rpms
/
libtpms
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

import libtpms-0.9.1-3.20211126git1ff6fe1f43.el9_2

Browse Source
i9c changed/i9c/libtpms-0.9.1-3.20211126git1ff6fe1f43.el9_2
MSVSphere Packaging Team 2 years ago
parent 74c376094e
commit 8838832c38
2 changed files with 59 additions and 1 deletions
Show Stats Download Patch File Download Diff File

52
SOURCES/0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
Unescape View File

@ -0,0 +1,52 @@
From 324dbb4c27ae789c73b69dbf4611242267919dd4 Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Mon, 20 Feb 2023 14:41:10 -0500
Subject: [PATCH] tpm2: Check size of buffer before accessing it (CVE-2023-1017
& -1018)
Check that there are sufficient bytes in the buffer before reading the
cipherSize from it. Also, reduce the bufferSize variable by the number
of bytes that make up the cipherSize to avoid reading and writing bytes
beyond the buffer in subsequent steps that do in-place decryption.
This fixes CVE-2023-1017 & CVE-2023-1018.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
src/tpm2/CryptUtil.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c
index 002fde0..8fae5b6 100644
--- a/src/tpm2/CryptUtil.c
+++ b/src/tpm2/CryptUtil.c
@@ -830,6 +830,10 @@ CryptParameterDecryption(
+ sizeof(session->sessionKey.t.buffer)));
TPM2B_HMAC_KEY key; // decryption key
UINT32 cipherSize = 0; // size of cipher text
+
+ if (leadingSizeInByte > bufferSize)
+ return TPM_RC_INSUFFICIENT;
+
// Retrieve encrypted data size.
if(leadingSizeInByte == 2)
{
@@ -837,6 +841,7 @@ CryptParameterDecryption(
// data to be decrypted
cipherSize = (UINT32)BYTE_ARRAY_TO_UINT16(buffer);
buffer = &buffer[2]; // advance the buffer
+ bufferSize -= 2;
}
#ifdef TPM4B
else if(leadingSizeInByte == 4)
@@ -844,6 +849,7 @@ CryptParameterDecryption(
// the leading size is four bytes so get the four byte size field
cipherSize = BYTE_ARRAY_TO_UINT32(buffer);
buffer = &buffer[4]; //advance pointer
+ bufferSize -= 4;
}
#endif
else
--
2.39.2

8
SPECS/libtpms.spec
Unescape View File

@ -3,7 +3,7 @@
Name: libtpms Name: libtpms
Version: 0.9.1 Version: 0.9.1
Release: 2.%{gitdate}git%{gitversion}%{?dist} Release: 3.%{gitdate}git%{gitversion}%{?dist}
Summary: Library providing Trusted Platform Module (TPM) functionality Summary: Library providing Trusted Platform Module (TPM) functionality
License: BSD License: BSD
@ -12,6 +12,7 @@ Source0: libtpms-%{gitdate}.tar.xz
Patch0001: 0001-tpm2-Do-not-call-EVP_PKEY_CTX_set0_rsa_oaep_label-fo.patch Patch0001: 0001-tpm2-Do-not-call-EVP_PKEY_CTX_set0_rsa_oaep_label-fo.patch
Patch0002: 0001-tpm2-Fix-size-check-in-CryptSecretDecrypt.patch Patch0002: 0001-tpm2-Fix-size-check-in-CryptSecretDecrypt.patch
Patch0003: 0001-tpm2-When-writing-state-initialize-s_ContextSlotMask.patch Patch0003: 0001-tpm2-When-writing-state-initialize-s_ContextSlotMask.patch
Patch0004: 0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
BuildRequires: openssl-devel BuildRequires: openssl-devel
BuildRequires: pkgconfig gawk sed BuildRequires: pkgconfig gawk sed
@ -61,6 +62,11 @@ find %{buildroot} -type f -name '*.la' | xargs rm -f -- || :
* Wed Mar 15 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 0.9.1-2.20211126git1ff6fe1f43 * Wed Mar 15 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 0.9.1-2.20211126git1ff6fe1f43
- Rebuilt for MSVSphere 9.1. - Rebuilt for MSVSphere 9.1.
* Wed Mar 01 2023 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.1-3.20211126git1ff6fe1f43
- Backport "tpm2: Check size of buffer before accessing it" (CVE-2023-1017 & CVE-2023-1018)
Resolves: rhbz#2173960
Resolves: rhbz#2173967
* Mon Jun 20 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.1-2.20211126git1ff6fe1f43 * Mon Jun 20 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.1-2.20211126git1ff6fe1f43
- Backport s_ContextSlotMask initialization fix - Backport s_ContextSlotMask initialization fix
Resolves: rhbz#2035731 Resolves: rhbz#2035731

Write Preview
Loading…
Cancel
Save