- Apply patch to fix CVE-2023-38200
- Apply patch to fix CVE-2023-38201
This commit is contained in:
parent
39cf484682
commit
ae721c19bf
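--- a/0004-CVE-2023-38200.patch
+++ b/0004-CVE-2023-38200.patch
@@ -0,0 +1,47 @@
+diff -aruN keylime-6.5.2/keylime/registrar_common.py keylime-6.5.2.alma/keylime/registrar_common.py
+--- keylime-6.5.2/keylime/registrar_common.py 2022-11-11 00:48:51
++++ keylime-6.5.2.alma/keylime/registrar_common.py 2023-09-12 18:46:40
+@@ -2,7 +2,9 @@
+import http.server
+import ipaddress
+import os
++import select
+import signal
++import ssl
+import sys
+import threading
+from http.server import BaseHTTPRequestHandler, HTTPServer
+@@ -30,6 +32,24 @@
+
+
+class ProtectedHandler(BaseHTTPRequestHandler, SessionManager):
++ def handle(self) -> None:
++ """ Need to perform SSL handshake here, as do_handshake_on_connect=False for non-blocking SSL socket """
++ while True:
++ try:
++ self.request.do_handshake()
++ break
++ except ssl.SSLWantReadError:
++ select.select([self.request], [], [])
++ except ssl.SSLWantWriteError:
++ select.select([], [self.request], [])
++ except ssl.SSLError as e:
++ logger.error("SSL connection error: %s", e)
++ return
++ except Exception as e:
++ logger.error("General communication failure: %s", e)
++ return
++ BaseHTTPRequestHandler.handle(self)
++
+def do_HEAD(self):
+"""HEAD not supported"""
+web_util.echo_json_response(self, 405, "HEAD not supported")
+@@ -490,7 +510,7 @@
+protected_server = RegistrarServer((host, tlsport), ProtectedHandler)
+context = web_util.init_mtls("registrar", logger=logger)
+if context is not None:
+- protected_server.socket = context.wrap_socket(protected_server.socket, server_side=True)
++ protected_server.socket = context.wrap_socket(protected_server.socket, server_side=True, do_handshake_on_connect=False)
+thread_protected_server = threading.Thread(target=protected_server.serve_forever)
+
+# Set up the unprotected registrar server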
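Review bot: The handshake loop in the new `handle()` has no upper bound on how long it waits: both `select.select` calls pass no timeout and nothing in the hunk puts a timeout on the accepted socket, so a peer that connects and never finishes the TLS handshake holds this handler — and, if RegistrarServer is a threading server, its thread — for as long as it keeps the connection open. Moving the handshake out of accept() keeps one stalled client from blocking the accept loop, but without a bounded wait many such clients can still exhaust handler threads. The smallest change is `self.request.settimeout(<handshake timeout in seconds>)` before `while True:`; a timed-out `do_handshake()` raises a timeout exception that the existing `except Exception` branch already logs and returns on (the timeout then also applies to the request reads that follow, which may be desirable). The docstring calls the socket non-blocking, but the only setting visible here is `do_handshake_on_connect=False`, which does not by itself make the socket non-blocking; if the socket is in fact blocking the two select branches are never reached, so this is worth confirming against RegistrarServer.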
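--- a/0005-CVE-2023-38201.patch
+++ b/0005-CVE-2023-38201.patch
@@ -0,0 +1,21 @@
+diff -aruN keylime-6.5.2/keylime/registrar_common.py keylime-6.5.2.alma/keylime/registrar_common.py
+--- keylime-6.5.2/keylime/registrar_common.py 2023-09-12 18:48:23
++++ keylime-6.5.2.alma/keylime/registrar_common.py 2023-09-12 18:49:21
+@@ -456,7 +456,16 @@
+logger.error("SQLAlchemy Error: %s", e)
+raise
+else:
+- raise Exception(f"Auth tag {auth_tag} does not match expected value {ex_mac}")
++ if agent_id and session.query(RegistrarMain).filter_by(agent_id=agent_id).delete():
++ try:
++ session.commit()
++ except SQLAlchemyError as e:
++ logger.error("SQLAlchemy Error: %s", e)
++ raise
++
++ raise Exception(
++ f"Auth tag {auth_tag} for agent {agent_id} does not match expected value. The agent has been deleted from database, and a restart of it will be required"
++ )
+
+web_util.echo_json_response(self, 200, "Success")
+logger.info("PUT activated: %s", agent_id)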
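Review bot: Deleting the agent's RegistrarMain row on an auth-tag mismatch is a security-relevant action, but the added block in the `else:` branch records it only through the raised Exception, whose handling lies outside the hunk, so an operator cannot tell from the log that a failed activation removed a registration. A dedicated line before the delete, `logger.warning("Auth tag mismatch for agent %s; removing its registration", agent_id)`, gives a detectable event even if the caller swallows or rewrites the exception. The message raised afterward states the agent has been deleted unconditionally, yet the delete only runs when `agent_id` is truthy and a row matched; if an empty agent_id can reach this point (not visible here), the message will be wrong for that case. The enclosing handler starts and ends outside the hunk.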
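--- a/SPEC-FILE-PATH-PLACEHOLDER
+++ b/SPEC-FILE-PATH-PLACEHOLDER
@@ -9,7 +9,7 @@
 
 Name: keylime
 Version: 6.5.2
-Release: 4%{?dist}
+Release: 6%{?dist}.alma.1
 Summary: Open source TPM software for Bootstrapping and Maintaining Trust
 
 URL: https://github.com/keylime/keylime
@@ -21,6 +21,11 @@ Patch: 0001-Do-not-use-default-values-that-need-reading-the-conf.patch
 Patch: 0002-Switch-to-sha256-hashes-for-signatures.patch
 Patch: 0003-logging-remove-option-to-log-into-separate-file.patch
 
+# Patches were taken from and backported from:
+# https://gitlab.com/redhat/centos-stream/rpms/keylime/-/commit/2c457d5430d9ef9bca3bfb7867c21b739e652388
+Patch: 0004-CVE-2023-38200.patch
+# https://gitlab.com/redhat/centos-stream/rpms/keylime/-/commit/6ac5a8f8e6768cd7bb245631dc67aab10b628d29
+Patch: 0005-CVE-2023-38201.patch
 License: ASL 2.0 and MIT
 
 BuildRequires: git-core
@@ -342,6 +347,10 @@ fi
 %license LICENSE
 
 %changelog
+* Tue Sep 12 2023 Eduard Abdullin <eabdullin@almalinux.org> - 6.5.2-6.alma.1
+- Apply patch to fix CVE-2023-38200
+- Apply patch to fix CVE-2023-38201
+
 * Fri Jan 13 2023 Sergio Correia <scorreia@redhat.com> - 6.5.2-4
 - Backport upstream PR#1240 - logging: remove option to log into separate file
 Resolves: rhbz#2154584 - keylime verifier is not logging to /var/log/keylime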