Control: tags 1032420 + patch Control: tags 1032420 + pending
Dear maintainer, I've prepared an NMU for libtpms (versioned as 0.9.2-3.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Additionally the changes can be fetches as MR on salsa: https://salsa.debian.org/debian/libtpms/-/merge_requests/5 Regards, Salvatore
diff -Nru libtpms-0.9.2/debian/changelog libtpms-0.9.2/debian/changelog --- libtpms-0.9.2/debian/changelog 2022-03-08 09:34:16.000000000 +0100 +++ libtpms-0.9.2/debian/changelog 2023-03-07 22:32:00.000000000 +0100 @@ -1,3 +1,11 @@ +libtpms (0.9.2-3.1) unstable; urgency=medium + + * Non-maintainer upload. + * tpm2: Check size of buffer before accessing it (CVE-2023-1017, + CVE-2023-1018) (Closes: #1032420) + + -- Salvatore Bonaccorso <car...@debian.org> Tue, 07 Mar 2023 22:32:00 +0100 + libtpms (0.9.2-3) unstable; urgency=medium * Fix ppc64el build errors (Closes: #997969) diff -Nru libtpms-0.9.2/debian/patches/series libtpms-0.9.2/debian/patches/series --- libtpms-0.9.2/debian/patches/series 2022-03-08 09:33:30.000000000 +0100 +++ libtpms-0.9.2/debian/patches/series 2023-03-07 22:32:00.000000000 +0100 @@ -2,3 +2,4 @@ 0004-fix-ftbfs-bug.patch do_not_inline_makeiv.patch no_local_check.patch +tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch diff -Nru libtpms-0.9.2/debian/patches/tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch libtpms-0.9.2/debian/patches/tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch --- libtpms-0.9.2/debian/patches/tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch 1970-01-01 01:00:00.000000000 +0100 +++ libtpms-0.9.2/debian/patches/tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch 2023-03-07 22:32:00.000000000 +0100 @@ -0,0 +1,55 @@ +From: Stefan Berger <stef...@linux.ibm.com> +Date: Mon, 20 Feb 2023 14:41:10 -0500 +Subject: tpm2: Check size of buffer before accessing it (CVE-2023-1017 & + -1018) +Origin: https://github.com/stefanberger/libtpms/commit/324dbb4c27ae789c73b69dbf4611242267919dd4 +Bug-Debian: https://bugs.debian.org/1032420 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-1018 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-1017 + +Check that there are sufficient bytes in the buffer before reading the +cipherSize from it. Also, reduce the bufferSize variable by the number +of bytes that make up the cipherSize to avoid reading and writing bytes +beyond the buffer in subsequent steps that do in-place decryption. + +This fixes CVE-2023-1017 & CVE-2023-1018. + +Signed-off-by: Stefan Berger <stef...@linux.ibm.com> +--- + src/tpm2/CryptUtil.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c +index 002fde0987a9..8fae5b6903ca 100644 +--- a/src/tpm2/CryptUtil.c ++++ b/src/tpm2/CryptUtil.c +@@ -830,6 +830,10 @@ CryptParameterDecryption( + + sizeof(session->sessionKey.t.buffer))); + TPM2B_HMAC_KEY key; // decryption key + UINT32 cipherSize = 0; // size of cipher text ++ ++ if (leadingSizeInByte > bufferSize) ++ return TPM_RC_INSUFFICIENT; ++ + // Retrieve encrypted data size. + if(leadingSizeInByte == 2) + { +@@ -837,6 +841,7 @@ CryptParameterDecryption( + // data to be decrypted + cipherSize = (UINT32)BYTE_ARRAY_TO_UINT16(buffer); + buffer = &buffer[2]; // advance the buffer ++ bufferSize -= 2; + } + #ifdef TPM4B + else if(leadingSizeInByte == 4) +@@ -844,6 +849,7 @@ CryptParameterDecryption( + // the leading size is four bytes so get the four byte size field + cipherSize = BYTE_ARRAY_TO_UINT32(buffer); + buffer = &buffer[4]; //advance pointer ++ bufferSize -= 4; + } + #endif + else +-- +2.39.2 +