import libtpms-0.9.1-3.20211126git1ff6fe1f43.el9_2

2 years ago · 070ae0097c
parent f6765a4cc4
commit 070ae0097c
2 changed files with 59 additions and 1 deletions
--- a/SOURCES/0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
+++ b/SOURCES/0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
@ -0,0 +1,52 @@
+From 324dbb4c27ae789c73b69dbf4611242267919dd4 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.ibm.com>
+Date: Mon, 20 Feb 2023 14:41:10 -0500
+Subject: [PATCH] tpm2: Check size of buffer before accessing it (CVE-2023-1017
+ & -1018)
+
+Check that there are sufficient bytes in the buffer before reading the
+cipherSize from it. Also, reduce the bufferSize variable by the number
+of bytes that make up the cipherSize to avoid reading and writing bytes
+beyond the buffer in subsequent steps that do in-place decryption.
+
+This fixes CVE-2023-1017 & CVE-2023-1018.
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+---
+ src/tpm2/CryptUtil.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c
+index 002fde0..8fae5b6 100644
+--- a/src/tpm2/CryptUtil.c
+++ b/src/tpm2/CryptUtil.c
+@@ -830,6 +830,10 @@ CryptParameterDecryption(
+ 			  + sizeof(session->sessionKey.t.buffer)));
+     TPM2B_HMAC_KEY          key;            // decryption key
+     UINT32                  cipherSize = 0; // size of cipher text
+
+    if (leadingSizeInByte > bufferSize)
+	return TPM_RC_INSUFFICIENT;
+
+     // Retrieve encrypted data size.
+     if(leadingSizeInByte == 2)
+ 	{
+@@ -837,6 +841,7 @@ CryptParameterDecryption(
+ 	    // data to be decrypted
+ 	    cipherSize = (UINT32)BYTE_ARRAY_TO_UINT16(buffer);
+ 	    buffer = &buffer[2];   // advance the buffer
+	    bufferSize -= 2;
+ 	}
+ #ifdef  TPM4B
+     else if(leadingSizeInByte == 4)
+@@ -844,6 +849,7 @@ CryptParameterDecryption(
+ 	    // the leading size is four bytes so get the four byte size field
+ 	    cipherSize = BYTE_ARRAY_TO_UINT32(buffer);
+ 	    buffer = &buffer[4];   //advance pointer
+	    bufferSize -= 4;
+ 	}
+ #endif
+     else
+-- 
+2.39.2
+
--- a/SPECS/libtpms.spec
+++ b/SPECS/libtpms.spec
@ -3,7 +3,7 @@

 Name:           libtpms
 Version:        0.9.1
-Release:        2.%{gitdate}git%{gitversion}%{?dist}
+Release:        3.%{gitdate}git%{gitversion}%{?dist}

 Summary: Library providing Trusted Platform Module (TPM) functionality
 License:        BSD
@ -12,6 +12,7 @@ Source0:        libtpms-%{gitdate}.tar.xz
 Patch0001:      0001-tpm2-Do-not-call-EVP_PKEY_CTX_set0_rsa_oaep_label-fo.patch
 Patch0002:      0001-tpm2-Fix-size-check-in-CryptSecretDecrypt.patch
 Patch0003:      0001-tpm2-When-writing-state-initialize-s_ContextSlotMask.patch
+Patch0004:      0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch

 BuildRequires:  openssl-devel
 BuildRequires:  pkgconfig gawk sed
@ -58,6 +59,11 @@ find %{buildroot} -type f -name '*.la' | xargs rm -f -- || :
 %{_mandir}/man3/*

 %changelog
+* Wed Mar 01 2023 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.1-3.20211126git1ff6fe1f43
+- Backport "tpm2: Check size of buffer before accessing it" (CVE-2023-1017 & CVE-2023-1018)
+  Resolves: rhbz#2173960
+  Resolves: rhbz#2173967
+
 * Mon Jun 20 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.1-2.20211126git1ff6fe1f43
 - Backport s_ContextSlotMask initialization fix
  Resolves: rhbz#2035731