Subject: CVS commit: pkgsrc/security/libjwt
From: Adam Ciarcinski
Date: 2025-01-29 19:17:24
Message id: 20250129181724.97C4FFBE0@cvs.NetBSD.org

Log Message:
libjwt: updated to 2.1.1

2.1.1

jwt_decode_2(): Security vulnerability

This function had faulty logic based on some assumptions that it could trust the JWT in that if it was alg:none, it would not run the callback.

The assumption would allow an attacker to modify the JWT header and body and trick the function into returning without having retrieved a key from the cb, meaning no verification of the signature was done, and it returned as if everything was successful.

The caller of jwt_decode_2 has no real way to know that their cb was never run.

As an aside, it was found that some of the test cases were assuming that you could call jwt_decode_2 with key_provider == NULL. This doesn't make much sense, considering there's no way to pass a key without a key_provider.

In this instance, if passed a JWT with alg:none, this was fine. If called with any other alg type, the code would attempt to run the NULL `key_provider` and produce a SEGV.

RESOLUTION

- jwt_decode_2 will always run the key_provider if passed, assuming there was not a previous error.
- Always check key_provider for NULL before using it.
- If no key_provider, but JWT had alg != none, processing fails.

NOTES:

jwt_decode() and jwt_decode_2() are being deprecated in favor of more robust functionality.

Files:
Revision  Action  File
1.2       modify  pkgsrc/security/libjwt/Makefile
1.2       modify  pkgsrc/security/libjwt/distinfo
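The decode logic described in the log message, modelled as an added example (this is not libjwt's code and uses none of its API): `jwt_decode_2` applies the three RESOLUTION rules, and the `legacy_trust_alg_none` flag reproduces the pre-2.1.1 shortcut so the two behaviours can be compared on a token rewritten to alg:none. Only HS256 is modelled, `demo_provider`, `DEMO_KEY` and the decision to reject alg:none once a key is present are assumptions of this example.

```python
import base64, hashlib, hmac, json

class JwtError(Exception):
    pass

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(header, claims, key=None):
    """Build a compact JWT; key=None yields an unsigned token (empty signature)."""
    head = _b64e(json.dumps(header, separators=(",", ":")).encode())
    body = _b64e(json.dumps(claims, separators=(",", ":")).encode())
    sig = b"" if key is None else hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def jwt_decode_2(token, key_provider, legacy_trust_alg_none=False):
    """Hypothetical model of jwt_decode_2(), not libjwt's code. True reproduces
    the pre-2.1.1 shortcut; False applies the 2.1.1 resolution rules."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_b64d(head)), json.loads(_b64d(body))
    except ValueError:
        raise JwtError("malformed token")
    alg = header.get("alg")
    # Pre-2.1.1 bug: an attacker-controlled alg:none header skips the callback
    # and the token is returned as if it had been verified.
    if legacy_trust_alg_none and alg == "none":
        return claims
    if key_provider is None:
        # 2.1.1: no provider means no key; anything but alg:none fails (NULL checked before use)
        if alg != "none":
            raise JwtError("alg %r requires a key_provider" % alg)
        return claims
    key = key_provider(header)  # 2.1.1: the provider always runs when supplied
    if key is None:
        raise JwtError("key_provider supplied no key")
    if alg != "HS256":  # assumption: only HS256 modelled; alg:none plus a key is rejected
        raise JwtError("alg %r not acceptable once a key is present" % alg)
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64d(sig)):
        raise JwtError("signature verification failed")
    return claims

DEMO_KEY = b"constructed-demo-key"   # constructed sample key, not a real secret
PROVIDER_CALLS = []                  # records every alg the provider was asked about
def demo_provider(header):
    PROVIDER_CALLS.append(header.get("alg"))
    return DEMO_KEY
```

With the fix, `PROVIDER_CALLS` shows the callback ran for the alg:none token too, which is exactly what a caller of the old code could not observe.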