From 86d867dcc6f86c5d3d851106f50564abdc94bb4b Mon Sep 17 00:00:00 2001
From: fortunate-lee
Date: Tue, 15 Apr 2025 10:11:52 +0800
Subject: [PATCH] refix cve-2023-50967
---
back-port-CVE-2023-50967-2.patch | 40 ++++++++++++++++++++++++++++++++
jose.spec | 9 ++++++-
2 files changed, 48 insertions(+), 1 deletion(-)
create mode 100644 back-port-CVE-2023-50967-2.patch
diff --git a/back-port-CVE-2023-50967-2.patch b/back-port-CVE-2023-50967-2.patch
new file mode 100644
index 0000000..e205d54
--- /dev/null
+++ b/back-port-CVE-2023-50967-2.patch
@@ -0,0 +1,40 @@
+diff -Naur jose-11-bak/lib/openssl/pbes2.c jose-11/lib/openssl/pbes2.c
+--- jose-11-bak/lib/openssl/pbes2.c 2021-05-07 21:12:42.266277800 +0800
++++ jose-11/lib/openssl/pbes2.c 2025-04-14 16:20:13.338332563 +0800
+@@ -25,6 +25,8 @@
+ #include
+
+ #define NAMES "PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"
++#define P2C_MIN_ITERATIONS 1000
++#define P2C_MAX_ITERATIONS 32768
+
+ static json_t *
+ pbkdf2(const char *alg, jose_cfg_t *cfg, const json_t *jwk, int iter,
+@@ -193,7 +195,7 @@
+ json_auto_t *hdr = NULL;
+ const char *aes = NULL;
+ json_t *h = NULL;
+- int p2c = 10000;
++ int p2c = P2C_MAX_ITERATIONS;
+ size_t stl = 0;
+
+ if (!json_object_get(cek, "k") && !jose_jwk_gen(cfg, cek))
+@@ -226,7 +228,7 @@
+ json_object_set_new(h, "p2c", json_integer(p2c)) < 0)
+ return false;
+
+- if (p2c < 1000)
++ if (p2c < P2C_MIN_ITERATIONS || p2c > P2C_MAX_ITERATIONS)
+ return false;
+
+ if (json_object_set_new(h, "p2s", jose_b64_enc(st, stl)) == -1)
+@@ -268,6 +270,9 @@
+ if (json_unpack(hdr, "{s:I}", "p2c", &p2c) == -1)
+ return false;
+
++ if (p2c > P2C_MAX_ITERATIONS)
++ return false;
++
+ stl = jose_b64_dec(json_object_get(hdr, "p2s"), NULL, 0);
+ if (stl < 8 || stl > sizeof(st))
+ return false;
diff --git a/jose.spec b/jose.spec
index 01d768e..a45b729 100644
--- a/jose.spec
+++ b/jose.spec
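Review bot: The unwrap-side check added after `json_unpack(hdr, "{s:I}", "p2c", &p2c)` in the last pbes2.c hunk bounds the header-supplied count only from above, so a zero or negative `p2c` from an untrusted JWE header still passes and is presumably handed on to the `int iter` parameter of `pbkdf2`. The wrap path in the same patch enforces both ends; unwrap should at least reject non-positive values, e.g. `if (p2c < 1 || p2c > P2C_MAX_ITERATIONS) return false;`, or use `P2C_MIN_ITERATIONS` as the floor if tokens with lower counts need not be accepted. The declaration of `p2c` and the call into `pbkdf2` in that function are outside the hunk, so how a non-positive count behaves downstream should be confirmed there. A short comment on the two `#define`s would also help: with the default now equal to `P2C_MAX_ITERATIONS`, 32768 is both the work factor for newly wrapped keys and the ceiling, presumably chosen to bound the CPU spent on attacker-controlled headers.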
@@ -1,11 +1,12 @@ Name: jose Version: 11 -Release: 2 +Release: 3 Summary: José is a command line utility for performing various tasks on JSON objects License: ASL 2.0 URL: https://github.com/latchset/%{name} Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz Patch001: back-port-CVE-2023-50967.patch +Patch002: back-port-CVE-2023-50967-2.patch BuildRequires: pkgconfig, gcc, openssl-devel, zlib-devel, meson, ninja-build, asciidoc BuildRequires: jansson-devel >= 2.10 @@ -82,6 +83,12 @@ rm -rf %{buildroot}/%{_libdir}/lib%{name}.la %changelog +* Wed Apr 16 2025 lijian - 11-3 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC: refix CVE-2023-50967 + * Sun Apr 7 2024 licihua - 11-2 - Type:bugfix - ID:NA -- Gitee