Hello community,
here is the log from the commit of package ovmf for openSUSE:Leap:15.2 checked
in at 2020-03-01 08:51:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/ovmf (Old)
and /work/SRC/openSUSE:Leap:15.2/.ovmf.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ovmf"
Sun Mar 1 08:51:14 2020 rev:48 rq:779695 version:201911
Changes:
--------
--- /work/SRC/openSUSE:Leap:15.2/ovmf/ovmf.changes 2020-02-21
23:49:34.760593623 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.ovmf.new.26092/ovmf.changes 2020-03-01
08:51:33.797295856 +0100
@@ -1,0 +2,10 @@
+Mon Feb 24 04:00:24 UTC 2020 - Gary Ching-Pang Lin <g...@suse.com>
+
+- Add ovmf-bsc1163969-fix-DxeImageVerificationHandler.patch to fix
+ dbx signature check (bsc#1163969, CVE-2019-14575)
+ + Also change the order of several patches to distinguish the
+ openssl patch
+- Add ovmf-bsc1163927-fix-ip4dxe-and-arpdxe.patch to fix memory
+ leakage in Ip4Dxe and ArpDxe (bsc#1163927, CVE-2019-14559)
+
+-------------------------------------------------------------------
@@ -12,0 +23,5 @@
+
+-------------------------------------------------------------------
+Fri Dec 20 09:11:37 UTC 2019 - Dirk Mueller <dmuel...@suse.com>
+
+- only build -aarch32 Cortex-A15 EFI on armv7hl
New:
----
ovmf-bsc1163927-fix-ip4dxe-and-arpdxe.patch
ovmf-bsc1163969-fix-DxeImageVerificationHandler.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ ovmf.spec ++++++
--- /var/tmp/diff_new_pack.H9XxJg/_old 2020-03-01 08:51:34.609297471 +0100
+++ /var/tmp/diff_new_pack.H9XxJg/_new 2020-03-01 08:51:34.613297479 +0100
@@ -1,7 +1,7 @@
#
# spec file for package ovmf
#
-# Copyright (c) 2019 SUSE LLC
+# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -49,8 +49,10 @@
Patch3: %{name}-pie.patch
Patch4: %{name}-disable-ia32-firmware-piepic.patch
Patch5: %{name}-set-fixed-enroll-time.patch
-Patch6: openssl-fix-syntax-error.patch
-Patch7:
%{name}-bsc1163959-PiDxeS3BootScriptLib-fix-numeric-truncation.patch
+Patch6:
%{name}-bsc1163959-PiDxeS3BootScriptLib-fix-numeric-truncation.patch
+Patch7: %{name}-bsc1163969-fix-DxeImageVerificationHandler.patch
+Patch8: %{name}-bsc1163927-fix-ip4dxe-and-arpdxe.patch
+Patch100: openssl-fix-syntax-error.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: bc
BuildRequires: fdupes
@@ -59,7 +61,7 @@
BuildRequires: iasl
BuildRequires: libuuid-devel
BuildRequires: python3
-%ifnarch %arm
+%ifnarch armv7hl
BuildRequires: nasm
%endif
%ifarch %{secureboot_archs}
@@ -76,7 +78,7 @@
%endif
BuildRequires: unzip
%endif
-ExclusiveArch: %ix86 x86_64 aarch64 %arm
+ExclusiveArch: %ix86 x86_64 aarch64 armv7hl
%description
The Open Virtual Machine Firmware (OVMF) project aims to support
@@ -145,7 +147,7 @@
virt board.
