chore: Update module github.com/lestrrat-go/jwx to v1.2.28 [SECURITY] #34

renovate · 2024-01-24T17:12:02Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/lestrrat-go/jwx	`v1.2.27` -> `v1.2.28`

GitHub Vulnerability Alerts

CVE-2024-21664

Summary

Calling jws.Parse with a JSON serialized payload where the signature field is present while protected is absent can lead to a nil pointer dereference.

Details

This seems to also affect other functions that calls Parse internally, like jws.Verify.

My understanding of these functions from the docs is that they are supposed to fail gracefully on invalid input and don't require any prior validation.

Based on the stack trace in the PoC, the issue seems to be that the processing done in jws/message.go:UnmarshalJSON() assumes that if a signature field is present, then a protected field is also present. If this is not the case, then the subsequent call to getB64Value(sig.protected) will dereference sig.protected, which is nil.

PoC

Reproducer:

package poc

import (
        "testing"

        "github.com/lestrrat-go/jwx/v2/jws"
)

func TestPOC(t *testing.T) {
        _, _ = jws.Parse([]byte(`{"signature": ""}`))
}

Result:

$ go test        
--- FAIL: TestPOC (0.00s)
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
        panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x40 pc=0x5fd618]

goroutine 6 [running]:
testing.tRunner.func1.2({0x628800, 0x831030})
        /usr/local/go/src/testing/testing.go:1545 +0x238
testing.tRunner.func1()
        /usr/local/go/src/testing/testing.go:1548 +0x397
panic({0x628800?, 0x831030?})
        /usr/local/go/src/runtime/panic.go:914 +0x21f
github.com/lestrrat-go/jwx/v2/jws.getB64Value({0x0?, 0x0?})
        /home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@&#8203;v2.0.18/jws/jws.go:484 +0x18
github.com/lestrrat-go/jwx/v2/jws.(*Message).UnmarshalJSON(0xc0000a2140, {0xc0000ec000, 0x11, 0x200})
        /home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@&#8203;v2.0.18/jws/message.go:323 +0x4ad
encoding/json.(*decodeState).object(0xc0000ea028, {0x64fa60?, 0xc0000a2140?, 0x16?})
        /usr/local/go/src/encoding/json/decode.go:604 +0x6cc
encoding/json.(*decodeState).value(0xc0000ea028, {0x64fa60?, 0xc0000a2140?, 0xc00006e630?})
        /usr/local/go/src/encoding/json/decode.go:374 +0x3e
encoding/json.(*decodeState).unmarshal(0xc0000ea028, {0x64fa60?, 0xc0000a2140?})
        /usr/local/go/src/encoding/json/decode.go:181 +0x133
encoding/json.(*Decoder).Decode(0xc0000ea000, {0x64fa60, 0xc0000a2140})
        /usr/local/go/src/encoding/json/stream.go:73 +0x179
github.com/lestrrat-go/jwx/v2/internal/json.Unmarshal({0xc00001a288, 0x11, 0x11}, {0x64fa60, 0xc0000a2140})
        /home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@&#8203;v2.0.18/internal/json/json.go:26 +0x97
github.com/lestrrat-go/jwx/v2/jws.parseJSON({0xc00001a288, 0x11, 0x11})
        /home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@&#8203;v2.0.18/jws/jws.go:588 +0x50
github.com/lestrrat-go/jwx/v2/jws.Parse({0xc00001a288, 0x11, 0x11}, {0x0?, 0xc00006e760?, 0x48450f?})
        /home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@&#8203;v2.0.18/jws/jws.go:525 +0x89
poc.TestPOC(0x0?)
        /home/fredrik/src/jwx_poc/poc_test.go:10 +0x57
testing.tRunner(0xc0000e4340, 0x68ef30)
        /usr/local/go/src/testing/testing.go:1595 +0xff
created by testing.(*T).Run in goroutine 1
        /usr/local/go/src/testing/testing.go:1648 +0x3ad
exit status 2
FAIL    poc     0.005s

Impact

The vulnerability can be used to crash / DOS a system doing JWS verification.

Release Notes

lestrrat-go/jwx (github.com/lestrrat-go/jwx)

`v1.2.28`

Compare Source

v1.2.28 09 Jan 2024
[Security Fixes]
  * [jws] JWS messages formated in full JSON format (i.e. not the compact format, which
    consists of three base64 strings concatenated with a '.') with missing "protected"
    headers could cause a panic, thereby introducing a possiblity of a DoS.

    This has been fixed so that the `jws.Parse` function succeeds in parsing a JWS message
    lacking a protected header. Calling `jws.Verify` on this same JWS message will result
    in a failed verification attempt. Note that this behavior will differ slightly when
    parsing JWS messages in compact form, which result in an error.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

