pkgsrc-Changes archive
CVS commit: pkgsrc/security/libjwt
Module Name: pkgsrc
Committed By: adam
Date: Wed Jan 29 18:17:24 UTC 2025
Modified Files:
pkgsrc/security/libjwt: Makefile distinfo
Log Message:
libjwt: updated to 2.1.1
2.1.1
jwt_decode_2(): Security vulnerability
This function had faulty logic based on some assumptions that it could trust the JWT in that if it was alg:none, it would not run the callback.
The assumption would allow an attacker to modify the JWT header and body and trick the function into returning without having retrieved a key from the cb, meaning no verification of the signature was done, and it returned as if everything was successful.
The caller of jwt_decode_2 has no real way to know that their cb was never run.
As an aside, it was found that some of the test cases were assuming that you could call jwt_decode_2 with key_provider == NULL. This doesn't make much sense, considering there's no way to pass a key without a key_provider.
In this instance, if passed a JWT with alg:none, this was fine. If called with any other alg type, the code would attempt to run the NULL `key_provider` and produce a SEGV.
RESOLUTION
jwt_decode_2 will always run the key_provider if passed, assuming there was not a previous error.
Always check key_provider for NULL before using it
If no key_provider, but JWT had alg != none, processing fails
NOTES:
jwt_decode() and jwt_decode_2() are being deprecated in favor of more robust functionality.
To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.2 pkgsrc/security/libjwt/Makefile \
pkgsrc/security/libjwt/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/security/libjwt/Makefile
diff -u pkgsrc/security/libjwt/Makefile:1.1 pkgsrc/security/libjwt/Makefile:1.2
--- pkgsrc/security/libjwt/Makefile:1.1 Fri Sep 13 19:35:15 2024
+++ pkgsrc/security/libjwt/Makefile Wed Jan 29 18:17:24 2025
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.1 2024/09/13 19:35:15 adam Exp $
+# $NetBSD: Makefile,v 1.2 2025/01/29 18:17:24 adam Exp $
-DISTNAME= libjwt-1.17.2
+DISTNAME= libjwt-2.1.1
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_GITHUB:=benmcollins/}
GITHUB_RELEASE= v${PKGVERSION_NOREV}
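Review bot: the DISTNAME line moves from libjwt-1.17.2 to libjwt-2.1.1, a major-version jump, but the log message only reproduces the 2.1.1 changelog entry and itself states that jwt_decode() and jwt_decode_2() are being deprecated; a sentence in the log saying which dependent packages were checked against the 2.x API (and whether any needed a rebuild) would let reviewers see that the bump is safe for the tree.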
@@ -18,6 +18,7 @@ USE_LIBTOOL= yes
USE_TOOLS+= gmake pkg-config
GNU_CONFIGURE= yes
CONFIGURE_ARGS+= --disable-doxygen-doc
+CONFIGURE_ARGS+= --without-gnutls
# cmake does not produce .pc file.
#CMAKE_CONFIGURE_ARGS+= -DBUILD_SHARED_LIBS=ON
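Review bot: the new `CONFIGURE_ARGS+= --without-gnutls` line carries no comment explaining why GnuTLS support is disabled, while the neighbouring cmake lines are annotated; add a one-line comment stating the reason (for example, keeping the package on a single crypto backend or avoiding an optional dependency) so the intent survives the next update.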
Index: pkgsrc/security/libjwt/distinfo
diff -u pkgsrc/security/libjwt/distinfo:1.1 pkgsrc/security/libjwt/distinfo:1.2
--- pkgsrc/security/libjwt/distinfo:1.1 Fri Sep 13 19:35:15 2024
+++ pkgsrc/security/libjwt/distinfo Wed Jan 29 18:17:24 2025
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.1 2024/09/13 19:35:15 adam Exp $
+$NetBSD: distinfo,v 1.2 2025/01/29 18:17:24 adam Exp $
-BLAKE2s (libjwt-1.17.2.tar.bz2) = 4719f4d95305c2ba0fe0c4915e2657cea7aaa030d24026dcfa58238fa4cd0ce8
-SHA512 (libjwt-1.17.2.tar.bz2) = 68d4282de890eacd9e6a13d0166efcb8f39fd3eb95f09bdab5e3f7bf419668fc5276df2804680e0444efa428f1b47f5a5b92e8a98b7cd38f7e997342debf162b
-Size (libjwt-1.17.2.tar.bz2) = 419762 bytes
+BLAKE2s (libjwt-2.1.1.tar.bz2) = 505522653b8d6fc21fd0694a4b378de5f54d700dc10c10bf3b8fa074f950f02f
+SHA512 (libjwt-2.1.1.tar.bz2) = c99b575febdc3c3d5467bfc0b384ead9d40042d3851c0dd87b8428af0b236d8cdaf625d9e7f4343b3b4caa3a70d7c6aa51b0746e1ec0dc7b01ca6c4582f14fe0
+Size (libjwt-2.1.1.tar.bz2) = 424656 bytes