Script 'mail_helper' called by obssrc

Hello community,

here is the log from the commit of package libtpms for openSUSE:Factory checked in at 2021-09-13 16:24:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libtpms (Old)
 and /work/SRC/openSUSE:Factory/.libtpms.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libtpms" Mon Sep 13 16:24:29 2021 rev:12 rq:917964 version:0.8.4 Changes: -------- --- /work/SRC/openSUSE:Factory/libtpms/libtpms.changes 2021-08-12 09:01:48.750137012 +0200 +++ /work/SRC/openSUSE:Factory/.libtpms.new.1899/libtpms.changes 2021-09-13 16:25:12.434791607 +0200 @@ -1,0 +2,8 @@ +Tue Aug 31 16:36:31 UTC 2021 - pgaj...@suse.com + +- security update +- added patches + fix CVE-2021-3746 [bsc#1189935], out-of-bounds access via specially crafted TPM 2 command packets + + libtpms-CVE-2021-3746.patch + +------------------------------------------------------------------- New: ---- libtpms-CVE-2021-3746.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libtpms.spec ++++++ --- /var/tmp/diff_new_pack.HuonFE/_old 2021-09-13 16:25:12.846792084 +0200 +++ /var/tmp/diff_new_pack.HuonFE/_new 2021-09-13 16:25:12.850792088 +0200 @@ -25,6 +25,8 @@ Group: Development/Libraries/C and C++ URL: https://github.com/stefanberger/libtpms Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz +# CVE-2021-3746 [bsc#1189935], out-of-bounds access via specially crafted TPM 2 command packets +Patch0: libtpms-CVE-2021-3746.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: fdupes @@ -57,7 +59,7 @@ Libtpms header files and documentation. %prep -%autosetup +%autosetup -p1 %build autoreconf -fiv ++++++ libtpms-CVE-2021-3746.patch ++++++ diff --git a/src/tpm2/NVMarshal.c b/src/tpm2/NVMarshal.c index 2b2d84a6..430f481f 100644 --- a/src/tpm2/NVMarshal.c +++ b/src/tpm2/NVMarshal.c @@ -4103,6 +4103,12 @@ INDEX_ORDERLY_RAM_Marshal(void *array, size_t array_size, datasize, buffer, size); } offset += nrh.size; + if (offset + sizeof(NV_RAM_HEADER) > array_size) { + /* nothing will fit anymore and there won't be a 0-sized + * terminating node (@1). + */ + break; + } } written += BLOCK_SKIP_WRITE_PUSH(TRUE, buffer, size); 
@@ -4144,6 +4150,16 @@ INDEX_ORDERLY_RAM_Unmarshal(void *array, size_t array_size, */ nrhp = array + offset; + if (offset + sizeof(NV_RAM_HEADER) > sourceside_size) { + /* this case can occur with the previous entry filling up the + * space; in this case there will not be a 0-sized terminating + * node (see @1 above). We clear the rest of our space. + */ + if (array_size > offset) + memset(nrhp, 0, array_size - offset); + break; + } + /* write the NVRAM header; nrh->size holds the complete size including data; nrh->size = 0 indicates the end */ diff --git a/src/tpm2/Object.c b/src/tpm2/Object.c index ab503487..967105f5 100644 --- a/src/tpm2/Object.c +++ b/src/tpm2/Object.c @@ -284,7 +284,8 @@ FindEmptyObjectSlot( if(handle) *handle = i + TRANSIENT_FIRST; // Initialize the object attributes - MemorySet(&object->attributes, 0, sizeof(OBJECT_ATTRIBUTES)); + // MemorySet(&object->attributes, 0, sizeof(OBJECT_ATTRIBUTES)); + MemorySet(object, 0, sizeof(*object)); // libtpms added: Initialize the whole object return object; } }
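Review bot: in the INDEX_ORDERLY_RAM_Marshal hunk of src/tpm2/NVMarshal.c, the new bound check sits at the bottom of the loop body, after `offset += nrh.size`, so it only guards the next iteration; whatever reads the header for the first entry at offset 0 is not covered by it. If array_size can be smaller than sizeof(NV_RAM_HEADER), move the check to the top of the loop or point to where the loop setup already rejects that case. The "(@1)" marker in the comment is referenced from the unmarshal side, so the two comments need to stay in sync if either block moves.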
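Review bot: in the INDEX_ORDERLY_RAM_Unmarshal hunk of src/tpm2/NVMarshal.c, the new check compares `offset + sizeof(NV_RAM_HEADER)` against `sourceside_size`, while the header write that follows goes through `nrhp = array + offset`, which is bounded by `array_size`. The hunk shows no matching `offset + sizeof(NV_RAM_HEADER) > array_size` test before that write; if sourceside_size can exceed array_size, add one here or reference where it is enforced. The `array_size > offset` guard on the memset is correct as written.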
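Review bot: in the FindEmptyObjectSlot hunk of src/tpm2/Object.c, the old `MemorySet(&object->attributes, 0, sizeof(OBJECT_ATTRIBUTES));` call is left behind as a commented-out line, and the comment above it still reads "Initialize the object attributes", which no longer matches `MemorySet(object, 0, sizeof(*object));`. Delete the dead line and update the comment to say the whole slot is cleared. The changelog entry describes only an out-of-bounds access, so the patch description should also state why a reused slot needs to be fully zeroed.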