Bug 1221804 (CVE-2023-50967) - VUL-0: CVE-2023-50967: jose: denial of service due to uncontrolled CPU consumption
Summary: VUL-0: CVE-2023-50967: jose: denial of service due to uncontrolled CPU consum...
Status: NEW
Alias: CVE-2023-50967
Product: openSUSE Distribution
Classification: openSUSE
Component: Security (show other bugs)
Version: Leap 15.6
Hardware: Other Other
: P3 - Medium : Major (vote)
Target Milestone: ---
Assignee: Marcus Meissner
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/398356/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-03-21 10:23 UTC by SMASH SMASH
Modified: 2024-03-21 11:15 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2024-03-21 10:23:07 UTC 
latchset jose through version 11 allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-50967
https://github.com/latchset/jose
https://www.cve.org/CVERecord?id=CVE-2023-50967
https://github.com/P3ngu1nW/CVE_Request/blob/main/latch-jose.md
https://bugzilla.redhat.com/show_bug.cgi?id=2270538
Comment 1 Andrea Mattiazzo 2024-03-21 10:28:15 UTC 
Tracking as affected:
- openSUSE:Backports:SLE-15-SP6/jose  11     
- openSUSE:Factory/jose               11     

Probably a ulimit is sufficient to limit resource usage. I don't found any limitation on the value of p2c in the upstream code, only a bottom value check in pbes2.c [0]

[0] https://github.com/latchset/jose/blob/dae5654d11bf633faf2124158b0f9d7c4ad0ba84/lib/openssl/pbes2.c#L230