From 5e1c96630419849a9289c6b8d5d3407a22827b37ad8f05fd612f3c30e2af9e59 Mon Sep 17 00:00:00 2001
From: Marcus Meissner
Date: Fri, 10 Sep 2021 13:22:37 +0000
Subject: [PATCH] Accepting request 915306 from home:pgajdos - security update - added patches fix CVE-2021-3746 [bsc#1189935], out-of-bounds access via specially crafted TPM 2 command packets + libtpms-CVE-2021-3746.patch
OBS-URL: https://build.opensuse.org/request/show/915306
OBS-URL: https://build.opensuse.org/package/show/security/libtpms?expand=0&rev=28
---
 libtpms-CVE-2021-3746.patch | 49 +++++++++++++++++++++++++++++++++++++
 libtpms.changes | 8 ++++++
 libtpms.spec | 4 ++-
 3 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100644 libtpms-CVE-2021-3746.patch
diff --git a/libtpms-CVE-2021-3746.patch b/libtpms-CVE-2021-3746.patch
new file mode 100644
index 0000000..ef34831
--- /dev/null
+++ b/libtpms-CVE-2021-3746.patch
@@ -0,0 +1,49 @@
+diff --git a/src/tpm2/NVMarshal.c b/src/tpm2/NVMarshal.c
+index 2b2d84a6..430f481f 100644
+--- a/src/tpm2/NVMarshal.c
++++ b/src/tpm2/NVMarshal.c
+@@ -4103,6 +4103,12 @@ INDEX_ORDERLY_RAM_Marshal(void *array, size_t array_size,
+ datasize, buffer, size);
+ }
+ offset += nrh.size;
++ if (offset + sizeof(NV_RAM_HEADER) > array_size) {
++ /* nothing will fit anymore and there won't be a 0-sized
++ * terminating node (@1).
++ */
++ break;
++ }
+ }
+
+ written += BLOCK_SKIP_WRITE_PUSH(TRUE, buffer, size);
+@@ -4144,6 +4150,16 @@ INDEX_ORDERLY_RAM_Unmarshal(void *array, size_t array_size,
+ */
+ nrhp = array + offset;
+
++ if (offset + sizeof(NV_RAM_HEADER) > sourceside_size) {
++ /* this case can occur with the previous entry filling up the
++ * space; in this case there will not be a 0-sized terminating
++ * node (see @1 above). We clear the rest of our space.
++ */
++ if (array_size > offset)
++ memset(nrhp, 0, array_size - offset);
++ break;
++ }
++
+ /* write the NVRAM header;
+ nrh->size holds the complete size including data;
+ nrh->size = 0 indicates the end */
+diff --git a/src/tpm2/Object.c b/src/tpm2/Object.c
+index ab503487..967105f5 100644
+--- a/src/tpm2/Object.c
++++ b/src/tpm2/Object.c
+@@ -284,7 +284,8 @@ FindEmptyObjectSlot(
+ if(handle)
+ *handle = i + TRANSIENT_FIRST;
+ // Initialize the object attributes
+- MemorySet(&object->attributes, 0, sizeof(OBJECT_ATTRIBUTES));
++ // MemorySet(&object->attributes, 0, sizeof(OBJECT_ATTRIBUTES));
++ MemorySet(object, 0, sizeof(*object)); // libtpms added: Initialize the whole object
+ return object;
+ }
+ }
+
diff --git a/libtpms.changes b/libtpms.changes
index e787ed7..6daa717 100644
--- a/libtpms.changes
+++ b/libtpms.changes
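Review bot: In the INDEX_ORDERLY_RAM_Unmarshal hunk of the embedded patch, the new guard compares `offset + sizeof(NV_RAM_HEADER)` with `sourceside_size`, whereas the destination `array` and the memset inside the guard are bounded by `array_size`. The hunk does not show how the two sizes relate. If `sourceside_size` could exceed `array_size`, the header write that follows the guard would be checked against the wrong limit. I would add a comment above the guard naming where that invariant is enforced, e.g. `/* sourceside_size <= array_size is checked at <location>, so the header at nrhp stays inside array */`, or add an explicit `array_size` comparison if no such check exists. The function body starts and ends outside the hunk, so this could not be confirmed from here.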
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Aug 31 16:36:31 UTC 2021 - pgajdos@suse.com
+
+- security update
+- added patches
+ fix CVE-2021-3746 [bsc#1189935], out-of-bounds access via specially crafted TPM 2 command packets
+ + libtpms-CVE-2021-3746.patch
+
 -------------------------------------------------------------------
 Sat Aug 7 15:00:32 UTC 2021 - Callum Farmer
diff --git a/libtpms.spec b/libtpms.spec
index c1e7971..b6e7c9b 100644
--- a/libtpms.spec
+++ b/libtpms.spec
@@ -25,6 +25,8 @@ License: BSD-3-Clause
 Group: Development/Libraries/C and C++
 URL: https://github.com/stefanberger/libtpms
 Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
+# CVE-2021-3746 [bsc#1189935], out-of-bounds access via specially crafted TPM 2 command packets
+Patch0: libtpms-CVE-2021-3746.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: fdupes
@@ -57,7 +59,7 @@ Requires: mozilla-nspr-devel
 Libtpms header files and documentation.
 %prep
-%autosetup
+%autosetup -p1
 %build
 autoreconf -fiv