Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tpm2-0-tss for openSUSE:Factory checked in at 2023-01-21 19:10:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tpm2-0-tss (Old) and /work/SRC/openSUSE:Factory/.tpm2-0-tss.new.32243 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tpm2-0-tss" Sat Jan 21 19:10:13 2023 rev:31 rq:1059943 version:3.2.0 Changes: -------- --- /work/SRC/openSUSE:Factory/tpm2-0-tss/tpm2-0-tss.changes 2022-07-12 11:12:20.839691213 +0200 +++ /work/SRC/openSUSE:Factory/.tpm2-0-tss.new.32243/tpm2-0-tss.changes 2023-01-21 19:10:22.612892799 +0100 @@ -1,0 +2,9 @@ +Fri Jan 20 11:10:30 UTC 2023 - Matthias Gerstner <matthias.gerst...@suse.com> + +- add 0001-tss2_rc-ensure-layer-number-is-in-bounds.patch: fixes + CVE-2023-22745 (bsc#1207325): Buffer Overlow in TSS2_RC_Decode. Overly large + RC values passed to the TSS2 function could lead to memory overread or + memory overread. + This patch is not yet part of any upstream git tag. + +------------------------------------------------------------------- New: ---- 0001-tss2_rc-ensure-layer-number-is-in-bounds.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tpm2-0-tss.spec ++++++ --- /var/tmp/diff_new_pack.cEWG4C/_old 2023-01-21 19:10:23.208896201 +0100 +++ /var/tmp/diff_new_pack.cEWG4C/_new 2023-01-21 19:10:23.216896247 +0100 @@ -1,7 +1,7 @@ # # spec file for package tpm2-0-tss # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -28,6 +28,7 @@ # curl https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xd6b4d8bac7e0cc97dcd4ac7272e88b53f7a95d84 > tpm2-tss.keyring Source2: tpm2-tss.keyring Source3: baselibs.conf +Patch0: 0001-tss2_rc-ensure-layer-number-is-in-bounds.patch BuildRequires: /usr/sbin/groupadd BuildRequires: acl BuildRequires: doxygen @@ -185,7 +186,7 @@ daemon hosting the TPM2 reference implementation. %prep -%autosetup -n tpm2-tss-%{version} +%autosetup -p1 -n tpm2-tss-%{version} %build # configure looks for groupadd on PATH ++++++ 0001-tss2_rc-ensure-layer-number-is-in-bounds.patch ++++++ >From 306490c8d848c367faa2d9df81f5e69dab46ffb5 Mon Sep 17 00:00:00 2001 From: William Roberts <william.c.robe...@intel.com> Date: Thu, 19 Jan 2023 11:53:06 -0600 Subject: [PATCH] tss2_rc: ensure layer number is in bounds The layer handler array was defined as 255, the max number of uint8, which is the size of the layer field, however valid values are 0-255 allowing for 256 possibilities and thus the array was off by one and needed to be sized to 256 entries. Update the size and add tests. Note: previous implementations incorrectly dropped bits on unknown error output, ie TSS2_RC of 0xFFFFFF should yeild a string of 255:0xFFFFFF, but earlier implementations returned 255:0xFFFF, dropping the middle bits, this patch fixes that. Fixes: CVE-2023-22745 Signed-off-by: William Roberts <william.c.robe...@intel.com> --- src/tss2-rc/tss2_rc.c | 31 +++++++++++++++++++++---------- test/unit/test_tss2_rc.c | 21 ++++++++++++++++++++- 2 files changed, 41 insertions(+), 11 deletions(-) Index: tpm2-tss-3.2.0/src/tss2-rc/tss2_rc.c =================================================================== --- tpm2-tss-3.2.0.orig/src/tss2-rc/tss2_rc.c +++ tpm2-tss-3.2.0/src/tss2-rc/tss2_rc.c @@ -1,5 +1,8 @@ /* SPDX-License-Identifier: BSD-2-Clause */ - +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif +#include <assert.h> #include <stdarg.h> #include <stdbool.h> #include <stdio.h> @@ -834,7 +837,7 @@ tss_err_handler (TSS2_RC rc) static struct { char name[TSS2_ERR_LAYER_NAME_MAX]; TSS2_RC_HANDLER handler; -} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT] = { +} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT + 1] = { ADD_HANDLER("tpm" , tpm2_ehandler), ADD_NULL_HANDLER, /* layer 1 is unused */ ADD_NULL_HANDLER, /* layer 2 is unused */ @@ -869,7 +872,7 @@ unknown_layer_handler(TSS2_RC rc) static __thread char buf[32]; clearbuf(buf); - catbuf(buf, "0x%X", tpm2_error_get(rc)); + catbuf(buf, "0x%X", rc); return buf; } @@ -966,19 +969,27 @@ Tss2_RC_Decode(TSS2_RC rc) catbuf(buf, "%u:", layer); } - handler = !handler ? unknown_layer_handler : handler; - /* * Handlers only need the error bits. This way they don't * need to concern themselves with masking off the layer * bits or anything else. */ - UINT16 err_bits = tpm2_error_get(rc); - const char *e = err_bits ? handler(err_bits) : "success"; - if (e) { - catbuf(buf, "%s", e); + if (handler) { + UINT16 err_bits = tpm2_error_get(rc); + const char *e = err_bits ? handler(err_bits) : "success"; + if (e) { + catbuf(buf, "%s", e); + } else { + catbuf(buf, "0x%X", err_bits); + } } else { - catbuf(buf, "0x%X", err_bits); + /* + * we don't want to drop any bits if we don't know what to do with it + * so drop the layer byte since we we already have that. + */ + const char *e = unknown_layer_handler(rc >> 8); + assert(e); + catbuf(buf, "%s", e); } return buf;
