Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
Address CVE-2019-14584 (#977300), for which the security team has declined
to release a DSA.

[ Impact ]
Possible firmware crash while validating signed payloads.

[ Tests ]
Regression tested by booting a Secure Boot guest.

[ Risks ]
It's a one-liner fix - if it introduced a regression, it could break certain
secure boot guests.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
A clean cherry-pick from upstream to fix a potential NULL pointer dereference.

[ Other info ]
N/A

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.9.0-1-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru edk2-0~20181115.85588389/debian/changelog edk2-0~20181115.85588389/debian/changelog --- edk2-0~20181115.85588389/debian/changelog 2020-09-17 13:45:52.000000000 -0600 +++ edk2-0~20181115.85588389/debian/changelog 2020-12-15 12:30:28.000000000 -0700 @@ -1,3 +1,11 @@ +edk2 (0~20181115.85588389-3+deb10u3) buster; urgency=medium + + * CryptoPkg/BaseCryptLib: fix NULL dereference. (CVE-2019-14584) + (Closes: #977300) + - d/p/CryptoPkg-BaseCryptLib-fix-NULL-dereference-CVE-2019.patch + + -- dann frazier <da...@debian.org> Tue, 15 Dec 2020 12:30:28 -0700 + edk2 (0~20181115.85588389-3+deb10u2) buster; urgency=medium * Fix integer overflow in DxeImageVerificationHandler. (CVE-2019-14562) diff -Nru edk2-0~20181115.85588389/debian/patches/CryptoPkg-BaseCryptLib-fix-NULL-dereference-CVE-2019.patch edk2-0~20181115.85588389/debian/patches/CryptoPkg-BaseCryptLib-fix-NULL-dereference-CVE-2019.patch --- edk2-0~20181115.85588389/debian/patches/CryptoPkg-BaseCryptLib-fix-NULL-dereference-CVE-2019.patch 1969-12-31 17:00:00.000000000 -0700 +++ edk2-0~20181115.85588389/debian/patches/CryptoPkg-BaseCryptLib-fix-NULL-dereference-CVE-2019.patch 2020-12-15 12:30:28.000000000 -0700 
@@ -0,0 +1,51 @@ +From 26442d11e620a9e81c019a24a4ff38441c64ba10 Mon Sep 17 00:00:00 2001 +From: Jian J Wang <jian.j.w...@intel.com> +Date: Thu, 25 Apr 2019 23:42:16 +0800 +Subject: [PATCH] CryptoPkg/BaseCryptLib: fix NULL dereference (CVE-2019-14584) + +REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1914 + +AuthenticodeVerify() calls OpenSSLs d2i_PKCS7() API to parse asn encoded +signed authenticode pkcs#7 data. when this successfully returns, a type +check is done by calling PKCS7_type_is_signed() and then +Pkcs7->d.sign->contents->type is used. It is possible to construct an asn1 +blob that successfully decodes and have d2i_PKCS7() return a valid pointer +and have PKCS7_type_is_signed() also return success but have Pkcs7->d.sign +be a NULL pointer. + +Looking at how PKCS7_verify() [inside of OpenSSL] implements checking for +pkcs7 structs it does the following: +- call PKCS7_type_is_signed() +- call PKCS7_get_detached() +Looking into how PKCS7_get_detatched() is implemented, it checks to see if +p7->d.sign is NULL or if p7->d.sign->contents->d.ptr is NULL. + +As such, the fix is to do the same as OpenSSL after calling d2i_PKCS7(). 
+- Add call to PKS7_get_detached() to existing error handling + +Cc: Xiaoyu Lu <xiaoyux...@intel.com> +Cc: Guomin Jiang <guomin.ji...@intel.com> +Cc: Jiewen Yao <jiewen....@intel.com> +Cc: Laszlo Ersek <ler...@redhat.com> +Signed-off-by: Jian J Wang <jian.j.w...@intel.com> +Reviewed-by: Laszlo Ersek <ler...@redhat.com> +Reviewed-by: Jiewen Yao <jiewen....@intel.com> + +Origin: upstream, https://github.com/tianocore/edk2/commit/26442d11e620a9e81c019a24a4ff38441c64ba10 +Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1914 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977300 +Last-Update: 2020-12-15 + +Index: edk2/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c +=================================================================== +--- edk2.orig/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c ++++ edk2/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c +@@ -106,7 +106,7 @@ AuthenticodeVerify ( + // + // Check if it's PKCS#7 Signed Data (for Authenticode Scenario) + // +- if (!PKCS7_type_is_signed (Pkcs7)) { ++ if (!PKCS7_type_is_signed (Pkcs7) || PKCS7_get_detached (Pkcs7)) { + goto _Exit; + } + diff -Nru edk2-0~20181115.85588389/debian/patches/series edk2-0~20181115.85588389/debian/patches/series --- edk2-0~20181115.85588389/debian/patches/series 2020-09-17 13:45:52.000000000 -0600 +++ edk2-0~20181115.85588389/debian/patches/series 2020-12-15 12:30:28.000000000 -0700 @@ -27,3 +27,4 @@ 0001-SecurityPkg-DxeImageVerificationLib-extract-SecDataD.patch 0002-SecurityPkg-DxeImageVerificationLib-assign-WinCertif.patch 0003-SecurityPkg-DxeImageVerificationLib-catch-alignment-.patch +CryptoPkg-BaseCryptLib-fix-NULL-dereference-CVE-2019.patch
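Review bot: in the CryptAuthenticode.c hunk, the new `|| PKCS7_get_detached (Pkcs7)` condition is doing double duty, and only one of those duties is visible from the surrounding comment. As the commit message explains, PKCS7_get_detached() returns nonzero both when p7->d.sign is NULL and when p7->d.sign->contents->d.ptr is NULL, so the added test is what stops the later read of Pkcs7->d.sign->contents->type from dereferencing NULL; the existing comment ("Check if it's PKCS#7 Signed Data") only describes the type check. Suggest extending that comment so the intent of the second operand survives future refactoring, e.g. `// Also reject detached or empty signed data, where d.sign may be NULL (CVE-2019-14584)`.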
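Review bot: the quoted upstream commit message spells the helper as `PKS7_get_detached()` in `- Add call to PKS7_get_detached() to existing error handling`, while the code hunk (correctly) calls `PKCS7_get_detached`; since the patch is a verbatim cherry-pick (`Origin: upstream, https://github.com/tianocore/edk2/commit/26442d11e620a9e81c019a24a4ff38441c64ba10`) the typo is cosmetic and should not be altered in the patch file, but the Debian changelog entry does name the function correctly, so nothing further is needed there. The DEP-3 headers (Origin, Bug, Bug-Debian, Last-Update) are complete, and the series hunk appends the new patch after the existing CVE-2019-14562 patches, which keeps the ordering consistent with the changelog.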