diff --git a/SOURCES/0014-tpm_util-Replace-a-logger.error-with-an-Exception-in.patch b/SOURCES/0014-tpm_util-Replace-a-logger.error-with-an-Exception-in.patch
new file mode 100644
index 0000000..7b1ee26
--- /dev/null
+++ b/SOURCES/0014-tpm_util-Replace-a-logger.error-with-an-Exception-in.patch
@@ -0,0 +1,80 @@
+From add9847988e963fd124863736592fc16cc8c716b Mon Sep 17 00:00:00 2001
+From: Stefan Berger
+Date: Tue, 11 Jul 2023 18:03:28 -0400
+Subject: [PATCH 14/14] tpm_util: Replace a logger.error with an Exception in
+ case of invalid signature
+
+This fixes a possibly severe issue in 7.2.5 & 7.3.0.
+
+Signed-off-by: Stefan Berger
+---
+ keylime/tpm/tpm_util.py | 6 +-----
+ keylime/tpm/tpm_util_test.py | 21 +++++++++++++++++++++
+ 2 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/keylime/tpm/tpm_util.py b/keylime/tpm/tpm_util.py
+index ce2ce0f..58a1a04 100644
+--- a/keylime/tpm/tpm_util.py
++++ b/keylime/tpm/tpm_util.py
+@@ -3,7 +3,6 @@ import string
+ import struct
+ from typing import Any, Dict, List, Optional, Tuple, Union
+
+-from cryptography.exceptions import InvalidSignature
+ from cryptography.hazmat import backends
+ from cryptography.hazmat.primitives import hashes, hmac, serialization
+ from cryptography.hazmat.primitives.asymmetric import ec, padding
+@@ -155,10 +154,7 @@ def checkquote(
+ digest.update(quoteblob)
+ quote_digest = digest.finalize()
+
+- try:
+- verify(pubkey, signature, quote_digest, hashfunc)
+- except InvalidSignature:
+- logger.error("Invalid quote signature!")
++ verify(pubkey, signature, quote_digest, hashfunc)
+
+ # Check that reported nonce is expected one
+ retDict = tpm2_objects.unmarshal_tpms_attest(quoteblob)
+diff --git a/keylime/tpm/tpm_util_test.py b/keylime/tpm/tpm_util_test.py
+index aaf16cd..2c73997 100644
+--- a/keylime/tpm/tpm_util_test.py
++++ b/keylime/tpm/tpm_util_test.py
+@@ -2,6 +2,7 @@ import base64
+ import unittest
+ from unittest import mock
+
++from cryptography.exceptions import InvalidSignature
+ from cryptography.hazmat.primitives.asymmetric.ec import (
+ SECP256R1,
+ EllipticCurve,
+@@ -60,6 +61,26 @@ class TestTpmUtil(unittest.TestCase):
+ except Exception as e:
+ self.fail(f"checkquote failed with {e}")
+
++ # test bad input
++ bad_quoteblob = bytearray(quoteblob)
++ 
bad_quoteblob[5] ^= 0x1 ++ with self.assertRaises(InvalidSignature): ++ checkquote(aikblob, nonce, sigblob, bad_quoteblob, pcrblob, "sha256") ++ ++ l = list(nonce) ++ l[0] = "a" ++ bad_nonce = "".join(l) ++ with self.assertRaises(Exception): ++ checkquote(aikblob, bad_nonce, sigblob, quoteblob, pcrblob, "sha256") ++ ++ bad_pcrblob = bytearray(pcrblob) ++ bad_pcrblob[5] ^= 0x1 ++ with self.assertRaises(Exception): ++ checkquote(aikblob, nonce, sigblob, quoteblob, bad_pcrblob, "sha256") ++ ++ with self.assertRaises(ValueError): ++ checkquote(aikblob, nonce, sigblob, quoteblob, pcrblob, "sha1") ++ + @staticmethod + def not_random(numbytes: int) -> bytes: + return b"\x12" * numbytes +-- +2.41.0 + diff --git a/SPECS/keylime.spec b/SPECS/keylime.spec index 38481f7..2ccec88 100644 --- a/SPECS/keylime.spec +++ b/SPECS/keylime.spec @@ -9,7 +9,7 @@ Name: keylime Version: 7.3.0 -Release: 12%{?dist} +Release: 13%{?dist} Summary: Open source TPM software for Bootstrapping and Maintaining Trust URL: https://github.com/keylime/keylime @@ -30,6 +30,7 @@ Patch: 0010-CVE-2023-38200.patch Patch: 0011-Automatically-update-agent-API-version.patch Patch: 0012-Restore-create-allowlist.patch Patch: 0013-Set-generator-and-timestamp-in-create-policy.patch +Patch: 0014-tpm_util-Replace-a-logger.error-with-an-Exception-in.patch License: ASL 2.0 and MIT @@ -370,6 +371,10 @@ fi %license LICENSE %changelog +* Fri Jan 05 2024 Sergio Correia - 7.3.0-13 +- Backport fix for CVE-2023-3674 + Resolves: RHEL-21013 + * Tue Oct 17 2023 Anderson Toshiyuki Sasaki - 7.3.0-12 - Set the generator and timestamp in create_policy.py Related: RHEL-11866
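Review bot: In the tpm_util.py hunk the bare `verify(pubkey, signature, quote_digest, hashfunc)` now lets `InvalidSignature` escape `checkquote`, which is the correct outcome, but it also removes the only place a failed quote signature was logged, so the event is recorded only if every caller of `checkquote` logs the exception it catches; those callers are outside this patch and `checkquote` itself continues past the hunk, so the backport should confirm that a rejected quote still leaves an audit trail. If the log is wanted at this point rather than at the caller, the minimal form is `except InvalidSignature: logger.error("Invalid quote signature!"); raise`, though that deviates from upstream. With the `InvalidSignature` import dropped, it is also worth checking whether `logger` is still referenced elsewhere in tpm_util.py, otherwise the backport leaves an unused name for linters to flag. In the tpm_util_test.py hunk, `self.assertRaises(Exception)` for the bad-nonce and bad-PCR cases passes on any failure, including an unrelated `TypeError` from the altered inputs; asserting the specific exception `checkquote` raises for a nonce or PCR mismatch would make those two cases a real regression test, and `l = list(nonce)` would read better with a non-ambiguous name such as `nonce_chars`.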