Accepting request 915306 from home:pgajdos

- security update - added patches fix CVE-2021-3746 [bsc#1189935], out-of-bounds access via specially crafted TPM 2 command packets + libtpms-CVE-2021-3746.patch OBS-URL: https://build.opensuse.org/request/show/915306 OBS-URL: https://build.opensuse.org/package/show/security/libtpms?expand=0&rev=28
2021-09-10 13:22:37 +00:00 · 2021-09-10 13:22:37 +00:00 · 5e1c966304
commit 5e1c966304
parent 83310af55f
3 changed files with 60 additions and 1 deletions
--- a/libtpms-CVE-2021-3746.patch
+++ b/libtpms-CVE-2021-3746.patch
@ -0,0 +1,49 @@
+diff --git a/src/tpm2/NVMarshal.c b/src/tpm2/NVMarshal.c
+index 2b2d84a6..430f481f 100644
+--- a/src/tpm2/NVMarshal.c
+++ b/src/tpm2/NVMarshal.c
+@@ -4103,6 +4103,12 @@ INDEX_ORDERLY_RAM_Marshal(void *array, size_t array_size,
+                                      datasize, buffer, size);
+         }
+         offset += nrh.size;
+        if (offset + sizeof(NV_RAM_HEADER) > array_size) {
+            /* nothing will fit anymore and there won't be a 0-sized
+             * terminating node (@1).
+             */
+            break;
+        }
+     }
+ 
+     written += BLOCK_SKIP_WRITE_PUSH(TRUE, buffer, size);
+@@ -4144,6 +4150,16 @@ INDEX_ORDERLY_RAM_Unmarshal(void *array, size_t array_size,
+          */
+         nrhp = array + offset;
+ 
+        if (offset + sizeof(NV_RAM_HEADER) > sourceside_size) {
+            /* this case can occur with the previous entry filling up the
+             * space; in this case there will not be a 0-sized terminating
+             * node (see @1 above). We clear the rest of our space.
+             */
+            if (array_size > offset)
+                memset(nrhp, 0, array_size - offset);
+            break;
+        }
+
+         /* write the NVRAM header;
+            nrh->size holds the complete size including data;
+            nrh->size = 0 indicates the end */
+diff --git a/src/tpm2/Object.c b/src/tpm2/Object.c
+index ab503487..967105f5 100644
+--- a/src/tpm2/Object.c
+++ b/src/tpm2/Object.c
+@@ -284,7 +284,8 @@ FindEmptyObjectSlot(
+ 		    if(handle)
+ 			*handle = i + TRANSIENT_FIRST;
+ 		    // Initialize the object attributes
+-		    MemorySet(&object->attributes, 0, sizeof(OBJECT_ATTRIBUTES));
+		    // MemorySet(&object->attributes, 0, sizeof(OBJECT_ATTRIBUTES));
+		    MemorySet(object, 0, sizeof(*object)); // libtpms added: Initialize the whole object
+ 		    return object;
+ 		}
+ 	}
+
--- a/libtpms.changes
+++ b/libtpms.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Aug 31 16:36:31 UTC 2021 - pgajdos@suse.com
+
+- security update
+- added patches
+  fix CVE-2021-3746 [bsc#1189935], out-of-bounds access via specially crafted TPM 2 command packets
+  + libtpms-CVE-2021-3746.patch
+
 -------------------------------------------------------------------
 Sat Aug  7 15:00:32 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>

--- a/libtpms.spec
+++ b/libtpms.spec
@ -25,6 +25,8 @@ License:        BSD-3-Clause
 Group:          Development/Libraries/C and C++
 URL:            https://github.com/stefanberger/libtpms
 Source0:        %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
+# CVE-2021-3746 [bsc#1189935], out-of-bounds access via specially crafted TPM 2 command packets
+Patch0:         libtpms-CVE-2021-3746.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  fdupes
@ -57,7 +59,7 @@ Requires:       mozilla-nspr-devel
 Libtpms header files and documentation.

 %prep
-%autosetup
+%autosetup -p1

 %build
 autoreconf -fiv