Bug#977511: buster-pu: package edk2/0~20181115.85588389-3+deb10u2

2021-01-16 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Tue, 2020-12-15 at 14:53 -0700, dann frazier wrote:
> Address CVE-2019-14584 (#977300), for which the security team has
> declined to release a DSA.
> 

Sorry for the delay. Please go ahead.

Regards,

Adam



Bug#977511: buster-pu: package edk2/0~20181115.85588389-3+deb10u2

2020-12-15 Thread dann frazier
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
Address CVE-2019-14584 (#977300), for which the security team has declined to
release a DSA.

[ Impact ]
Possible firmware crash while validating signed payloads.

[ Tests ]
Regression tested by booting a Secure Boot guest.

[ Risks ]
It's a one-liner fix - if it introduced a regression, it could break
certain secure boot guests.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
A clean cherry-pick from upstream to fix a potential NULL pointer
dereference.

[ Other info ]
N/A

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.9.0-1-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru edk2-0~20181115.85588389/debian/changelog 
edk2-0~20181115.85588389/debian/changelog
--- edk2-0~20181115.85588389/debian/changelog   2020-09-17 13:45:52.0 
-0600
+++ edk2-0~20181115.85588389/debian/changelog   2020-12-15 12:30:28.0 
-0700
@@ -1,3 +1,11 @@
+edk2 (0~20181115.85588389-3+deb10u3) buster; urgency=medium
+
+  * CryptoPkg/BaseCryptLib: fix NULL dereference. (CVE-2019-14584)
+(Closes: #977300)
+ - d/p/CryptoPkg-BaseCryptLib-fix-NULL-dereference-CVE-2019.patch
+
+ -- dann frazier   Tue, 15 Dec 2020 12:30:28 -0700
+
 edk2 (0~20181115.85588389-3+deb10u2) buster; urgency=medium
 
   * Fix integer overflow in DxeImageVerificationHandler. (CVE-2019-14562)
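Review bot: the new changelog entry introduces version 0~20181115.85588389-3+deb10u3, but the bug title names 0~20181115.85588389-3+deb10u2, which the preceding entry shows is the version already in buster; retitle the pu request to the deb10u3 version so the request and the debdiff agree. The entry itself is in order: it names the CVE, closes #977300 and lists the patch file added under debian/patches.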
diff -Nru 
edk2-0~20181115.85588389/debian/patches/CryptoPkg-BaseCryptLib-fix-NULL-dereference-CVE-2019.patch
 
edk2-0~20181115.85588389/debian/patches/CryptoPkg-BaseCryptLib-fix-NULL-dereference-CVE-2019.patch
--- 
edk2-0~20181115.85588389/debian/patches/CryptoPkg-BaseCryptLib-fix-NULL-dereference-CVE-2019.patch
  1969-12-31 17:00:00.0 -0700
+++ 
edk2-0~20181115.85588389/debian/patches/CryptoPkg-BaseCryptLib-fix-NULL-dereference-CVE-2019.patch
  2020-12-15 12:30:28.0 -0700
@@ -0,0 +1,51 @@
+From 26442d11e620a9e81c019a24a4ff38441c64ba10 Mon Sep 17 00:00:00 2001
+From: Jian J Wang 
+Date: Thu, 25 Apr 2019 23:42:16 +0800
+Subject: [PATCH] CryptoPkg/BaseCryptLib: fix NULL dereference (CVE-2019-14584)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1914
+
+AuthenticodeVerify() calls OpenSSLs d2i_PKCS7() API to parse asn encoded
+signed authenticode pkcs#7 data. when this successfully returns, a type
+check is done by calling PKCS7_type_is_signed() and then
+Pkcs7->d.sign->contents->type is used. It is possible to construct an asn1
+blob that successfully decodes and have d2i_PKCS7() return a valid pointer
+and have PKCS7_type_is_signed() also return success  but have Pkcs7->d.sign
+be a NULL pointer.
+
+Looking at how PKCS7_verify() [inside of OpenSSL] implements checking for
+pkcs7 structs it does the following:
+- call PKCS7_type_is_signed()
+- call PKCS7_get_detached()
+Looking into how PKCS7_get_detatched() is implemented, it checks to see if
+p7->d.sign is NULL or if p7->d.sign->contents->d.ptr is NULL.
+
+As such, the fix is to do the same as OpenSSL after calling d2i_PKCS7().
+- Add call to PKS7_get_detached() to existing error handling
+
+Cc: Xiaoyu Lu 
+Cc: Guomin Jiang 
+Cc: Jiewen Yao 
+Cc: Laszlo Ersek 
+Signed-off-by: Jian J Wang 
+Reviewed-by: Laszlo Ersek 
+Reviewed-by: Jiewen Yao 
+
+Origin: upstream, 
https://github.com/tianocore/edk2/commit/26442d11e620a9e81c019a24a4ff38441c64ba10
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1914
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977300
+Last-Update: 2020-12-15
+
+Index: edk2/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
+===
+--- edk2.orig/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
 edk2/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
+@@ -106,7 +106,7 @@ AuthenticodeVerify (
+   //
+   // Check if it's PKCS#7 Signed Data (for Authenticode Scenario)
+   //
+-  if (!PKCS7_type_is_signed (Pkcs7)) {
++  if (!PKCS7_type_is_signed (Pkcs7) || PKCS7_get_detached (Pkcs7)) {
+ goto _Exit;
+   }
+ 
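Review bot: the new guard `if (!PKCS7_type_is_signed (Pkcs7) || PKCS7_get_detached (Pkcs7))` rejects more than the malformed input the description targets: per the upstream message, PKCS7_get_detached() returns true both when p7->d.sign is NULL and when p7->d.sign->contents->d.ptr is NULL, so any SignedData with detached content is now refused as well. That is correct for Authenticode, where the signed content is carried inline in the PKCS#7 blob, but "fix NULL dereference" in d/changelog undersells the behavioural change; a sentence saying that detached signatures are now rejected would help anyone bisecting a Secure Boot regression. Two smaller points: the upstream message misspells the function as "PKS7_get_detached" and "PKCS7_get_detatched" while the code correctly uses PKCS7_get_detached, which is harmless in a cherry-picked header; and the `+++` line of the embedded Index: diff for CryptAuthenticode.c appears here without its `+++` prefix, most likely a mail or extraction artifact, so confirm the patch still applies with quilt push before upload.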
diff -Nru edk2-0~20181115.85588389/debian/patches/series 
edk2-0~20181115.85588389/debian/patches/series
--- edk2-0~20181115.85588389/debian/patches/series  2020-09-17 
13:45:52.0 -0600
+++ edk2-0~20181115.85588389/debian/patches/series  2020-12-15 
12:30:28.0 -0700
@@ -27,3 +27,4 @@