Bug 1221804 (CVE-2023-50967)

Summary: VUL-0: CVE-2023-50967: jose: denial of service due to uncontrolled CPU consumption
Product: [openSUSE] openSUSE Distribution Reporter: SMASH SMASH <smash_bz>
Component: SecurityAssignee: Marcus Meissner <meissner>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: andrea.mattiazzo
Version: Leap 15.6   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/398356/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-03-21 10:23:07 UTC 
latchset jose through version 11 allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-50967
https://github.com/latchset/jose
https://www.cve.org/CVERecord?id=CVE-2023-50967
https://github.com/P3ngu1nW/CVE_Request/blob/main/latch-jose.md
https://bugzilla.redhat.com/show_bug.cgi?id=2270538
Comment 1 Andrea Mattiazzo 2024-03-21 10:28:15 UTC 
Tracking as affected:
- openSUSE:Backports:SLE-15-SP6/jose  11     
- openSUSE:Factory/jose               11     

Probably a ulimit is sufficient to limit resource usage. I don't found any limitation on the value of p2c in the upstream code, only a bottom value check in pbes2.c [0]

[0] https://github.com/latchset/jose/blob/dae5654d11bf633faf2124158b0f9d7c4ad0ba84/lib/openssl/pbes2.c#L230