1e4f222b46
+ PKG_MAINTAINER:=Matthias Schiffer <mschiffer@universe-factory.net>
+ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+diff --git a/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch b/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch
+new file mode 100644
+index 0000000000000000000000000000000000000000..34d80cc201c0e87ca654c3def4fbbbddf622b0ba
+--- /dev/null
+++ b/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch
+@@ -0,0 +1,48 @@
+From 1d4b091abdf15ad7b2312535b5b95ad70f6dbd08 Mon Sep 17 00:00:00 2001
+Message-Id: <1d4b091abdf15ad7b2312535b5b95ad70f6dbd08.1651078760.git.mschiffer@universe-factory.net>
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Wed, 20 Apr 2022 22:04:07 +0200
+Subject: [PATCH] verify: fix signature verification (CVE-2022-24884)
+
+Verify that r and s are non-zero. Without these checks, an all-zero
+signature is always considered valid.
+
+While it would be nicer to error out in ecdsa_verify_prepare_legacy()
+already, that would require users of libecdsautil to check a return value
+of the prepare step. To be safe, implement the fix in an API/ABI-compatible
+way that doesn't need changes to the users.
+---
+ src/lib/ecdsa.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/lib/ecdsa.c b/src/lib/ecdsa.c
+index 8cd7722be8cd..a661b56bd7c8 100644
+--- a/src/lib/ecdsa.c
++++ b/src/lib/ecdsa.c
+@@ -135,6 +135,12 @@ regenerate:
+ void ecdsa_verify_prepare_legacy(ecdsa_verify_context_t *ctx, const ecc_int256_t *hash, const ecdsa_signature_t *signature) {
+   ecc_int256_t w, u1, tmp;
+ 
++  if (ecc_25519_gf_is_zero(&signature->s) || ecc_25519_gf_is_zero(&signature->r)) {
++    // Signature is invalid, mark by setting ctx->r to an invalid value
++    memset(&ctx->r, 0, sizeof(ctx->r));
++    return;
++  }
++
+   ctx->r = signature->r;
+ 
+   ecc_25519_gf_recip(&w, &signature->s);
+@@ -149,6 +155,10 @@ bool ecdsa_verify_legacy(const ecdsa_verify_context_t *ctx, const ecc_25519_work
+   ecc_25519_work_t s2, work;
+   ecc_int256_t w, tmp;
+ 
++  // Signature was detected as invalid in prepare step
++  if (ecc_25519_gf_is_zero(&ctx->r))
++    return false;
++
+   ecc_25519_scalarmult(&s2, &ctx->u2, pubkey);
+   ecc_25519_add(&work, &ctx->s1, &s2);
+   ecc_25519_store_xy_legacy(&w, NULL, &work);
+-- 
+2.36.0
+