import keylime-7.3.0-13.el9_3

SOURCES/0014-tpm_util-Replace-a-logger.error-with-an-Exception-in.patch

@@ -0,0 +1,80 @@
+From add9847988e963fd124863736592fc16cc8c716b Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.ibm.com>
+Date: Tue, 11 Jul 2023 18:03:28 -0400
+Subject: [PATCH 14/14] tpm_util: Replace a logger.error with an Exception in
+ case of invalid signature
+
+This fixes a possibly severe issue in 7.2.5 & 7.3.0.
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+---
+ keylime/tpm/tpm_util.py      |  6 +-----
+ keylime/tpm/tpm_util_test.py | 21 +++++++++++++++++++++
+ 2 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/keylime/tpm/tpm_util.py b/keylime/tpm/tpm_util.py
+index ce2ce0f..58a1a04 100644
+--- a/keylime/tpm/tpm_util.py
++++ b/keylime/tpm/tpm_util.py
+@@ -3,7 +3,6 @@ import string
+ import struct
+ from typing import Any, Dict, List, Optional, Tuple, Union
+ 
+-from cryptography.exceptions import InvalidSignature
+ from cryptography.hazmat import backends
+ from cryptography.hazmat.primitives import hashes, hmac, serialization
+ from cryptography.hazmat.primitives.asymmetric import ec, padding
+@@ -155,10 +154,7 @@ def checkquote(
+     digest.update(quoteblob)
+     quote_digest = digest.finalize()
+ 
+-    try:
+-        verify(pubkey, signature, quote_digest, hashfunc)
+-    except InvalidSignature:
+-        logger.error("Invalid quote signature!")
++    verify(pubkey, signature, quote_digest, hashfunc)
+ 
+     # Check that reported nonce is expected one
+     retDict = tpm2_objects.unmarshal_tpms_attest(quoteblob)
+diff --git a/keylime/tpm/tpm_util_test.py b/keylime/tpm/tpm_util_test.py
+index aaf16cd..2c73997 100644
+--- a/keylime/tpm/tpm_util_test.py
++++ b/keylime/tpm/tpm_util_test.py
+@@ -2,6 +2,7 @@ import base64
+ import unittest
+ from unittest import mock
+ 
++from cryptography.exceptions import InvalidSignature
+ from cryptography.hazmat.primitives.asymmetric.ec import (
+     SECP256R1,
+     EllipticCurve,
+@@ -60,6 +61,26 @@ class TestTpmUtil(unittest.TestCase):
+         except Exception as e:
+             self.fail(f"checkquote failed with {e}")
+ 
++        # test bad input
++        bad_quoteblob = bytearray(quoteblob)
++        bad_quoteblob[5] ^= 0x1
++        with self.assertRaises(InvalidSignature):
++            checkquote(aikblob, nonce, sigblob, bad_quoteblob, pcrblob, "sha256")
++
++        l = list(nonce)
++        l[0] = "a"
++        bad_nonce = "".join(l)
++        with self.assertRaises(Exception):
++            checkquote(aikblob, bad_nonce, sigblob, quoteblob, pcrblob, "sha256")
++
++        bad_pcrblob = bytearray(pcrblob)
++        bad_pcrblob[5] ^= 0x1
++        with self.assertRaises(Exception):
++            checkquote(aikblob, nonce, sigblob, quoteblob, bad_pcrblob, "sha256")
++
++        with self.assertRaises(ValueError):
++            checkquote(aikblob, nonce, sigblob, quoteblob, pcrblob, "sha1")
++
+     @staticmethod
+     def not_random(numbytes: int) -> bytes:
+         return b"\x12" * numbytes
+-- 
+2.41.0
+

SPECS/keylime.spec

@@ -9,7 +9,7 @@
 
 Name:    keylime
 Version: 7.3.0
-Release: 12%{?dist}
+Release: 13%{?dist}
 Summary: Open source TPM software for Bootstrapping and Maintaining Trust
 
 URL:            https://github.com/keylime/keylime
@@ -30,6 +30,7 @@ Patch: 0010-CVE-2023-38200.patch
 Patch: 0011-Automatically-update-agent-API-version.patch
 Patch: 0012-Restore-create-allowlist.patch
 Patch: 0013-Set-generator-and-timestamp-in-create-policy.patch
+Patch: 0014-tpm_util-Replace-a-logger.error-with-an-Exception-in.patch
 
 License: ASL 2.0 and MIT
 
@@ -370,6 +371,10 @@ fi
 %license LICENSE
 
 %changelog
+* Fri Jan 05 2024 Sergio Correia <scorreia@redhat.com> - 7.3.0-13
+- Backport fix for CVE-2023-3674
+  Resolves: RHEL-21013
+
 * Tue Oct 17 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.3.0-12
 - Set the generator and timestamp in create_policy.py
   Related: RHEL-11866