import Oracle_OSS keylime-7.14.1-5.el10_2.1

This commit is contained in:
AlmaLinux RelEng Bot 2026-07-17 05:40:37 -04:00
parent 64744e5570
commit f816193f3b
2 changed files with 111 additions and 6 deletions

View File

@ -0,0 +1,97 @@
From 5e1ac3f4d70e55cd72673ead3dcf88259798c33a Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date: Mon, 20 Apr 2026 15:32:50 +0200
Subject: [PATCH] verifier: Fix hardcoded attestation challenge nonce
(CVE-2026-6420)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Restore random nonce generation in
CertificationParameters.generate_challenge(), which was replaced with a
hardcoded constant, removing replay protection from push-mode TPM quote
attestation.
Remove misleading "pylint: disable=unused-argument" annotation from
EvidenceItem.generate_challenge() — the bit_length parameter is actively
used. The incorrect suppression and "reserved for future use" comment
may have masked the hardcoded nonce during review.
Add regression tests verifying challenge length and uniqueness.
For more information, see the advisory at:
https://github.com/keylime/keylime/security/advisories/GHSA-q8w6-w55c-ccv5
Backport of: https://github.com/keylime/keylime/commit/5e1ac3f4d70e55cd72673ead3dcf88259798c33a
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
---
keylime/models/verifier/evidence.py | 5 ++---
test/test_evidence_model.py | 30 +++++++++++++++++++++++++++++
2 files changed, 32 insertions(+), 3 deletions(-)
diff --git a/keylime/models/verifier/evidence.py b/keylime/models/verifier/evidence.py
index 833a3310d..f4c765e13 100644
--- a/keylime/models/verifier/evidence.py
+++ b/keylime/models/verifier/evidence.py
@@ -74,7 +74,7 @@ def validate_parameters(self):
self.chosen_parameters.validate_choices(check_against=self.capabilities)
self.refresh_metadata()
- def generate_challenge(self, bit_length): # pylint: disable=unused-argument # Parameter reserved for future use
+ def generate_challenge(self, bit_length):
if self.evidence_class != "certification": # pylint: disable=comparison-with-callable # ORM framework pattern
raise ValueError("challenge can only be generated for EvidenceItem with evidence_class 'certification'")
@@ -382,8 +382,7 @@ def validate_choices(self, check_against):
# fields can vary by evidence_type (even when the evidence_types belong to the same evidence_class)
def generate_challenge(self, bit_length):
- # self.challenge = Nonce.generate(bit_length)
- self.challenge = bytes.fromhex("49beed365aac777dae23564f5ad0ec")
+ self.challenge = Nonce.generate(bit_length)
def render(self, only=None):
output = super().render(only)
diff --git a/test/test_evidence_model.py b/test/test_evidence_model.py
index 88188c8c1..1c4b4337b 100644
--- a/test/test_evidence_model.py
+++ b/test/test_evidence_model.py
@@ -170,6 +170,36 @@ def test_generate_challenge_certification(self):
self.assertIsNotNone(evidence.chosen_parameters)
+ def test_generate_challenge_certification_length(self):
+ """Test that generate_challenge produces a challenge of the correct length"""
+ evidence = EvidenceItem.empty()
+ evidence.evidence_class = "certification"
+
+ with patch.object(evidence, "refresh_metadata"):
+ evidence.generate_challenge(128)
+
+ self.assertIsNotNone(evidence.chosen_parameters)
+ self.assertIsNotNone(evidence.chosen_parameters.challenge)
+ self.assertEqual(len(evidence.chosen_parameters.challenge), 16) # 128 bits = 16 bytes
+
+ def test_generate_challenge_is_random(self):
+ """Test that generate_challenge produces unique random nonces"""
+ evidence1 = EvidenceItem.empty()
+ evidence1.evidence_class = "certification"
+ evidence2 = EvidenceItem.empty()
+ evidence2.evidence_class = "certification"
+
+ with patch.object(evidence1, "refresh_metadata"), \
+ patch.object(evidence2, "refresh_metadata"):
+ evidence1.generate_challenge(128)
+ evidence2.generate_challenge(128)
+
+ self.assertNotEqual(
+ evidence1.chosen_parameters.challenge,
+ evidence2.chosen_parameters.challenge,
+ "Two separately generated challenges must not be identical",
+ )
+
def test_generate_challenge_non_certification_raises(self):
"""Test that generating challenge for non-certification raises ValueError"""
evidence = EvidenceItem.empty()
--
2.49.0

View File

@ -14,7 +14,7 @@
Name: keylime
Version: 7.14.1
Release: 5%{?dist}
Release: 5%{?dist}.1
Summary: Open source TPM software for Bootstrapping and Maintaining Trust
URL: https://github.com/keylime/keylime
@ -36,15 +36,15 @@ Patch: 0009-db-Clean-up-scoped-session-after-each-request.patch
Patch: 0010-fix-Check-active-flag-in-_extract_identity-and-guard.patch
Patch: 0011-fix-Add-fork-safety-to-DBManager-via-dispose.patch
# RHEL-154295 - memleaks in verifier push-mode.
# RHEL-154776 - memleaks in verifier push-mode.
# Backport https://github.com/keylime/keylime/pull/1866
Patch: 0012-fix-mem-leak-remove-unbounded-functools.cache-from-l.patch
# RHEL-153121 - fix verifier race condition on agent delete.
# RHEL-167448 - fix verifier race condition on agent delete.
# Backport https://github.com/keylime/keylime/pulls/1874
Patch: 0013-fix-verifier-race-condition-on-agent-delete.patch
# RHEL-151493 - verifier graceful shutdown.
# RHEL-167447 - verifier graceful shutdown.
# Backport:
# - https://github.com/keylime/keylime/pull/1809
# - https://github.com/keylime/keylime/pull/1868
@ -59,6 +59,10 @@ Patch: 0017-verifier-graceful-shutdown.patch
Patch: 0018-ignore-sigterm-sigint-manager-parent-processes.patch
Patch: 0019-move-socket-var-run.patch
# RHEL-168795 - Fix hardcoded attestation challenge nonce (CVE-2026-6420).
# Backport https://github.com/keylime/keylime/commit/5e1ac3f4d70e55cd72673ead3dcf88259798c33a
Patch: 0020-verifier-Fix-hardcoded-attestation-challenge-nonce.patch
# Main program: Apache-2.0
# Icons: MIT
License: Apache-2.0 AND MIT
@ -500,16 +504,20 @@ fi
%changelog
## START: Generated by rpmautospec
* Tue Jun 02 2026 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.14.1-6
- keylime: Fix hardcoded attestation challenge nonce (CVE-2026-6420)
[RHEL-168795]
* Fri Apr 17 2026 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.14.1-5
- Implement verifier graceful shutdown
* Tue Apr 14 2026 Sergio Arroutbi <sarroutb@redhat.com> - 7.14.1-4
* Thu Apr 16 2026 Sergio Arroutbi <sarroutb@redhat.com> - 7.14.1-4
- Fix verifier race condition on agent delete
* Wed Apr 01 2026 Sergio Correia <scorreia@redhat.com> - 7.14.1-3
- Remove unbounded functools.cache from latest_attestation
* Mon Mar 23 2026 Sergio Arroutbi <sarroutb@redhat.com> - 7.14.1-2
* Tue Mar 31 2026 Sergio Arroutbi <sarroutb@redhat.com> - 7.14.1-2
- Add patches to fix DB connection leaks
* Fri Feb 13 2026 Sergio Correia <scorreia@redhat.com> - 7.14.1-1