diff --git a/mokutil-check-corrupted-key-list.patch b/mokutil-check-corrupted-key-list.patch new file mode 100644 index 0000000..9ed6bcf --- /dev/null +++ b/mokutil-check-corrupted-key-list.patch @@ -0,0 +1,32 @@ +From e2e549583543bb0d607670b25af75821f55d5538 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Thu, 10 Apr 2014 12:36:29 +0800 +Subject: [PATCH] Check corrupted key list + +Signed-off-by: Gary Ching-Pang Lin +--- + src/mokutil.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/mokutil.c b/src/mokutil.c +index eb563ca..6792823 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -237,6 +237,14 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num) + unsigned long count = 0; + + while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { ++ if (CertList->SignatureListSize == 0 || ++ CertList->SignatureListSize <= CertList->SignatureSize) { ++ fprintf (stderr, "Corrupted signature list\n"); ++ if (list) ++ free (list); ++ return NULL; ++ } ++ + if ((efi_guidcmp (CertList->SignatureType, EfiCertX509Guid) != 0) && + (efi_guidcmp (CertList->SignatureType, EfiHashSha1Guid) != 0) && + (efi_guidcmp (CertList->SignatureType, EfiHashSha224Guid) != 0) && +-- +1.8.4.5 + diff --git a/mokutil-no-invalid-x509.patch b/mokutil-no-invalid-x509.patch new file mode 100644 index 0000000..750bb57 --- /dev/null +++ b/mokutil-no-invalid-x509.patch @@ -0,0 +1,28 @@ +From 0806111a850304a0490376d568ea5bf74fcdbd04 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Thu, 10 Apr 2014 12:37:54 +0800 +Subject: [PATCH] Don't import an invalid x509 cert + +Signed-off-by: Gary Ching-Pang Lin +--- + src/mokutil.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 6792823..cdb5739 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -1265,8 +1265,9 @@ issue_mok_request (char **files, uint32_t total, MokRequest req, + goto error; + } + if (!is_valid_cert (ptr, read_size)) { +- fprintf (stderr, "Warning!!! %s is not a valid x509 certificate in DER format\n", ++ fprintf (stderr, "Abort!!! %s is not a valid x509 certificate in DER format\n", + files[i]); ++ goto error; + } + + if (is_valid_request (EfiCertX509Guid, ptr, sizes[i], req)) { +-- +1.8.4.5 + diff --git a/mokutil.changes b/mokutil.changes index 60c606b..f2a4854 100644 --- a/mokutil.changes +++ b/mokutil.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Thu Apr 10 04:44:22 UTC 2014 - glin@suse.com + +- Add mokutil-check-corrupted-key-list.patch to check whether the + key list is corrupted or not +- Add mokutil-no-invalid-x509.patch to avoid importing an invalid + x509 certificate + ------------------------------------------------------------------- Mon Mar 24 07:37:39 UTC 2014 - glin@suse.com diff --git a/mokutil.spec b/mokutil.spec index f6a41f2..8d1b3c5 100644 --- a/mokutil.spec +++ b/mokutil.spec @@ -36,6 +36,10 @@ Patch4: mokutil-clean-request.patch Patch5: mokutil-more-details-for-skipped-keys.patch # PATCH-FIX-UPSTREAM mokutil-check-secure-boot-support.patch glin@suse.com -- Check whether the system supports secure boot or not Patch6: mokutil-check-secure-boot-support.patch +# PATCH-FIX-UPSTREAM mokutil-check-corrupted-key-list.patch glin@suse.com -- Add a check for corrupted list +Patch7: mokutil-check-corrupted-key-list.patch +# PATCH-FIX-UPSTREAM mokutil-no-invalid-x509.patch glin@suse.com -- Don't import an invalid x509 certificate +Patch8: mokutil-no-invalid-x509.patch # PATCH-FIX-OPENSUSE mokutil-support-revoke-builtin-cert.patch glin@suse.com -- Add an option to revoke the built-in certificate Patch100: mokutil-support-revoke-builtin-cert.patch BuildRequires: autoconf @@ -63,6 +67,8 @@ Authors: %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 +%patch8 -p1 %patch100 -p1 %build