%endif
-%ifarch %arm
+%ifarch armv7hl
%package -n qemu-uefi-aarch32
Summary: UEFI QEMU rom image (AArch32)
Group: System/Emulators/PC
@@ -173,12 +175,14 @@
%patch3 -p1
%patch4 -p1
%patch5 -p1
+%patch6 -p1
%patch7 -p1
+%patch8 -p1
# add openssl
pushd CryptoPkg/Library/OpensslLib/openssl
tar -xf %{SOURCE1} --strip 1
-%patch6 -p1
+%patch100 -p1
popd
# add berkeley-softfloat-3
@@ -233,7 +237,7 @@
BUILD_OPTIONS="$OVMF_FLAGS -a AARCH64 -p ArmVirtPkg/ArmVirtQemu.dsc -b
DEBUG -t $TOOL_CHAIN_TAG"
ARCH=AARCH64 make -C BaseTools
%else
-%ifarch %arm
+%ifarch armv7hl
# Flavors for arm
FLAVORS=("aavmf-aarch32")
BUILD_ARCH="AARCH32"
@@ -326,7 +330,7 @@
cp Build/ArmVirtQemu-AARCH64/DEBUG_*/AARCH64/EnrollDefaultKeys.efi .
%else
-%ifarch %arm
+%ifarch armv7hl
# Build the UEFI image
build $BUILD_OPTIONS
@@ -550,7 +554,7 @@
install -m 0644 -D descriptors/*-aarch64*.json \
-t %{buildroot}/%{_datadir}/qemu/firmware
%else
-%ifarch %arm
+%ifarch armv7hl
install -m 0644 -D qemu-uefi-aarch32.bin -t %{buildroot}/%{_datadir}/qemu/
install -m 0644 -D aavmf-aarch32-*.bin -t %{buildroot}/%{_datadir}/qemu/
install -m 0644 -D descriptors/*-aarch32*.json \
@@ -622,7 +626,7 @@
%{_datadir}/qemu/firmware/*-aarch64*.json
%endif
-%ifarch %arm
+%ifarch armv7hl
%files -n qemu-uefi-aarch32
%defattr(-,root,root)
%license License.txt
++++++ ovmf-bsc1163927-fix-ip4dxe-and-arpdxe.patch ++++++
>From 7f9f7fccf58af2db5ac8c88801f56f4efe664fcb Mon Sep 17 00:00:00 2001
From: Jiaxin Wu <jiaxin...@intel.com>
Date: Mon, 29 Apr 2019 09:51:53 +0800
Subject: [PATCH 1/2] NetworkPkg/Ip4Dxe: Check the received package length
(CVE-2019-14559).
v3: correct the coding style.
v2: correct the commit message & add BZ number.
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1610
This patch is to check the received package length to make sure the package
has a valid length field.
Cc: Fu Siyuan <siyuan...@intel.com>
Cc: Maciej Rabeda <maciej.rab...@linux.intel.com>
Signed-off-by: Wu Jiaxin <jiaxin...@intel.com>
Reviewed-by: Siyuan Fu <siyuan...@intel.com>
(cherry picked from commit 578bcdc2605e3438b9cbdac4e68339f90f5bf8af)
---
NetworkPkg/Ip4Dxe/Ip4Input.c | 46 +++++++++++++++++++++++++++++-------
1 file changed, 37 insertions(+), 9 deletions(-)
diff --git a/NetworkPkg/Ip4Dxe/Ip4Input.c b/NetworkPkg/Ip4Dxe/Ip4Input.c
index 24c584658803..fc1a892f14eb 100644
--- a/NetworkPkg/Ip4Dxe/Ip4Input.c
+++ b/NetworkPkg/Ip4Dxe/Ip4Input.c
@@ -1,7 +1,7 @@
/** @file
IP4 input process.
-Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2005 - 2020, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -711,10 +711,6 @@ Ip4PreProcessPacket (
//
// Check if the IP4 header is correctly formatted.
//
- if ((*Packet)->TotalSize < IP4_MIN_HEADLEN) {
- return EFI_INVALID_PARAMETER;
- }
-
HeadLen = (Head->HeadLen << 2);
TotalLen = NTOHS (Head->TotalLen);
@@ -808,6 +804,30 @@ Ip4PreProcessPacket (
return EFI_SUCCESS;
}
+/**
+ This function checks the IPv4 packet length.
+
+ @param[in] Packet Pointer to the IPv4 Packet to be checked.
+
+ @retval TRUE The input IPv4 packet length is valid.