…#34) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [github.com/lestrrat-go/jwx](https://togithub.com/lestrrat-go/jwx) | `v1.2.27` -> `v1.2.28` | [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2flestrrat-go%2fjwx/v1.2.28?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2flestrrat-go%2fjwx/v1.2.28?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2flestrrat-go%2fjwx/v1.2.27/v1.2.28?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2flestrrat-go%2fjwx/v1.2.27/v1.2.28?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2024-21664](https://togithub.com/lestrrat-go/jwx/security/advisories/GHSA-pvcr-v8j8-j5q3) ### Summary Calling `jws.Parse` with a JSON serialized payload where the `signature` field is present while `protected` is absent can lead to a nil pointer dereference. ### Details This seems to also affect other functions that calls `Parse` internally, like `jws.Verify`. My understanding of these functions from the docs is that they are supposed to fail gracefully on invalid input and don't require any prior validation. Based on the stack trace in the PoC, the issue seems to be that the processing done in `jws/message.go:UnmarshalJSON()` assumes that if a `signature` field is present, then a `protected` field is also present. If this is not the case, then the subsequent call to `getB64Value(sig.protected)` will dereference `sig.protected`, which is `nil`. ### PoC Reproducer: ```go package poc import ( "testing" "github.com/lestrrat-go/jwx/v2/jws" ) func TestPOC(t *testing.T) { _, _ = jws.Parse([]byte(`{"signature": ""}`)) } ``` Result: ``` $ go test --- FAIL: TestPOC (0.00s) panic: runtime error: invalid memory address or nil pointer dereference [recovered] panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x40 pc=0x5fd618] goroutine 6 [running]: testing.tRunner.func1.2({0x628800, 0x831030}) /usr/local/go/src/testing/testing.go:1545 +0x238 testing.tRunner.func1() /usr/local/go/src/testing/testing.go:1548 +0x397 panic({0x628800?, 0x831030?}) /usr/local/go/src/runtime/panic.go:914 +0x21f github.com/lestrrat-go/jwx/v2/jws.getB64Value({0x0?, 0x0?}) /home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@v2.0.18/jws/jws.go:484 +0x18 github.com/lestrrat-go/jwx/v2/jws.(*Message).UnmarshalJSON(0xc0000a2140, {0xc0000ec000, 0x11, 0x200}) /home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@v2.0.18/jws/message.go:323 +0x4ad encoding/json.(*decodeState).object(0xc0000ea028, {0x64fa60?, 0xc0000a2140?, 0x16?}) /usr/local/go/src/encoding/json/decode.go:604 +0x6cc encoding/json.(*decodeState).value(0xc0000ea028, {0x64fa60?, 0xc0000a2140?, 0xc00006e630?}) /usr/local/go/src/encoding/json/decode.go:374 +0x3e encoding/json.(*decodeState).unmarshal(0xc0000ea028, {0x64fa60?, 0xc0000a2140?}) /usr/local/go/src/encoding/json/decode.go:181 +0x133 encoding/json.(*Decoder).Decode(0xc0000ea000, {0x64fa60, 0xc0000a2140}) /usr/local/go/src/encoding/json/stream.go:73 +0x179 github.com/lestrrat-go/jwx/v2/internal/json.Unmarshal({0xc00001a288, 0x11, 0x11}, {0x64fa60, 0xc0000a2140}) /home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@v2.0.18/internal/json/json.go:26 +0x97 github.com/lestrrat-go/jwx/v2/jws.parseJSON({0xc00001a288, 0x11, 0x11}) /home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@v2.0.18/jws/jws.go:588 +0x50 github.com/lestrrat-go/jwx/v2/jws.Parse({0xc00001a288, 0x11, 0x11}, {0x0?, 0xc00006e760?, 0x48450f?}) /home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@v2.0.18/jws/jws.go:525 +0x89 poc.TestPOC(0x0?) /home/fredrik/src/jwx_poc/poc_test.go:10 +0x57 testing.tRunner(0xc0000e4340, 0x68ef30) /usr/local/go/src/testing/testing.go:1595 +0xff created by testing.(*T).Run in goroutine 1 /usr/local/go/src/testing/testing.go:1648 +0x3ad exit status 2 FAIL poc 0.005s ``` ### Impact The vulnerability can be used to crash / DOS a system doing JWS verification. --- ### Release Notes <details> <summary>lestrrat-go/jwx (github.com/lestrrat-go/jwx)</summary> ### [`v1.2.28`](https://togithub.com/lestrrat-go/jwx/releases/tag/v1.2.28) [Compare Source](https://togithub.com/lestrrat-go/jwx/compare/v1.2.27...v1.2.28) v1.2.28 09 Jan 2024 [Security Fixes] * [jws] JWS messages formated in full JSON format (i.e. not the compact format, which consists of three base64 strings concatenated with a '.') with missing "protected" headers could cause a panic, thereby introducing a possiblity of a DoS. This has been fixed so that the `jws.Parse` function succeeds in parsing a JWS message lacking a protected header. Calling `jws.Verify` on this same JWS message will result in a failed verification attempt. Note that this behavior will differ slightly when parsing JWS messages in compact form, which result in an error. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/nobl9/sloctl).  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

Update module github.com/lestrrat-go/jwx to v1.2.28 [SECURITY]

260c20b

renovate bot requested a review from nieomylnieja as a code owner January 24, 2024 17:12

renovate bot added golang security labels Jan 24, 2024

renovate bot changed the title ~~Update module github.com/lestrrat-go/jwx to v1.2.28 [SECURITY]~~ chore: Update module github.com/lestrrat-go/jwx to v1.2.28 [SECURITY] Jan 24, 2024

n9-machine-user added chore patch go labels Jan 24, 2024

nieomylnieja approved these changes Jan 24, 2024

View reviewed changes

nieomylnieja merged commit 28a5ea4 into main Jan 24, 2024
7 checks passed

nieomylnieja deleted the renovate_go-github.com/lestrrat-go/jwx-vulnerability branch January 24, 2024 17:17

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: Update module github.com/lestrrat-go/jwx to v1.2.28 [SECURITY] #34

chore: Update module github.com/lestrrat-go/jwx to v1.2.28 [SECURITY] #34

renovate bot commented Jan 24, 2024 •

edited

Loading

chore: Update module github.com/lestrrat-go/jwx to v1.2.28 [SECURITY] #34

chore: Update module github.com/lestrrat-go/jwx to v1.2.28 [SECURITY] #34

Conversation

renovate bot commented Jan 24, 2024 • edited Loading

GitHub Vulnerability Alerts

CVE-2024-21664

Summary

Details

PoC

Impact

Release Notes

v1.2.28

Configuration

renovate bot commented Jan 24, 2024 •

edited

Loading

`v1.2.28`