Hello community, here is the log from the commit of package mokutil for openSUSE:Factory checked in at 2014-04-11 13:39:58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mokutil (Old) and /work/SRC/openSUSE:Factory/.mokutil.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mokutil" Changes: -------- --- /work/SRC/openSUSE:Factory/mokutil/mokutil.changes 2014-03-25 13:23:54.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.mokutil.new/mokutil.changes 2014-04-11 13:39:59.000000000 +0200 @@ -1,0 +2,8 @@ +Thu Apr 10 04:44:22 UTC 2014 - g...@suse.com + +- Add mokutil-check-corrupted-key-list.patch to check whether the + key list is corrupted or not +- Add mokutil-no-invalid-x509.patch to avoid importing an invalid + x509 certificate + +------------------------------------------------------------------- New: ---- mokutil-check-corrupted-key-list.patch mokutil-no-invalid-x509.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mokutil.spec ++++++ --- /var/tmp/diff_new_pack.ROQ1Q0/_old 2014-04-11 13:40:00.000000000 +0200 +++ /var/tmp/diff_new_pack.ROQ1Q0/_new 2014-04-11 13:40:00.000000000 +0200 @@ -36,6 +36,10 @@ Patch5: mokutil-more-details-for-skipped-keys.patch # PATCH-FIX-UPSTREAM mokutil-check-secure-boot-support.patch g...@suse.com -- Check whether the system supports secure boot or not Patch6: mokutil-check-secure-boot-support.patch +# PATCH-FIX-UPSTREAM mokutil-check-corrupted-key-list.patch g...@suse.com -- Add a check for corrupted list +Patch7: mokutil-check-corrupted-key-list.patch +# PATCH-FIX-UPSTREAM mokutil-no-invalid-x509.patch g...@suse.com -- Don't import an invalid x509 certificate +Patch8: mokutil-no-invalid-x509.patch # PATCH-FIX-OPENSUSE mokutil-support-revoke-builtin-cert.patch g...@suse.com -- Add an option to revoke the built-in certificate Patch100: mokutil-support-revoke-builtin-cert.patch BuildRequires: autoconf @@ -63,6 +67,8 @@ %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 +%patch8 -p1 %patch100 -p1 %build ++++++ mokutil-check-corrupted-key-list.patch ++++++ >From e2e549583543bb0d607670b25af75821f55d5538 Mon Sep 17 00:00:00 2001 
From: Gary Ching-Pang Lin <g...@suse.com> Date: Thu, 10 Apr 2014 12:36:29 +0800 Subject: [PATCH] Check corrupted key list Signed-off-by: Gary Ching-Pang Lin <g...@suse.com> --- src/mokutil.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/mokutil.c b/src/mokutil.c index eb563ca..6792823 100644 --- a/src/mokutil.c +++ b/src/mokutil.c @@ -237,6 +237,14 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num) unsigned long count = 0; while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { + if (CertList->SignatureListSize == 0 || + CertList->SignatureListSize <= CertList->SignatureSize) { + fprintf (stderr, "Corrupted signature list\n"); + if (list) + free (list); + return NULL; + } + if ((efi_guidcmp (CertList->SignatureType, EfiCertX509Guid) != 0) && (efi_guidcmp (CertList->SignatureType, EfiHashSha1Guid) != 0) && (efi_guidcmp (CertList->SignatureType, EfiHashSha224Guid) != 0) && -- 1.8.4.5 ++++++ mokutil-no-invalid-x509.patch ++++++ >From 0806111a850304a0490376d568ea5bf74fcdbd04 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <g...@suse.com> Date: Thu, 10 Apr 2014 12:37:54 +0800 Subject: [PATCH] Don't import an invalid x509 cert Signed-off-by: Gary Ching-Pang Lin <g...@suse.com> --- src/mokutil.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/mokutil.c b/src/mokutil.c index 6792823..cdb5739 100644 --- a/src/mokutil.c +++ b/src/mokutil.c @@ -1265,8 +1265,9 @@ issue_mok_request (char **files, uint32_t total, MokRequest req, goto error; } if (!is_valid_cert (ptr, read_size)) { - fprintf (stderr, "Warning!!! %s is not a valid x509 certificate in DER format\n", + fprintf (stderr, "Abort!!! %s is not a valid x509 certificate in DER format\n", files[i]); + goto error; } if (is_valid_request (EfiCertX509Guid, ptr, sizes[i], req)) { -- 1.8.4.5 -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
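Review bot: The added check in build_mok_list compares SignatureListSize only with SignatureSize, so a list that claims to be smaller than its own fixed header plus SignatureHeaderSize still passes. If both fields are unsigned, as in the UEFI layout, the `== 0` clause is already covered by the `<=` comparison. The loop guard `dbsize > 0` also lets CertList->SignatureListSize be read when fewer than `sizeof(*CertList)` bytes remain, which matters because this is the data the patch treats as possibly corrupted. I would tighten both, with `while (dbsize >= sizeof(*CertList) && dbsize >= CertList->SignatureListSize)` for the guard and `if (CertList->SignatureListSize < sizeof(*CertList) + CertList->SignatureHeaderSize + CertList->SignatureSize)` for the check. The rest of the loop body is outside the hunk, so whether SignatureSize is also checked against the per-entry owner GUID before entries are walked cannot be confirmed from here.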
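Review bot: In issue_mok_request the validity check passes `read_size` to is_valid_cert while the next call passes `sizes[i]` to is_valid_request, so unless the `goto error` just above the hunk already rejects a short read, the two calls judge different lengths; using one variable for both would remove the doubt. The new `goto error` also fires for every value of `req`, not only imports, and presumably abandons files already handled earlier in the loop. A comment such as `/* never queue a blob that does not parse as DER X.509; fail the whole request */` would make that intent explicit. The `error` label and the start of the function are outside the hunk, so the cleanup and exit status on this path cannot be confirmed from here.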