- Apply patch to fix CVE-2023-38200

- Apply patch to fix CVE-2023-38201
2023-09-12 16:48:10 +03:00 · 2023-09-12 16:48:10 +03:00 · ae721c19bf
parent 39cf484682
commit ae721c19bf
3 changed files with 78 additions and 1 deletions
--- a/SOURCES/0004-CVE-2023-38200.patch
+++ b/SOURCES/0004-CVE-2023-38200.patch
@ -0,0 +1,47 @@
+diff -aruN keylime-6.5.2/keylime/registrar_common.py keylime-6.5.2.alma/keylime/registrar_common.py
+--- keylime-6.5.2/keylime/registrar_common.py	2022-11-11 00:48:51
+++ keylime-6.5.2.alma/keylime/registrar_common.py	2023-09-12 18:46:40
+@@ -2,7 +2,9 @@
+ import http.server
+ import ipaddress
+ import os
+import select
+ import signal
+import ssl
+ import sys
+ import threading
+ from http.server import BaseHTTPRequestHandler, HTTPServer
+@@ -30,6 +32,24 @@
+ 
+ 
+ class ProtectedHandler(BaseHTTPRequestHandler, SessionManager):
+    def handle(self) -> None:
+        """ Need to perform SSL handshake here, as do_handshake_on_connect=False for non-blocking SSL socket """
+        while True:
+            try:
+                self.request.do_handshake()
+                break
+            except ssl.SSLWantReadError:
+                select.select([self.request], [], [])
+            except ssl.SSLWantWriteError:
+                select.select([], [self.request], [])
+            except ssl.SSLError as e:
+                logger.error("SSL connection error: %s", e)
+                return
+            except Exception as e:
+                logger.error("General communication failure: %s", e)
+                return
+        BaseHTTPRequestHandler.handle(self)
+
+     def do_HEAD(self):
+         """HEAD not supported"""
+         web_util.echo_json_response(self, 405, "HEAD not supported")
+@@ -490,7 +510,7 @@
+     protected_server = RegistrarServer((host, tlsport), ProtectedHandler)
+     context = web_util.init_mtls("registrar", logger=logger)
+     if context is not None:
+-        protected_server.socket = context.wrap_socket(protected_server.socket, server_side=True)
+        protected_server.socket = context.wrap_socket(protected_server.socket, server_side=True, do_handshake_on_connect=False)
+     thread_protected_server = threading.Thread(target=protected_server.serve_forever)
+ 
+     # Set up the unprotected registrar server
--- a/SOURCES/0005-CVE-2023-38201.patch
+++ b/SOURCES/0005-CVE-2023-38201.patch
@ -0,0 +1,21 @@
+diff -aruN keylime-6.5.2/keylime/registrar_common.py keylime-6.5.2.alma/keylime/registrar_common.py
+--- keylime-6.5.2/keylime/registrar_common.py	2023-09-12 18:48:23
+++ keylime-6.5.2.alma/keylime/registrar_common.py	2023-09-12 18:49:21
+@@ -456,7 +456,16 @@
+                     logger.error("SQLAlchemy Error: %s", e)
+                     raise
+             else:
+-                raise Exception(f"Auth tag {auth_tag} does not match expected value {ex_mac}")
+                if agent_id and session.query(RegistrarMain).filter_by(agent_id=agent_id).delete():
+                    try:
+                        session.commit()
+                    except SQLAlchemyError as e:
+                        logger.error("SQLAlchemy Error: %s", e)
+                        raise
+
+                raise Exception(
+                    f"Auth tag {auth_tag} for agent {agent_id} does not match expected value. The agent has been deleted from database, and a restart of it will be required"
+                )
+ 
+             web_util.echo_json_response(self, 200, "Success")
+             logger.info("PUT activated: %s", agent_id)
--- a/SPECS/keylime.spec
+++ b/SPECS/keylime.spec
@ -9,7 +9,7 @@

 Name:    keylime
 Version: 6.5.2
-Release: 4%{?dist}
+Release: 6%{?dist}.alma.1
 Summary: Open source TPM software for Bootstrapping and Maintaining Trust

 URL:            https://github.com/keylime/keylime
@ -21,6 +21,11 @@ Patch: 0001-Do-not-use-default-values-that-need-reading-the-conf.patch
 Patch: 0002-Switch-to-sha256-hashes-for-signatures.patch
 Patch: 0003-logging-remove-option-to-log-into-separate-file.patch

+# Patches were taken from and backported from:
+# https://gitlab.com/redhat/centos-stream/rpms/keylime/-/commit/2c457d5430d9ef9bca3bfb7867c21b739e652388
+Patch: 0004-CVE-2023-38200.patch	
+# https://gitlab.com/redhat/centos-stream/rpms/keylime/-/commit/6ac5a8f8e6768cd7bb245631dc67aab10b628d29
+Patch: 0005-CVE-2023-38201.patch
 License: ASL 2.0 and MIT

 BuildRequires: git-core
@ -342,6 +347,10 @@ fi
 %license LICENSE

 %changelog
+* Tue Sep 12 2023 Eduard Abdullin <eabdullin@almalinux.org> - 6.5.2-6.alma.1
+- Apply patch to fix CVE-2023-38200
+- Apply patch to fix CVE-2023-38201
+
 * Fri Jan 13 2023 Sergio Correia <scorreia@redhat.com> - 6.5.2-4
 - Backport upstream PR#1240 - logging: remove option to log into separate file
  Resolves: rhbz#2154584 - keylime verifier is not logging to /var/log/keylime