pool/libtpms
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 915306 from home:pgajdos

Browse Source 
- security update
- added patches
  fix CVE-2021-3746 [bsc#1189935], out-of-bounds access via specially crafted TPM 2 command packets
  + libtpms-CVE-2021-3746.patch

OBS-URL: https://build.opensuse.org/request/show/915306
OBS-URL: https://build.opensuse.org/package/show/security/libtpms?expand=0&rev=28
This commit is contained in:
Marcus Meissner 2021-09-10 13:22:37 +00:00 committed by Git OBS Bridge
parent 83310af55f
commit 5e1c966304
3 changed files with 60 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
libtpms-CVE-2021-3746.patch Normal file
View File

@ -0,0 +1,49 @@
diff --git a/src/tpm2/NVMarshal.c b/src/tpm2/NVMarshal.c
index 2b2d84a6..430f481f 100644
--- a/src/tpm2/NVMarshal.c
+++ b/src/tpm2/NVMarshal.c
@@ -4103,6 +4103,12 @@ INDEX_ORDERLY_RAM_Marshal(void *array, size_t array_size,
datasize, buffer, size);
}
offset += nrh.size;
+ if (offset + sizeof(NV_RAM_HEADER) > array_size) {
+ /* nothing will fit anymore and there won't be a 0-sized
+ * terminating node (@1).
+ */
+ break;
+ }
}
written += BLOCK_SKIP_WRITE_PUSH(TRUE, buffer, size);
@@ -4144,6 +4150,16 @@ INDEX_ORDERLY_RAM_Unmarshal(void *array, size_t array_size,
*/
nrhp = array + offset;
+ if (offset + sizeof(NV_RAM_HEADER) > sourceside_size) {
+ /* this case can occur with the previous entry filling up the
+ * space; in this case there will not be a 0-sized terminating
+ * node (see @1 above). We clear the rest of our space.
+ */
+ if (array_size > offset)
+ memset(nrhp, 0, array_size - offset);
+ break;
+ }
+
/* write the NVRAM header;
nrh->size holds the complete size including data;
nrh->size = 0 indicates the end */
diff --git a/src/tpm2/Object.c b/src/tpm2/Object.c
index ab503487..967105f5 100644
--- a/src/tpm2/Object.c
+++ b/src/tpm2/Object.c
@@ -284,7 +284,8 @@ FindEmptyObjectSlot(
if(handle)
*handle = i + TRANSIENT_FIRST;
// Initialize the object attributes
- MemorySet(&object->attributes, 0, sizeof(OBJECT_ATTRIBUTES));
+ // MemorySet(&object->attributes, 0, sizeof(OBJECT_ATTRIBUTES));
+ MemorySet(object, 0, sizeof(*object)); // libtpms added: Initialize the whole object
return object;
}
}

8
libtpms.changes
View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Tue Aug 31 16:36:31 UTC 2021 - pgajdos@suse.com
- security update
- added patches
fix CVE-2021-3746 [bsc#1189935], out-of-bounds access via specially crafted TPM 2 command packets
+ libtpms-CVE-2021-3746.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Sat Aug 7 15:00:32 UTC 2021 - Callum Farmer <gmbr3@opensuse.org> Sat Aug 7 15:00:32 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>

4
libtpms.spec
View File

@ -25,6 +25,8 @@ License: BSD-3-Clause
Group: Development/Libraries/C and C++ Group: Development/Libraries/C and C++
URL: https://github.com/stefanberger/libtpms URL: https://github.com/stefanberger/libtpms
Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
# CVE-2021-3746 [bsc#1189935], out-of-bounds access via specially crafted TPM 2 command packets
Patch0: libtpms-CVE-2021-3746.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
BuildRequires: fdupes BuildRequires: fdupes
@ -57,7 +59,7 @@ Requires: mozilla-nspr-devel
Libtpms header files and documentation. Libtpms header files and documentation.
%prep %prep
%autosetup %autosetup -p1
%build %build
autoreconf -fiv autoreconf -fiv