Merge pull request from GHSA-xqhj-fmc7-f8mv

ecdsautils: verify: fix signature verification (CVE-2022-24884)
2022-05-05 18:02:38 +02:00 · 2022-05-05 18:02:38 +02:00 · d0f43aeb08
commit d0f43aeb08
parent 422e20c8da dcfa4522b3
7 changed files with 108 additions and 13 deletions
--- a/2
+++ b/2
@ -1,7 +1,7 @@
 The code of Project Gluon may be distributed under the following terms, unless
 noted otherwise in individual files or subtrees.
-Copyright (c) 2013-2021, Project Gluon
+Copyright (c) 2013-2022, Project Gluon
 All rights reserved.
 Redistribution and use in source and binary forms, with or without
--- a/README.md
+++ b/README.md
@ -21,7 +21,7 @@ the future development of Gluon.
 Please refrain from using the `master` branch for anything else but development purposes!
 Use the most recent release instead. You can list all releases by running `git tag`
-and switch to one by running `git checkout v2021.1.1 && make update`.
+and switch to one by running `git checkout v2021.1.2 && make update`.
 If you're using the autoupdater, do not autoupdate nodes with anything but releases.
 If you upgrade using random master commits the nodes *will break* eventually.
--- a/docs/conf.py
+++ b/docs/conf.py
@ -20,11 +20,11 @@
 # -- Project information -----------------------------------------------------
 project = 'Gluon'
-copyright = '2015-2021, Project Gluon'
+copyright = '2015-2022, Project Gluon'
 author = 'Project Gluon'
 # The short X.Y version
-version = '2021.1.1'
+version = '2021.1.2'
 # The full version, including alpha/beta/rc tags
 release = version
--- a/docs/releases/v2021.1.2.rst
+++ b/docs/releases/v2021.1.2.rst
@ -1,9 +1,12 @@
-Gluon 2021.1.2 (unreleased)
+Gluon 2021.1.2
-===========================
+==============
 Important notes
 ---------------
 This release fixes a **critical security vulnerability** in Gluon's
 autoupdater.
 Upgrades to v2021.1 and later releases are only supported from releases v2018.2
 and later. Migration code for upgrades from older versions has been removed to
 simplify maintenance.
@ -23,11 +26,30 @@ log.
 Bugfixes
 --------
-* **[SECURITY]** This release will fix a critical security vulnerability
+* **[SECURITY]** Autoupdater: Fix signature verification
-  This bugfix has not been pushed to the public Gluon repository yet to avoid
+  A recently discovered issue (CVE-2022-24884) in the *ecdsautils* package
-  disclosing information on the issue. A detailed advisory will be published at
+  allows forgery of cryptographic signatures. This vulnerability can be
-  the same time as the Gluon release.
+  exploited to create a manifest accepted by the autoupdater without knowledge
  of the signers' private keys. By intercepting nodes' connections to the update
  server, such a manifest allows to distribute malicious firmware updates.
  This is a **critical** vulnerability. All nodes with autoupdater must be
  updated. Requiring multiple signatures for an update does *not* mitigate the
  issue.
  As a temporary workaround, the issue can be mitigated on individual nodes by
  disabling the autoupdater via config mode or using the following commands::
    uci set autoupdater.settings.enabled=0
    uci commit autoupdater
  A fixed firmware should be installed manually before enabling the autoupdater
  again.
  See security advisory `GHSA-qhcg-9ffp-78pw
  <https://github.com/freifunk-gluon/ecdsautils/security/advisories/GHSA-qhcg-9ffp-78pw>`_
  for further information on this vulnerability.
 * **[SECURITY]** Config Mode: Prevent Cross-Site Request Forgery (CSRF)
--- a/docs/site-example/site.conf
+++ b/docs/site-example/site.conf
@ -1,4 +1,4 @@
-- This is an example site configuration for Gluon v2021.1.1
+-- This is an example site configuration for Gluon v2021.1.2
 --
 -- Take a look at the documentation located at
 -- https://gluon.readthedocs.io/ for details.
--- a/docs/user/getting_started.rst
+++ b/docs/user/getting_started.rst
@ -8,7 +8,7 @@ Gluon's releases are managed using `Git tags`_. If you are just getting
 started with Gluon we recommend to use the latest stable release of Gluon.
 Take a look at the `list of gluon releases`_ and notice the latest release,
-e.g. *v2021.1.1*. Always get Gluon using git and don't try to download it
+e.g. *v2021.1.2*. Always get Gluon using git and don't try to download it
 as a Zip archive as the archive will be missing version information.
