Accepting request 229568 from home:gary_lin:branches:Base:System

- Add mokutil-check-corrupted-key-list.patch to check whether the
  key list is corrupted or not
- Add mokutil-no-invalid-x509.patch to avoid importing an invalid
  x509 certificate

OBS-URL: https://build.opensuse.org/request/show/229568
OBS-URL: https://build.opensuse.org/package/show/Base:System/mokutil?expand=0&rev=22

mokutil-check-corrupted-key-list.patch

@@ -0,0 +1,32 @@
+From e2e549583543bb0d607670b25af75821f55d5538 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <glin@suse.com>
+Date: Thu, 10 Apr 2014 12:36:29 +0800
+Subject: [PATCH] Check corrupted key list
+
+Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
+---
+ src/mokutil.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index eb563ca..6792823 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -237,6 +237,14 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
+ 	unsigned long count = 0;
+ 
+ 	while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
++		if (CertList->SignatureListSize == 0 ||
++		    CertList->SignatureListSize <= CertList->SignatureSize) {
++			fprintf (stderr, "Corrupted signature list\n");
++			if (list)
++				free (list);
++			return NULL;
++		}
++
+ 		if ((efi_guidcmp (CertList->SignatureType, EfiCertX509Guid) != 0) &&
+ 		    (efi_guidcmp (CertList->SignatureType, EfiHashSha1Guid) != 0) &&
+ 		    (efi_guidcmp (CertList->SignatureType, EfiHashSha224Guid) != 0) &&
+-- 
+1.8.4.5
+

mokutil-no-invalid-x509.patch

@@ -0,0 +1,28 @@
+From 0806111a850304a0490376d568ea5bf74fcdbd04 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <glin@suse.com>
+Date: Thu, 10 Apr 2014 12:37:54 +0800
+Subject: [PATCH] Don't import an invalid x509 cert
+
+Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
+---
+ src/mokutil.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 6792823..cdb5739 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -1265,8 +1265,9 @@ issue_mok_request (char **files, uint32_t total, MokRequest req,
+ 			goto error;
+ 		}
+ 		if (!is_valid_cert (ptr, read_size)) {
+-			fprintf (stderr, "Warning!!! %s is not a valid x509 certificate in DER format\n",
++			fprintf (stderr, "Abort!!! %s is not a valid x509 certificate in DER format\n",
+ 			         files[i]);
++			goto error;
+ 		}
+ 
+ 		if (is_valid_request (EfiCertX509Guid, ptr, sizes[i], req)) {
+-- 
+1.8.4.5
+

mokutil.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Apr 10 04:44:22 UTC 2014 - glin@suse.com
+
+- Add mokutil-check-corrupted-key-list.patch to check whether the
+  key list is corrupted or not
+- Add mokutil-no-invalid-x509.patch to avoid importing an invalid
+  x509 certificate
+
 -------------------------------------------------------------------
 Mon Mar 24 07:37:39 UTC 2014 - glin@suse.com
 

mokutil.spec

@@ -36,6 +36,10 @@ Patch4:         mokutil-clean-request.patch
 Patch5:         mokutil-more-details-for-skipped-keys.patch
 # PATCH-FIX-UPSTREAM mokutil-check-secure-boot-support.patch glin@suse.com -- Check whether the system supports secure boot or not
 Patch6:         mokutil-check-secure-boot-support.patch
+# PATCH-FIX-UPSTREAM mokutil-check-corrupted-key-list.patch glin@suse.com -- Add a check for corrupted list
+Patch7:         mokutil-check-corrupted-key-list.patch
+# PATCH-FIX-UPSTREAM mokutil-no-invalid-x509.patch glin@suse.com -- Don't import an invalid x509 certificate
+Patch8:         mokutil-no-invalid-x509.patch
 # PATCH-FIX-OPENSUSE mokutil-support-revoke-builtin-cert.patch glin@suse.com -- Add an option to revoke the built-in certificate
 Patch100:       mokutil-support-revoke-builtin-cert.patch
 BuildRequires:  autoconf
@@ -63,6 +67,8 @@ Authors:
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
+%patch8 -p1
 %patch100 -p1
 
 %build