USN-6307-1: JOSE for C/C++ vulnerability

Publication date

24 August 2023

Overview

JOSE for C/C++ could be made to crash if it received specially crafted input.


Packages

  • cjose - Development files for libcjose

Details

It was discovered that JOSE for C/C++ AES GCM decryption routine incorrectly
uses the Tag length from the actual Authentication Tag provided in the JWE.
An attacker could use this to cause a denial of service (system crash) or
might expose sensitive information.

It was discovered that JOSE for C/C++ AES GCM decryption routine incorrectly
uses the Tag length from the actual Authentication Tag provided in the JWE.
An attacker could use this to cause a denial of service (system crash) or
might expose sensitive information.

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
23.04 lunar libcjose0 –  0.6.2.1-1ubuntu0.1
22.04 jammy libcjose0 –  0.6.1+dfsg1-3ubuntu1.1
20.04 focal libcjose0 –  0.6.1+dfsg1-1ubuntu0.1
18.04 bionic libcjose0 –  0.6.0+dfsg1-1ubuntu0.1~esm1  

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.


Have additional questions?

Talk to a member of the team ›