Accepting request 229568 from home:gary_lin:branches:Base:System

- Add mokutil-check-corrupted-key-list.patch to check whether the
  key list is corrupted or not
- Add mokutil-no-invalid-x509.patch to avoid importing an invalid
  x509 certificate

OBS-URL: https://build.opensuse.org/request/show/229568
OBS-URL: https://build.opensuse.org/package/show/Base:System/mokutil?expand=0&rev=22
This commit is contained in:
Gary Ching-Pang Lin 2014-04-10 08:31:21 +00:00 committed by Git OBS Bridge
parent 1ac1ba5fd6
commit cc67a2e864
4 changed files with 74 additions and 0 deletions

View File

@ -0,0 +1,32 @@
From e2e549583543bb0d607670b25af75821f55d5538 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 10 Apr 2014 12:36:29 +0800
Subject: [PATCH] Check corrupted key list
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
src/mokutil.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/mokutil.c b/src/mokutil.c
index eb563ca..6792823 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -237,6 +237,14 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
unsigned long count = 0;
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
+ if (CertList->SignatureListSize == 0 ||
+ CertList->SignatureListSize <= CertList->SignatureSize) {
+ fprintf (stderr, "Corrupted signature list\n");
+ if (list)
+ free (list);
+ return NULL;
+ }
+
if ((efi_guidcmp (CertList->SignatureType, EfiCertX509Guid) != 0) &&
(efi_guidcmp (CertList->SignatureType, EfiHashSha1Guid) != 0) &&
(efi_guidcmp (CertList->SignatureType, EfiHashSha224Guid) != 0) &&
--
1.8.4.5

View File

@ -0,0 +1,28 @@
From 0806111a850304a0490376d568ea5bf74fcdbd04 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 10 Apr 2014 12:37:54 +0800
Subject: [PATCH] Don't import an invalid x509 cert
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
src/mokutil.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/mokutil.c b/src/mokutil.c
index 6792823..cdb5739 100644
--- a/src/mokutil.c
+++ b/src/mokutil.c
@@ -1265,8 +1265,9 @@ issue_mok_request (char **files, uint32_t total, MokRequest req,
goto error;
}
if (!is_valid_cert (ptr, read_size)) {
- fprintf (stderr, "Warning!!! %s is not a valid x509 certificate in DER format\n",
+ fprintf (stderr, "Abort!!! %s is not a valid x509 certificate in DER format\n",
files[i]);
+ goto error;
}
if (is_valid_request (EfiCertX509Guid, ptr, sizes[i], req)) {
--
1.8.4.5

View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Thu Apr 10 04:44:22 UTC 2014 - glin@suse.com
- Add mokutil-check-corrupted-key-list.patch to check whether the
key list is corrupted or not
- Add mokutil-no-invalid-x509.patch to avoid importing an invalid
x509 certificate
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Mar 24 07:37:39 UTC 2014 - glin@suse.com Mon Mar 24 07:37:39 UTC 2014 - glin@suse.com

View File

@ -36,6 +36,10 @@ Patch4: mokutil-clean-request.patch
Patch5: mokutil-more-details-for-skipped-keys.patch Patch5: mokutil-more-details-for-skipped-keys.patch
# PATCH-FIX-UPSTREAM mokutil-check-secure-boot-support.patch glin@suse.com -- Check whether the system supports secure boot or not # PATCH-FIX-UPSTREAM mokutil-check-secure-boot-support.patch glin@suse.com -- Check whether the system supports secure boot or not
Patch6: mokutil-check-secure-boot-support.patch Patch6: mokutil-check-secure-boot-support.patch
# PATCH-FIX-UPSTREAM mokutil-check-corrupted-key-list.patch glin@suse.com -- Add a check for corrupted list
Patch7: mokutil-check-corrupted-key-list.patch
# PATCH-FIX-UPSTREAM mokutil-no-invalid-x509.patch glin@suse.com -- Don't import an invalid x509 certificate
Patch8: mokutil-no-invalid-x509.patch
# PATCH-FIX-OPENSUSE mokutil-support-revoke-builtin-cert.patch glin@suse.com -- Add an option to revoke the built-in certificate # PATCH-FIX-OPENSUSE mokutil-support-revoke-builtin-cert.patch glin@suse.com -- Add an option to revoke the built-in certificate
Patch100: mokutil-support-revoke-builtin-cert.patch Patch100: mokutil-support-revoke-builtin-cert.patch
BuildRequires: autoconf BuildRequires: autoconf
@ -63,6 +67,8 @@ Authors:
%patch4 -p1 %patch4 -p1
%patch5 -p1 %patch5 -p1
%patch6 -p1 %patch6 -p1
%patch7 -p1
%patch8 -p1
%patch100 -p1 %patch100 -p1
%build %build