Bug 58389 - rhonabwy: CVE-2024-25714 (5.2)
Summary: rhonabwy: CVE-2024-25714 (5.2)
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 5.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.2-2-errata
Assignee: Florian Best
QA Contact: Arvid Requate
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-06-14 09:59 CEST by Florian Best
Modified: 2025-06-18 14:28 CEST

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Customer ID:
Max CVSS v3 score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


Description Florian Best univentionstaff 2025-06-14 09:59:49 CEST
In Rhonabwy through 1.1.13, HMAC signature verification uses a strcmp function that is vulnerable to side-channel attacks, because it stops the comparison when the first difference is spotted in the two signatures. (The fix uses gnutls_memcmp, which has constant-time execution.) 

Patch: https://github.com/babelouest/rhonabwy/commit/f9fd9a1c77e48b514ebb3baf0360f87eef3d846e

https://www.cve.org/CVERecord?id=CVE-2024-25714
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25714
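An added illustration of the comparison described in the report (not rhonabwy's or GnuTLS's code): an early-exit compare, instrumented to show how many bytes it inspects before stopping, beside a constant-time compare written here as a stand-in for gnutls_memcmp() with the same contract (0 when equal). The names `ct_memcmp`, `early_exit_bytes_inspected` and `hmac_verify_ct` are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Vulnerable pattern from the report: strcmp returns at the first differing
 * byte, so the time taken grows with the length of the matching prefix. */
int hmac_verify_strcmp(const char *expected, const char *candidate) {
    return strcmp(expected, candidate) == 0;
}

/* Instrumented early-exit compare: returns how many bytes were inspected
 * before the loop stopped. This count is what leaks through timing. */
size_t early_exit_bytes_inspected(const uint8_t *a, const uint8_t *b, size_t n) {
    size_t i;
    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            return i + 1;
        }
    }
    return n;
}

/* Constant-time compare (hypothetical stand-in for gnutls_memcmp so the
 * example builds without GnuTLS): touches every byte, has no data-dependent
 * branch, and returns 0 iff all n bytes are equal. */
int ct_memcmp(const void *a, const void *b, size_t n) {
    const volatile unsigned char *pa = a;
    const volatile unsigned char *pb = b;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) {
        diff |= pa[i] ^ pb[i];
    }
    return diff;
}

/* Hardened verification: reject a length mismatch first, then compare the
 * whole tag in constant time regardless of where the first difference is. */
int hmac_verify_ct(const uint8_t *expected, size_t expected_len,
                   const uint8_t *candidate, size_t candidate_len) {
    if (expected_len != candidate_len) {
        return 0;
    }
    return ct_memcmp(expected, candidate, expected_len) == 0;
}
```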
Comment 1 Florian Best univentionstaff 2025-06-16 07:50:38 CEST
ca4f56d95eef | Bug #58389: include changes from rhonabwy 1.1.12
3077419a5541 | Bug #58389: rename to quilt format
3a2729ede673 | Bug #58389: fix CVE-2024-25714: Mitigate HMAC signature side-channel attack

Package: rhonabwy
Version: 1.1.11-1A~5.2.0.202506160732
Branch: 5.2-0
Scope: errata5.2-2

rhonabwy.yaml
8e196b4409c8 | chore(rhonabwy): update advisory
Comment 2 Arvid Requate univentionstaff 2025-06-17 16:43:36 CEST
QA of ucs-patches:
* rhonabwy/ucs_5.2-0-errata5.2-2/1.1.11-1/03_CVE_2024_25714_mitigate_hmac_signature_side_channel_attack.quilt matches patch from github
* rhonabwy/ucs_5.2-0-errata5.2-2/1.1.11-1/01_update_to_1_1_12.quilt matches
  https://salsa.debian.org/debian-iot-team/oauth2/rhonabwy/-/commit/d4c18af2941630d181142ea8bdd77408b00fde27
* rhonabwy/ucs_5.2-0-errata5.2-2/1.1.11-1/01_update_to_1_1_12.patch matches
  https://salsa.debian.org/debian-iot-team/oauth2/rhonabwy/-/commit/bffcd1b689e1dcc332130ed3d6cf3fb151ab5713
* debian/changelog version unmodified compared to UCS 5.2-x

Patches applied during package build:
```
rhonabwy (1.1.11-1A~5.2.0.202506160732) ucs5-2-0-0; urgency=low

  * UCS auto build. The following patches have been applied to the original source package
    01_update_to_1_1_12.patch
    01_update_to_1_1_12.quilt
    02_fix_array_to_string.quilt
    03_CVE_2024_25714_mitigate_hmac_signature_side_channel_attack.quilt

 -- Univention builddaemon <buildd@univention.de>  Mon, 16 Jun 2025 07:32:46 -0000

rhonabwy (1.1.11-1) unstable; urgency=medium

  * New upstream release
  * d/copyright: Remove superfluous files
  * d/rules: Remove configure option -DDOWNLOAD_DEPENDENCIES=OFF
  * d/librhonabwy-dev.install: Add cmake dependencies

 -- Nicolas Mora <babelouest@debian.org>  Thu, 21 Sep 2023 20:32:13 -0400
```

* Advisory Ok
Comment 3 Christian Castens univentionstaff 2025-06-18 14:28:31 CEST
<https://errata.software-univention.de/#/?erratum=5.2x119>