[chore]: Bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1 (#2375)

Bumps [github.com/go-jose/go-jose/v3](https://github.com/go-jose/go-jose) from 3.0.0 to 3.0.1. - [Release notes](https://github.com/go-jose/go-jose/releases) - [Changelog](https://github.com/go-jose/go-jose/blob/v3/CHANGELOG.md) - [Commits](https://github.com/go-jose/go-jose/compare/v3.0.0...v3.0.1) --- updated-dependencies: - dependency-name: github.com/go-jose/go-jose/v3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2023-11-22 12:20:29 +0100
committer: GitHub <noreply@github.com> 2023-11-22 12:20:29 +0100
commit: 7a9b493f4709b48156f0bb1ad7d3caffc259fa48 (patch)
tree: b5bc0278dc83a4ef7a1e0ba8a16c7e5aa7363cfe /vendor/github.com/go-jose
parent: [feature] Poll web view (#2377) (diff)
download: gotosocial-7a9b493f4709b48156f0bb1ad7d3caffc259fa48.tar.xz
2 files changed, 13 insertions, 0 deletions
diff --git a/vendor/github.com/go-jose/go-jose/v3/CHANGELOG.md b/vendor/github.com/go-jose/go-jose/v3/CHANGELOG.md
new file mode 100644
index 000000000..7820c2f4d
--- /dev/null
+++ b/vendor/github.com/go-jose/go-jose/v3/CHANGELOG.md
@@ -0,0 +1,8 @@
+# v3.0.1
+
+Fixed:
+ - Security issue: an attacker specifying a large "p2c" value can cause
+   JSONWebEncryption.Decrypt and JSONWebEncryption.DecryptMulti to consume large
+   amounts of CPU, causing a DoS. Thanks to Matt Schwager (@mschwager) for the
+   disclosure and to Tom Tervoort for originally publishing the category of attack.
+   https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf
diff --git a/vendor/github.com/go-jose/go-jose/v3/symmetric.go b/vendor/github.com/go-jose/go-jose/v3/symmetric.go
index fb54775ed..1ffd2708b 100644
--- a/vendor/github.com/go-jose/go-jose/v3/symmetric.go
+++ b/vendor/github.com/go-jose/go-jose/v3/symmetric.go
@@ -415,6 +415,11 @@ func (ctx *symmetricKeyCipher) decryptKey(headers rawHeader, recipient *recipien
 		if p2c <= 0 {
 			return nil, fmt.Errorf("go-jose/go-jose: invalid P2C: must be a positive integer")
 		}
+		if p2c > 1000000 {
+			// An unauthenticated attacker can set a high P2C value. Set an upper limit to avoid
+			// DoS attacks.
+			return nil, fmt.Errorf("go-jose/go-jose: invalid P2C: too high")
+		}
 
 		// salt is UTF8(Alg) || 0x00 || Salt Input
 		alg := headers.getAlgorithm()
author	dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-11-22 12:20:29 +0100
committer	GitHub <noreply@github.com>	2023-11-22 12:20:29 +0100
commit	7a9b493f4709b48156f0bb1ad7d3caffc259fa48 (patch)
tree	b5bc0278dc83a4ef7a1e0ba8a16c7e5aa7363cfe /vendor/github.com/go-jose
parent	[feature] Poll web view (#2377) (diff)
download	gotosocial-7a9b493f4709b48156f0bb1ad7d3caffc259fa48.tar.xz