 Please keep in mind that there is no "default Gluon" build; a site configuration
@ -50,7 +50,7 @@ Building the images
 -------------------
 To build Gluon, first check out the repository. Replace *RELEASE* with the
-version you'd like to checkout, e.g. *v2021.1.1*.
+version you'd like to checkout, e.g. *v2021.1.2*.
 ::
--- a/patches/packages/packages/0004-ecdsautils-verify-fix-signature-verification-CVE-2022-24884.patch
+++ b/patches/packages/packages/0004-ecdsautils-verify-fix-signature-verification-CVE-2022-24884.patch
@ -0,0 +1,73 @@
 From: Matthias Schiffer <mschiffer@universe-factory.net>
 Date: Wed, 27 Apr 2022 19:01:39 +0200
 Subject: ecdsautils: verify: fix signature verification (CVE-2022-24884)
 Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
 diff --git a/utils/ecdsautils/Makefile b/utils/ecdsautils/Makefile
 index 7f1c76f0301f56b0a88c1f6a1a0147397fde25c7..5ba893be69d40279cd6f5c9e544e941d0011f451 100644
 --- a/utils/ecdsautils/Makefile
 +++ b/utils/ecdsautils/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=ecdsautils
 PKG_VERSION:=0.3.2.20160630
 -PKG_RELEASE:=1
 +PKG_RELEASE:=2
 PKG_REV:=07538893fb6c2a9539678c45f9dbbf1e4f222b46
 PKG_MAINTAINER:=Matthias Schiffer <mschiffer@universe-factory.net>
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 diff --git a/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch b/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch
 new file mode 100644
 index 0000000000000000000000000000000000000000..34d80cc201c0e87ca654c3def4fbbbddf622b0ba
 --- /dev/null
 +++ b/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch
@@ -0,0 +1,48 @@
 +From 1d4b091abdf15ad7b2312535b5b95ad70f6dbd08 Mon Sep 17 00:00:00 2001
 +Message-Id: <1d4b091abdf15ad7b2312535b5b95ad70f6dbd08.1651078760.git.mschiffer@universe-factory.net>
 +From: Matthias Schiffer <mschiffer@universe-factory.net>
 +Date: Wed, 20 Apr 2022 22:04:07 +0200
 +Subject: [PATCH] verify: fix signature verification (CVE-2022-24884)
 +
 +Verify that r and s are non-zero. Without these checks, an all-zero
 +signature is always considered valid.
 +
 +While it would be nicer to error out in ecdsa_verify_prepare_legacy()
 +already, that would require users of libecdsautil to check a return value
 +of the prepare step. To be safe, implement the fix in an API/ABI-compatible
 +way that doesn't need changes to the users.
 +---
 + src/lib/ecdsa.c | 10 ++++++++++
 + 1 file changed, 10 insertions(+)
 +
 +diff --git a/src/lib/ecdsa.c b/src/lib/ecdsa.c
 +index 8cd7722be8cd..a661b56bd7c8 100644
 +--- a/src/lib/ecdsa.c
 ++++ b/src/lib/ecdsa.c
 +@@ -135,6 +135,12 @@ regenerate:
 + void ecdsa_verify_prepare_legacy(ecdsa_verify_context_t *ctx, const ecc_int256_t *hash, const ecdsa_signature_t *signature) {
 +   ecc_int256_t w, u1, tmp;
 + 
 ++  if (ecc_25519_gf_is_zero(&signature->s) || ecc_25519_gf_is_zero(&signature->r)) {
 ++    // Signature is invalid, mark by setting ctx->r to an invalid value
 ++    memset(&ctx->r, 0, sizeof(ctx->r));
 ++    return;
 ++  }
 ++
 +   ctx->r = signature->r;
 + 
 +   ecc_25519_gf_recip(&w, &signature->s);
 +@@ -149,6 +155,10 @@ bool ecdsa_verify_legacy(const ecdsa_verify_context_t *ctx, const ecc_25519_work
 +   ecc_25519_work_t s2, work;
 +   ecc_int256_t w, tmp;
 + 
 ++  // Signature was detected as invalid in prepare step
 ++  if (ecc_25519_gf_is_zero(&ctx->r))
 ++    return false;
 ++
 +   ecc_25519_scalarmult(&s2, &ctx->u2, pubkey);
 +   ecc_25519_add(&work, &ctx->s1, &s2);
 +   ecc_25519_store_xy_legacy(&w, NULL, &work);
 +-- 
 +2.36.0
 +