+ @retval FALSE The input IPv4 packet length is invalid.
+
+**/
+BOOLEAN
+Ip4IsValidPacketLength (
+ IN NET_BUF *Packet
+ )
+{
+ //
+ // Check the IP4 packet length.
+ //
+ if (Packet->TotalSize < IP4_MIN_HEADLEN) {
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
/**
The IP4 input routine. It is called by the IP4_INTERFACE when a
IP4 fragment is received from MNP.
@@ -844,6 +864,10 @@ Ip4AccpetFrame (
goto DROP;
}
+ if (!Ip4IsValidPacketLength (Packet)) {
+ goto RESTART;
+ }
+
Head = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL);
ASSERT (Head != NULL);
OptionLen = (Head->HeadLen << 2) - IP4_MIN_HEADLEN;
@@ -890,10 +914,14 @@ Ip4AccpetFrame (
//
ZeroMem (&ZeroHead, sizeof (IP4_HEAD));
if (0 == CompareMem (Head, &ZeroHead, sizeof (IP4_HEAD))) {
- // Packet may have been changed. Head, HeadLen, TotalLen, and
- // info must be reloaded bofore use. The ownership of the packet
- // is transfered to the packet process logic.
- //
+ // Packet may have been changed. Head, HeadLen, TotalLen, and
+ // info must be reloaded before use. The ownership of the packet
+ // is transferred to the packet process logic.
+ //
+ if (!Ip4IsValidPacketLength (Packet)) {
+ goto RESTART;
+ }
+
Head = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL);
ASSERT (Head != NULL);
Status = Ip4PreProcessPacket (
--
2.25.0
>From 03225826203c978146e4067e1d14fe66fcb75e22 Mon Sep 17 00:00:00 2001
From: Siyuan Fu <siyuan...@intel.com>
Date: Fri, 21 Feb 2020 10:14:18 +0800
Subject: [PATCH 2/2] NetworkPkg/ArpDxe: Recycle invalid ARP packets
(CVE-2019-14559)
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2031
This patch triggers the RecycleEvent for invalid ARP packets.
Prior to this, we would just ignore invalid ARP packets,
and never free them.
Cc: Jiaxin Wu <jiaxin...@intel.com>
Cc: Maciej Rabeda <maciej.rab...@linux.intel.com>
Cc: Siyuan Fu <siyuan...@intel.com>
Signed-off-by: Nicholas Armour <nicholas.arm...@intel.com>
Reviewed-by: Siyuan Fu <siyuan...@intel.com>
(cherry picked from commit 1d3215fd24f47eaa4877542a59b4bbf5afc0cfe8)
---
NetworkPkg/ArpDxe/ArpImpl.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/NetworkPkg/ArpDxe/ArpImpl.c b/NetworkPkg/ArpDxe/ArpImpl.c
index 0e9ef103eff9..c7f770db0734 100644
--- a/NetworkPkg/ArpDxe/ArpImpl.c
+++ b/NetworkPkg/ArpDxe/ArpImpl.c
@@ -1,7 +1,7 @@
/** @file
The implementation of the ARP protocol.
-Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2006 - 2020, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
@@ -113,7 +113,7 @@ ArpOnFrameRcvdDpc (
//
// Restart the receiving if packet size is not correct.
//
- goto RESTART_RECEIVE;
+ goto RECYCLE_RXDATA;
}
//
@@ -125,7 +125,7 @@ ArpOnFrameRcvdDpc (
Head->OpCode = NTOHS (Head->OpCode);
if (RxData->DataLength < (sizeof (ARP_HEAD) + 2 * Head->HwAddrLen + 2 *
Head->ProtoAddrLen)) {
- goto RESTART_RECEIVE;
+ goto RECYCLE_RXDATA;
}
if ((Head->HwType != ArpService->SnpMode.IfType) ||
--
2.25.0
++++++ ovmf-bsc1163969-fix-DxeImageVerificationHandler.patch ++++++
++++ 1870 lines (skipped)
