From 59bea00824aef7e23c9218171fa51dc114db94d2 Mon Sep 17 00:00:00 2001 From: Clement Delafargue Date: Wed, 31 Jul 2024 18:38:06 +0200 Subject: [PATCH] add advisory for biscuit-haskell 0.3.x --- .../hackage/biscuit-haskell/HSEC-2024-0009.md | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 advisories/hackage/biscuit-haskell/HSEC-2024-0009.md diff --git a/advisories/hackage/biscuit-haskell/HSEC-2024-0009.md b/advisories/hackage/biscuit-haskell/HSEC-2024-0009.md new file mode 100644 index 00000000..38b2f33b --- /dev/null +++ b/advisories/hackage/biscuit-haskell/HSEC-2024-0009.md @@ -0,0 +1,30 @@ +```toml +[advisory] +id = "HSEC-2024-0009" +keywords = ["biscuit"] +aliases = ["CVE-2024-41949", "GHSA-rgqv-mwc3-c78m", "GHSA-47cq-pc2v-3rmp"] + +[[references]] +type = "ADVISORY" +url = "https://github.com/biscuit-auth/biscuit-haskell/security/advisories/GHSA-47cq-pc2v-3rmp" +[[references]] +type = "FIX" +url = "https://github.com/biscuit-auth/biscuit-haskell/pull/93" + +[[affected]] +package = "biscuit-haskell" +cvss = "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N" + +[[affected.versions]] +introduced = "0.3.0.0" +fixed = "0.4.0.0" +``` + +# Public key confusion in third-party blocks + +Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a `ThirdPartyBlock` request can be sent, providing only the necessary info to generate a third-party block and to sign it: + +- the public key of the previous block (used in the signature); +- the public keys part of the token symbol table (for public key interning in datalog expressions). + +A third-party block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair.