Hello community, here is the log from the commit of package ovmf for openSUSE:Leap:15.2 checked in at 2020-03-01 08:51:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/ovmf (Old) and /work/SRC/openSUSE:Leap:15.2/.ovmf.new.26092 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ovmf" Sun Mar 1 08:51:14 2020 rev:48 rq:779695 version:201911 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/ovmf/ovmf.changes 2020-02-21 23:49:34.760593623 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.ovmf.new.26092/ovmf.changes 2020-03-01 08:51:33.797295856 +0100 @@ -1,0 +2,10 @@ +Mon Feb 24 04:00:24 UTC 2020 - Gary Ching-Pang Lin <g...@suse.com> + +- Add ovmf-bsc1163969-fix-DxeImageVerificationHandler.patch to fix + dbx signature check (bsc#1163969, CVE-2019-14575) + + Also change the order of several patches to distinguish the + openssl patch +- Add ovmf-bsc1163927-fix-ip4dxe-and-arpdxe.patch to fix memory + leakage in Ip4Dxe and ArpDxe (bsc#1163927, CVE-2019-14559) + +------------------------------------------------------------------- @@ -12,0 +23,5 @@ + +------------------------------------------------------------------- +Fri Dec 20 09:11:37 UTC 2019 - Dirk Mueller <dmuel...@suse.com> + +- only build -aarch32 Cortex-A15 EFI on armv7hl New: ---- ovmf-bsc1163927-fix-ip4dxe-and-arpdxe.patch ovmf-bsc1163969-fix-DxeImageVerificationHandler.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ovmf.spec ++++++ --- /var/tmp/diff_new_pack.H9XxJg/_old 2020-03-01 08:51:34.609297471 +0100 +++ /var/tmp/diff_new_pack.H9XxJg/_new 2020-03-01 08:51:34.613297479 +0100 @@ -1,7 +1,7 @@ # # spec file for package ovmf # -# Copyright (c) 2019 SUSE LLC +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -49,8 +49,10 @@ Patch3: %{name}-pie.patch Patch4: %{name}-disable-ia32-firmware-piepic.patch Patch5: %{name}-set-fixed-enroll-time.patch -Patch6: openssl-fix-syntax-error.patch -Patch7: %{name}-bsc1163959-PiDxeS3BootScriptLib-fix-numeric-truncation.patch +Patch6: %{name}-bsc1163959-PiDxeS3BootScriptLib-fix-numeric-truncation.patch +Patch7: %{name}-bsc1163969-fix-DxeImageVerificationHandler.patch +Patch8: %{name}-bsc1163927-fix-ip4dxe-and-arpdxe.patch +Patch100: openssl-fix-syntax-error.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bc BuildRequires: fdupes @@ -59,7 +61,7 @@ BuildRequires: iasl BuildRequires: libuuid-devel BuildRequires: python3 -%ifnarch %arm +%ifnarch armv7hl BuildRequires: nasm %endif %ifarch %{secureboot_archs} @@ -76,7 +78,7 @@ %endif BuildRequires: unzip %endif -ExclusiveArch: %ix86 x86_64 aarch64 %arm +ExclusiveArch: %ix86 x86_64 aarch64 armv7hl %description The Open Virtual Machine Firmware (OVMF) project aims to support @@ -145,7 +147,7 @@ virt board. %endif -%ifarch %arm +%ifarch armv7hl %package -n qemu-uefi-aarch32 Summary: UEFI QEMU rom image (AArch32) Group: System/Emulators/PC @@ -173,12 +175,14 @@ %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 %patch7 -p1 +%patch8 -p1 # add openssl pushd CryptoPkg/Library/OpensslLib/openssl tar -xf %{SOURCE1} --strip 1 -%patch6 -p1 +%patch100 -p1 popd # add berkeley-softfloat-3 @@ -233,7 +237,7 @@ BUILD_OPTIONS="$OVMF_FLAGS -a AARCH64 -p ArmVirtPkg/ArmVirtQemu.dsc -b DEBUG -t $TOOL_CHAIN_TAG" ARCH=AARCH64 make -C BaseTools %else -%ifarch %arm +%ifarch armv7hl # Flavors for arm FLAVORS=("aavmf-aarch32") BUILD_ARCH="AARCH32" @@ -326,7 +330,7 @@ cp Build/ArmVirtQemu-AARCH64/DEBUG_*/AARCH64/EnrollDefaultKeys.efi . %else -%ifarch %arm +%ifarch armv7hl # Build the UEFI image build $BUILD_OPTIONS @@ -550,7 +554,7 @@ install -m 0644 -D descriptors/*-aarch64*.json \ -t %{buildroot}/%{_datadir}/qemu/firmware %else -%ifarch %arm +%ifarch armv7hl install -m 0644 -D qemu-uefi-aarch32.bin -t %{buildroot}/%{_datadir}/qemu/ install -m 0644 -D aavmf-aarch32-*.bin -t %{buildroot}/%{_datadir}/qemu/ install -m 0644 -D descriptors/*-aarch32*.json \ @@ -622,7 +626,7 @@ %{_datadir}/qemu/firmware/*-aarch64*.json %endif -%ifarch %arm +%ifarch armv7hl %files -n qemu-uefi-aarch32 %defattr(-,root,root) %license License.txt ++++++ ovmf-bsc1163927-fix-ip4dxe-and-arpdxe.patch ++++++ >From 7f9f7fccf58af2db5ac8c88801f56f4efe664fcb Mon Sep 17 00:00:00 2001 From: Jiaxin Wu <jiaxin...@intel.com> Date: Mon, 29 Apr 2019 09:51:53 +0800 Subject: [PATCH 1/2] NetworkPkg/Ip4Dxe: Check the received package length (CVE-2019-14559). v3: correct the coding style. v2: correct the commit message & add BZ number. REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1610 This patch is to check the received package length to make sure the package has a valid length field. Cc: Fu Siyuan <siyuan...@intel.com> Cc: Maciej Rabeda <maciej.rab...@linux.intel.com> Signed-off-by: Wu Jiaxin <jiaxin...@intel.com> Reviewed-by: Siyuan Fu <siyuan...@intel.com> (cherry picked from commit 578bcdc2605e3438b9cbdac4e68339f90f5bf8af) --- NetworkPkg/Ip4Dxe/Ip4Input.c | 46 +++++++++++++++++++++++++++++------- 1 file changed, 37 insertions(+), 9 deletions(-) diff --git a/NetworkPkg/Ip4Dxe/Ip4Input.c b/NetworkPkg/Ip4Dxe/Ip4Input.c index 24c584658803..fc1a892f14eb 100644 --- a/NetworkPkg/Ip4Dxe/Ip4Input.c +++ b/NetworkPkg/Ip4Dxe/Ip4Input.c @@ -1,7 +1,7 @@ /** @file IP4 input process. -Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.<BR> +Copyright (c) 2005 - 2020, Intel Corporation. All rights reserved.<BR> (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR> SPDX-License-Identifier: BSD-2-Clause-Patent @@ -711,10 +711,6 @@ Ip4PreProcessPacket ( // // Check if the IP4 header is correctly formatted. // - if ((*Packet)->TotalSize < IP4_MIN_HEADLEN) { - return EFI_INVALID_PARAMETER; - } - HeadLen = (Head->HeadLen << 2); TotalLen = NTOHS (Head->TotalLen); @@ -808,6 +804,30 @@ Ip4PreProcessPacket ( return EFI_SUCCESS; } +/** + This function checks the IPv4 packet length. + + @param[in] Packet Pointer to the IPv4 Packet to be checked. + + @retval TRUE The input IPv4 packet length is valid. + @retval FALSE The input IPv4 packet length is invalid. + +**/ +BOOLEAN +Ip4IsValidPacketLength ( + IN NET_BUF *Packet + ) +{ + // + // Check the IP4 packet length. + // + if (Packet->TotalSize < IP4_MIN_HEADLEN) { + return FALSE; + } + + return TRUE; +} + /** The IP4 input routine. It is called by the IP4_INTERFACE when a IP4 fragment is received from MNP. @@ -844,6 +864,10 @@ Ip4AccpetFrame ( goto DROP; } + if (!Ip4IsValidPacketLength (Packet)) { + goto RESTART; + } + Head = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL); ASSERT (Head != NULL); OptionLen = (Head->HeadLen << 2) - IP4_MIN_HEADLEN; @@ -890,10 +914,14 @@ Ip4AccpetFrame ( // ZeroMem (&ZeroHead, sizeof (IP4_HEAD)); if (0 == CompareMem (Head, &ZeroHead, sizeof (IP4_HEAD))) { - // Packet may have been changed. Head, HeadLen, TotalLen, and - // info must be reloaded bofore use. The ownership of the packet - // is transfered to the packet process logic. - // + // Packet may have been changed. Head, HeadLen, TotalLen, and + // info must be reloaded before use. The ownership of the packet + // is transferred to the packet process logic. + // + if (!Ip4IsValidPacketLength (Packet)) { + goto RESTART; + } + Head = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL); ASSERT (Head != NULL); Status = Ip4PreProcessPacket ( -- 2.25.0 >From 03225826203c978146e4067e1d14fe66fcb75e22 Mon Sep 17 00:00:00 2001 From: Siyuan Fu <siyuan...@intel.com> Date: Fri, 21 Feb 2020 10:14:18 +0800 Subject: [PATCH 2/2] NetworkPkg/ArpDxe: Recycle invalid ARP packets (CVE-2019-14559) REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2031 This patch triggers the RecycleEvent for invalid ARP packets. Prior to this, we would just ignore invalid ARP packets, and never free them. Cc: Jiaxin Wu <jiaxin...@intel.com> Cc: Maciej Rabeda <maciej.rab...@linux.intel.com> Cc: Siyuan Fu <siyuan...@intel.com> Signed-off-by: Nicholas Armour <nicholas.arm...@intel.com> Reviewed-by: Siyuan Fu <siyuan...@intel.com> (cherry picked from commit 1d3215fd24f47eaa4877542a59b4bbf5afc0cfe8) --- NetworkPkg/ArpDxe/ArpImpl.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/NetworkPkg/ArpDxe/ArpImpl.c b/NetworkPkg/ArpDxe/ArpImpl.c index 0e9ef103eff9..c7f770db0734 100644 --- a/NetworkPkg/ArpDxe/ArpImpl.c +++ b/NetworkPkg/ArpDxe/ArpImpl.c @@ -1,7 +1,7 @@ /** @file The implementation of the ARP protocol. -Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR> +Copyright (c) 2006 - 2020, Intel Corporation. All rights reserved.<BR> SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -113,7 +113,7 @@ ArpOnFrameRcvdDpc ( // // Restart the receiving if packet size is not correct. // - goto RESTART_RECEIVE; + goto RECYCLE_RXDATA; } // @@ -125,7 +125,7 @@ ArpOnFrameRcvdDpc ( Head->OpCode = NTOHS (Head->OpCode); if (RxData->DataLength < (sizeof (ARP_HEAD) + 2 * Head->HwAddrLen + 2 * Head->ProtoAddrLen)) { - goto RESTART_RECEIVE; + goto RECYCLE_RXDATA; } if ((Head->HwType != ArpService->SnpMode.IfType) || -- 2.25.0 ++++++ ovmf-bsc1163969-fix-DxeImageVerificationHandler.patch ++++++ ++++ 1870 lines (skipped)