Hello community, here is the log from the commit of package mokutil for openSUSE:Factory checked in at 2014-11-12 00:20:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mokutil (Old) and /work/SRC/openSUSE:Factory/.mokutil.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mokutil" Changes: -------- --- /work/SRC/openSUSE:Factory/mokutil/mokutil.changes 2014-04-17 14:11:47.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.mokutil.new/mokutil.changes 2014-11-12 00:20:59.000000000 +0100 @@ -1,0 +2,17 @@ +Tue Nov 4 07:52:54 UTC 2014 - [email protected] + +- Update to 0.3.0 +- Add mokutil-fix-overflow.patch to fix the buffer overflow +- Drop upstreamed patches + + mokutil-upstream-fixes.patch + + mokutil-mokx-support.patch + + mokutil-check-corrupted-key-list.patch + + mokutil-check-secure-boot-support.patch + + mokutil-clean-request.patch + + mokutil-fix-hash-file-read.patch + + mokutil-fix-hash-list-size.patch + + mokutil-more-details-for-skipped-keys.patch + + mokutil-no-invalid-x509.patch +- Refresh mokutil-support-revoke-builtin-cert.patch + +------------------------------------------------------------------- Old: ---- mokutil-0.2.0.tar.bz2 mokutil-check-corrupted-key-list.patch mokutil-check-secure-boot-support.patch mokutil-clean-request.patch mokutil-fix-hash-file-read.patch mokutil-fix-hash-list-size.patch mokutil-mokx-support.patch mokutil-more-details-for-skipped-keys.patch mokutil-no-invalid-x509.patch mokutil-upstream-fixes.patch New: ---- mokutil-0.3.0.tar.bz2 mokutil-fix-overflow.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mokutil.spec ++++++ --- /var/tmp/diff_new_pack.AFtjP7/_old 2014-11-12 00:21:00.000000000 +0100 +++ /var/tmp/diff_new_pack.AFtjP7/_new 2014-11-12 00:21:00.000000000 +0100 
@@ -17,35 +17,21 @@ Name: mokutil -Version: 0.2.0 +Version: 0.3.0 Release: 0 Summary: Tools for manipulating machine owner keys License: GPL-3.0 Group: Productivity/Security Url: https://github.com/lcp/mokutil Source: %{name}-%{version}.tar.bz2 -# PATCH-FIX-UPSTREAM mokutil-upstream-fixes.patch [email protected] -- Include upstream fixes for db signature check, gcc warnings, error handling -Patch1: mokutil-upstream-fixes.patch -# PATCH-FIX-UPSTREAM mokutil-mokx-support.patch [email protected] -- Support the MOK blacklist -Patch2: mokutil-mokx-support.patch -# PATCH-FIX-UPSTREAM mokutil-fix-hash-list-size.patch [email protected] -- Update the list size after merging or deleting a hash -Patch3: mokutil-fix-hash-list-size.patch -# PATCH-FIX-UPSTREAM mokutil-clean-request.patch [email protected] -- Clear the request if all keys are removed -Patch4: mokutil-clean-request.patch -# PATCH-FIX-UPSTREAM mokutil-more-details-for-skipped-keys.patch [email protected] -- Be more verbose while skipping a key -Patch5: mokutil-more-details-for-skipped-keys.patch -# PATCH-FIX-UPSTREAM mokutil-check-secure-boot-support.patch [email protected] -- Check whether the system supports secure boot or not -Patch6: mokutil-check-secure-boot-support.patch -# PATCH-FIX-UPSTREAM mokutil-check-corrupted-key-list.patch [email protected] -- Add a check for corrupted list -Patch7: mokutil-check-corrupted-key-list.patch -# PATCH-FIX-UPSTREAM mokutil-no-invalid-x509.patch [email protected] -- Don't import an invalid x509 certificate -Patch8: mokutil-no-invalid-x509.patch -# PATCH-FIX-UPSTREAM mokutil-fix-hash-file-read.patch [email protected] -- Fix the error handling of reading a hash file -Patch9: mokutil-fix-hash-file-read.patch +# PATCH-FIX-UPSTREAM mokutil-fix-overflow.patch [email protected] -- Fix the potential buffer overflow +Patch1: mokutil-fix-overflow.patch +# OPENSUSE ONLY # PATCH-FIX-OPENSUSE mokutil-support-revoke-builtin-cert.patch [email protected] -- Add an option to revoke the 
built-in certificate Patch100: mokutil-support-revoke-builtin-cert.patch BuildRequires: autoconf BuildRequires: automake +BuildRequires: efivar-devel >= 0.12 BuildRequires: libopenssl-devel >= 0.9.8 BuildRequires: pkg-config BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -64,14 +50,6 @@ %prep %setup -q %patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 %patch100 -p1 %build ++++++ mokutil-0.2.0.tar.bz2 -> mokutil-0.3.0.tar.bz2 ++++++ ++++ 6812 lines of diff (skipped) ++++++ mokutil-fix-overflow.patch ++++++ >From 1313fa02a5b2bfe61ee6702696600fc148ec2d6e Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <[email protected]> Date: Tue, 4 Nov 2014 15:50:03 +0800 Subject: [PATCH] Fix the potential buffer overflow Signed-off-by: Gary Ching-Pang Lin <[email protected]> --- src/mokutil.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/mokutil.c b/src/mokutil.c index 5b34f22..93fb6fa 100644 --- a/src/mokutil.c +++ b/src/mokutil.c @@ -1743,7 +1743,7 @@ set_toggle (const char * VarName, uint32_t state) MokToggleVar tvar; char *password = NULL; unsigned int pw_len; - efi_char16_t efichar_pass[SB_PASSWORD_MAX]; + efi_char16_t efichar_pass[SB_PASSWORD_MAX+1]; int ret = -1; printf ("password length: %d~%d\n", SB_PASSWORD_MIN, SB_PASSWORD_MAX); @@ -1757,8 +1757,7 @@ set_toggle (const char * VarName, uint32_t state) efichar_from_char (efichar_pass, password, SB_PASSWORD_MAX * sizeof(efi_char16_t)); - memcpy(tvar.password, efichar_pass, - SB_PASSWORD_MAX * sizeof(efi_char16_t)); + memcpy(tvar.password, efichar_pass, sizeof(tvar.password)); tvar.mok_toggle_state = state; -- 1.8.4.5 ++++++ mokutil-support-revoke-builtin-cert.patch ++++++ --- /var/tmp/diff_new_pack.AFtjP7/_old 2014-11-12 00:21:00.000000000 +0100 +++ /var/tmp/diff_new_pack.AFtjP7/_new 2014-11-12 00:21:00.000000000 +0100 
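Review bot: In the second set_toggle hunk of mokutil-fix-overflow.patch, `memcpy(tvar.password, efichar_pass, sizeof(tvar.password));` bounds the write by the destination, but the read stays in bounds only while `sizeof(tvar.password) <= sizeof(efichar_pass)`, and the MokToggleVar definition is not part of this patch. `efichar_pass` is also declared without an initialiser in the first hunk, so unless efichar_from_char pads the buffer (not visible here), a password shorter than SB_PASSWORD_MAX leaves stale stack bytes behind it that the memcpy then copies into the toggle variable. I would zero the buffer at declaration, `efi_char16_t efichar_pass[SB_PASSWORD_MAX+1] = {0};`, and pin the size relation with `_Static_assert(sizeof(tvar.password) <= sizeof(efichar_pass), "password field larger than conversion buffer");`. set_toggle continues outside both hunks, so whether `password` and `efichar_pass` are wiped before return cannot be judged from here.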
@@ -1,7 +1,7 @@ -From 0ebfada39e35d3366dfce45158a33f7624907d1f Mon Sep 17 00:00:00 2001 +From fe695869306567a1ae6c7ddbd87c2fbdc4a5bba1 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <[email protected]> Date: Fri, 21 Feb 2014 17:56:55 +0800 -Subject: [PATCH] Add the option to revoke the built-in certificate +Subject: [PATCH 1/2] Add the option to revoke the built-in certificate This is an openSUSE-only patch. @@ -13,10 +13,10 @@ 1 file changed, 82 insertions(+) diff --git a/src/mokutil.c b/src/mokutil.c -index 1c32313..14adae7 100644 +index 5b34f22..ab3d04f 100644 --- a/src/mokutil.c +++ b/src/mokutil.c -@@ -83,6 +83,7 @@ EFI_GUID (0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, +@@ -83,6 +83,7 @@ #define IMPORT_HASH (1 << 21) #define DELETE_HASH (1 << 22) #define VERBOSITY (1 << 23) @@ -24,7 +24,7 @@ #define DEFAULT_CRYPT_METHOD SHA512_BASED #define DEFAULT_SALT_SIZE SHA512_SALT_MAX -@@ -151,6 +152,7 @@ print_help () +@@ -156,6 +157,7 @@ print_help () printf (" --kek\t\t\t\t\tList the keys in KEK\n"); printf (" --db\t\t\t\t\tList the keys in db\n"); printf (" --dbx\t\t\t\t\tList the keys in dbx\n"); @@ -32,7 +32,7 @@ printf ("\n"); printf ("Supplimentary Options:\n"); printf (" --hash-file <hash file>\t\tUse the specific password hash\n"); -@@ -1903,6 +1905,79 @@ set_verbosity (uint8_t verbosity) +@@ -1994,6 +1996,79 @@ set_verbosity (uint8_t verbosity) return 0; } @@ -112,7 +112,7 @@ static inline int list_db (DBName db_name) { -@@ -1974,6 +2049,7 @@ main (int argc, char *argv[]) +@@ -2070,6 +2145,7 @@ main (int argc, char *argv[]) {"kek", no_argument, 0, 0 }, {"db", no_argument, 0, 0 }, {"dbx", no_argument, 0, 0 }, @@ -120,7 +120,7 @@ {0, 0, 0, 0} }; -@@ -2061,6 +2137,8 @@ main (int argc, char *argv[]) +@@ -2157,6 +2233,8 @@ main (int argc, char *argv[]) command |= LIST_ENROLLED; db_name = DBX; } 
@@ -129,7 +129,7 @@ } break; -@@ -2303,6 +2381,10 @@ main (int argc, char *argv[]) +@@ -2416,6 +2494,10 @@ main (int argc, char *argv[]) case VERBOSITY: ret = set_verbosity (verbosity); break; 
@@ -143,3 +143,98 @@ -- 1.8.4.5 + +From 09ac7c76b0c313abc664fe104bc32d89df0e0976 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin <[email protected]> +Date: Tue, 4 Nov 2014 14:50:36 +0800 +Subject: [PATCH 2/2] Use the efivar functions to access UEFI variables + +This is an openSUSE-only patch. + +Adapt the changes in the mainline. +--- + src/mokutil.c | 45 +++++++++++++++++++++++++-------------------- + 1 file changed, 25 insertions(+), 20 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index ab3d04f..9dcf4f1 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -1999,28 +1999,35 @@ set_verbosity (uint8_t verbosity) + static int + revoke_builtin_cert (void) + { +- efi_variable_t var; ++ uint32_t attributes; ++ size_t data_size; ++ uint8_t *data; + pw_crypt_t pw_crypt; + uint8_t auth[SHA256_DIGEST_LENGTH]; + char *password = NULL; +- int pw_len; ++ unsigned int pw_len; + int auth_ret; + int ret = -1; + + /* Check use_openSUSE_cert */ +- memset (&var, 0, sizeof(var)); +- var.VariableName = "use_openSUSE_cert"; +- var.VendorGuid = SHIM_LOCK_GUID; ++ if (efi_get_variable (efi_guid_shim, "use_openSUSE_cert", ++ &data, &data_size, &attributes) < 0) { ++ fprintf (stderr, "Failed to get use_openSUSE_cert\n"); ++ return 0; ++ } + +- if (read_variable (&var) != EFI_SUCCESS) ++ if (data_size != 1) { ++ free (data); ++ fprintf (stderr, "Invalid variable: use_openSUSE_cert\n"); + return 0; ++ } + +- if ((uint8_t)*var.Data != 1) { +- free (var.Data); ++ if (*data != 1) { ++ free (data); + fprintf (stderr, "The built-in certificate is already revoked.\n"); + return 0; + } +- free (var.Data); ++ free (data); + + memset (&pw_crypt, 0, sizeof(pw_crypt_t)); + memset (auth, 0, SHA256_DIGEST_LENGTH); +@@ -2043,20 +2050,18 @@ revoke_builtin_cert (void) + } + + if (!use_simple_hash) { +- var.Data = (void *)&pw_crypt; +- var.DataSize = PASSWORD_CRYPT_SIZE; ++ data = (uint8_t *)&pw_crypt; ++ data_size = PASSWORD_CRYPT_SIZE; + } else { +- var.Data = (void *)auth; +- 
var.DataSize = SHA256_DIGEST_LENGTH; ++ data = auth; ++ data_size = SHA256_DIGEST_LENGTH; + } +- var.VariableName = "ClearVerify"; +- +- var.VendorGuid = SHIM_LOCK_GUID; +- var.Attributes = EFI_VARIABLE_NON_VOLATILE +- | EFI_VARIABLE_BOOTSERVICE_ACCESS +- | EFI_VARIABLE_RUNTIME_ACCESS; ++ attributes = EFI_VARIABLE_NON_VOLATILE ++ | EFI_VARIABLE_BOOTSERVICE_ACCESS ++ | EFI_VARIABLE_RUNTIME_ACCESS; + +- if (edit_protected_variable (&var) != EFI_SUCCESS) { ++ if (efi_set_variable (efi_guid_shim, "ClearVerify", ++ data, data_size, attributes) < 0) { + fprintf (stderr, "Failed to write ClearVerify\n"); + goto error; + } +-- +1.8.4.5 + -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
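Review bot: In the added PATCH 2/2, revoke_builtin_cert reports success on both early failure paths: after `fprintf (stderr, "Failed to get use_openSUSE_cert\n");` and after `fprintf (stderr, "Invalid variable: use_openSUSE_cert\n");` it does `return 0;`, while `ret` starts at -1 and a failed ClearVerify write goes through `goto error`. If main turns this value into the exit status, as the `ret = set_verbosity (verbosity);` context suggests, a caller cannot tell a queued revocation from an unreadable or malformed variable. I would use `return -1;` on those two paths and keep 0 for the already-revoked case; if a missing variable is meant to be a harmless no-op, that case deserves its own branch and a comment saying so. The body between the two inner hunks and the `error:` label are outside this diff, so how `password`, `pw_crypt` and `auth` are handled on exit is not reviewable here.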
