From 2e9a34e34d90066f87074df9e967ad0553e75931 Mon Sep 17 00:00:00 2001 From: Andrew Lukoshko Date: Thu, 7 Aug 2025 11:42:21 +0000 Subject: [PATCH] import CS libtpms-0.9.1-3.20211126git1ff6fe1f43.el8 --- SOURCES/0001-tpm2-CVE-2025-49133-fix.patch | 52 ++++++++++++++++++++++ SPECS/libtpms.spec | 7 ++- 2 files changed, 58 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0001-tpm2-CVE-2025-49133-fix.patch diff --git a/SOURCES/0001-tpm2-CVE-2025-49133-fix.patch b/SOURCES/0001-tpm2-CVE-2025-49133-fix.patch new file mode 100644 index 0000000..1360f37 --- /dev/null +++ b/SOURCES/0001-tpm2-CVE-2025-49133-fix.patch @@ -0,0 +1,52 @@ +From 0b1db4bd1c668c56f1d893c9ed19a94d46c228f7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Wed, 11 Jun 2025 23:05:08 +0400 +Subject: [PATCH] tpm2: CVE-2025-49133 fix +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Based from upstream commit 04b2d8e9afc ("tpm2: Fix potential +out-of-bound access & abort due to HMAC signing issue") + +Fix an HMAC signing issue that may causes an out-of-bounds access in a +TPM2B that in turn was running into an assert() in libtpms causing an +abort. The signing issue was due to an inconsistent pairing of the signKey +and signScheme parameters, where the signKey is ALG_KEYEDHASH key and +inScheme is an ECC or RSA scheme. + +Signed-off-by: Marc-André Lureau +--- + src/tpm2/CryptUtil.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c +index 9879f91..4154d50 100644 +--- a/src/tpm2/CryptUtil.c ++++ b/src/tpm2/CryptUtil.c +@@ -79,12 +79,16 @@ CryptHmacSign( + { + HMAC_STATE hmacState; + UINT32 digestSize; +- digestSize = CryptHmacStart2B(&hmacState, signature->signature.any.hashAlg, +- &signKey->sensitive.sensitive.bits.b); +- CryptDigestUpdate2B(&hmacState.hashState, &hashData->b); +- CryptHmacEnd(&hmacState, digestSize, +- (BYTE *)&signature->signature.hmac.digest); +- return TPM_RC_SUCCESS; ++ if (signature->sigAlg == TPM_ALG_HMAC) ++ { ++ digestSize = CryptHmacStart2B(&hmacState, signature->signature.any.hashAlg, ++ &signKey->sensitive.sensitive.bits.b); ++ CryptDigestUpdate2B(&hmacState.hashState, &hashData->b); ++ CryptHmacEnd(&hmacState, digestSize, ++ (BYTE *)&signature->signature.hmac.digest); ++ return TPM_RC_SUCCESS; ++ } ++ return TPM_RC_SCHEME; + } + /* 10.2.6.3.2 CryptHMACVerifySignature() */ + /* This function will verify a signature signed by a HMAC key. Note that a caller needs to prepare +-- +2.49.0 + diff --git a/SPECS/libtpms.spec b/SPECS/libtpms.spec index 92e010d..1eb22d0 100644 --- a/SPECS/libtpms.spec +++ b/SPECS/libtpms.spec @@ -3,7 +3,7 @@ Name: libtpms Version: 0.9.1 -Release: 2.%{gitdate}git%{gitversion}%{?dist} +Release: 3.%{gitdate}git%{gitversion}%{?dist} Summary: Library providing Trusted Platform Module (TPM) functionality License: BSD @@ -12,6 +12,7 @@ Source0: libtpms-%{gitdate}.tar.xz ExcludeArch: i686 Patch0003: 0001-tpm2-When-writing-state-initialize-s_ContextSlotMask.patch Patch0004: 0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch +Patch0006: 0001-tpm2-CVE-2025-49133-fix.patch BuildRequires: openssl-devel BuildRequires: pkgconfig gawk sed @@ -59,6 +60,10 @@ find %{buildroot} -type f -name '*.la' | xargs rm -f -- || : %{_mandir}/man3/* %changelog +* Tue Jun 17 2025 Marc-André Lureau - 0.9.1-3.20211126git1ff6fe1f43 +- Fix CVE-2025-49133 + Resolves: RHEL-96251 + * Tue Mar 21 2023 Marc-André Lureau - 0.9.1-2.20211126git1ff6fe1f43 - Backport "tpm2: Check size of buffer before accessing it" (CVE-2023-1017 & CVE-2023-1018) Resolves: rhbz#2173964