import CS libtpms-0.9.1-3.20211126git1ff6fe1f43.el8

2025-08-07 11:42:21 +00:00 · 2025-08-07 11:42:21 +00:00 · 2e9a34e34d
commit 2e9a34e34d
parent 86b8f6f47d
2 changed files with 58 additions and 1 deletions
--- a/SOURCES/0001-tpm2-CVE-2025-49133-fix.patch
+++ b/SOURCES/0001-tpm2-CVE-2025-49133-fix.patch
@ -0,0 +1,52 @@
+From 0b1db4bd1c668c56f1d893c9ed19a94d46c228f7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Wed, 11 Jun 2025 23:05:08 +0400
+Subject: [PATCH] tpm2: CVE-2025-49133 fix
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Based from upstream commit 04b2d8e9afc ("tpm2: Fix potential
+out-of-bound access & abort due to HMAC signing issue")
+
+Fix an HMAC signing issue that may causes an out-of-bounds access in a
+TPM2B that in turn was running into an assert() in libtpms causing an
+abort. The signing issue was due to an inconsistent pairing of the signKey
+and signScheme parameters, where the signKey is ALG_KEYEDHASH key and
+inScheme is an ECC or RSA scheme.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+---
+ src/tpm2/CryptUtil.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c
+index 9879f91..4154d50 100644
+--- a/src/tpm2/CryptUtil.c
+++ b/src/tpm2/CryptUtil.c
+@@ -79,12 +79,16 @@ CryptHmacSign(
+ {
+     HMAC_STATE       hmacState;
+     UINT32           digestSize;
+-    digestSize = CryptHmacStart2B(&hmacState, signature->signature.any.hashAlg,
+-				  &signKey->sensitive.sensitive.bits.b);
+-    CryptDigestUpdate2B(&hmacState.hashState, &hashData->b);
+-    CryptHmacEnd(&hmacState, digestSize,
+-		 (BYTE *)&signature->signature.hmac.digest);
+-    return TPM_RC_SUCCESS;
+    if (signature->sigAlg == TPM_ALG_HMAC)
+    {
+        digestSize = CryptHmacStart2B(&hmacState, signature->signature.any.hashAlg,
+                                      &signKey->sensitive.sensitive.bits.b);
+        CryptDigestUpdate2B(&hmacState.hashState, &hashData->b);
+        CryptHmacEnd(&hmacState, digestSize,
+                     (BYTE *)&signature->signature.hmac.digest);
+        return TPM_RC_SUCCESS;
+    }
+    return TPM_RC_SCHEME;
+ }
+ /* 10.2.6.3.2 CryptHMACVerifySignature() */
+ /* This function will verify a signature signed by a HMAC key. Note that a caller needs to prepare
+-- 
+2.49.0
+
--- a/SPECS/libtpms.spec
+++ b/SPECS/libtpms.spec
@ -3,7 +3,7 @@

 Name:           libtpms
 Version:        0.9.1
-Release:        2.%{gitdate}git%{gitversion}%{?dist}
+Release:        3.%{gitdate}git%{gitversion}%{?dist}

 Summary: Library providing Trusted Platform Module (TPM) functionality
 License:        BSD
@ -12,6 +12,7 @@ Source0:        libtpms-%{gitdate}.tar.xz
 ExcludeArch:    i686
 Patch0003:      0001-tpm2-When-writing-state-initialize-s_ContextSlotMask.patch
 Patch0004:      0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
+Patch0006:      0001-tpm2-CVE-2025-49133-fix.patch

 BuildRequires:  openssl-devel
 BuildRequires:  pkgconfig gawk sed
@ -59,6 +60,10 @@ find %{buildroot} -type f -name '*.la' | xargs rm -f -- || :
 %{_mandir}/man3/*

 %changelog
+* Tue Jun 17 2025 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.1-3.20211126git1ff6fe1f43
+- Fix CVE-2025-49133
+  Resolves: RHEL-96251
+
 * Tue Mar 21 2023 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.1-2.20211126git1ff6fe1f43
 - Backport "tpm2: Check size of buffer before accessing it" (CVE-2023-1017 & CVE-2023-1018)
  Resolves: rhbz#2173964