Fix CVE-2025-49133, RHEL-96246

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2025-06-16 12:36:23 +04:00 · 2025-06-16 12:36:23 +04:00 · a253066f84
commit a253066f84
parent e4d49dafd8
2 changed files with 58 additions and 1 deletions
--- a/0001-tpm2-CVE-2025-49133-fix.patch
+++ b/0001-tpm2-CVE-2025-49133-fix.patch
@ -0,0 +1,52 @@
+From 0b1db4bd1c668c56f1d893c9ed19a94d46c228f7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Wed, 11 Jun 2025 23:05:08 +0400
+Subject: [PATCH] tpm2: CVE-2025-49133 fix
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Based from upstream commit 04b2d8e9afc ("tpm2: Fix potential
+out-of-bound access & abort due to HMAC signing issue")
+
+Fix an HMAC signing issue that may causes an out-of-bounds access in a
+TPM2B that in turn was running into an assert() in libtpms causing an
+abort. The signing issue was due to an inconsistent pairing of the signKey
+and signScheme parameters, where the signKey is ALG_KEYEDHASH key and
+inScheme is an ECC or RSA scheme.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+---
+ src/tpm2/CryptUtil.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c
+index 8fae5b6..aadf7f6 100644
+--- a/src/tpm2/CryptUtil.c
+++ b/src/tpm2/CryptUtil.c
+@@ -79,12 +79,16 @@ CryptHmacSign(
+ {
+     HMAC_STATE       hmacState;
+     UINT32           digestSize;
+-    digestSize = CryptHmacStart2B(&hmacState, signature->signature.any.hashAlg,
+-				  &signKey->sensitive.sensitive.bits.b);
+-    CryptDigestUpdate2B(&hmacState.hashState, &hashData->b);
+-    CryptHmacEnd(&hmacState, digestSize,
+-		 (BYTE *)&signature->signature.hmac.digest);
+-    return TPM_RC_SUCCESS;
+    if (signature->sigAlg == TPM_ALG_HMAC)
+    {
+        digestSize = CryptHmacStart2B(&hmacState, signature->signature.any.hashAlg,
+                                      &signKey->sensitive.sensitive.bits.b);
+        CryptDigestUpdate2B(&hmacState.hashState, &hashData->b);
+        CryptHmacEnd(&hmacState, digestSize,
+                     (BYTE *)&signature->signature.hmac.digest);
+        return TPM_RC_SUCCESS;
+    }
+    return TPM_RC_SCHEME;
+ }
+ /* 10.2.6.3.2 CryptHMACVerifySignature() */
+ /* This function will verify a signature signed by a HMAC key. Note that a caller needs to prepare
+-- 
+2.49.0
+
--- a/libtpms.spec
+++ b/libtpms.spec
@ -1,6 +1,6 @@
 Name:           libtpms
 Version:        0.9.6
-Release:        10%{?dist}
+Release:        11%{?dist}
 Summary:        Library providing Trusted Platform Module (TPM) functionality
 License:        BSD-3-Clause AND LicenseRef-TCGL

@ -11,6 +11,7 @@ Source1:        %{url}/releases/download/v%{version}/v%{version}.tar.gz.asc#/%{n
 Source2:        gpgkey-B818B9CADF9089C2D5CEC66B75AD65802A0B4211.asc

 Patch0001:      0001-tpm2-Return-TPM_RC_VALUE-upon-decryption-failure.patch
+Patch0002:      0001-tpm2-CVE-2025-49133-fix.patch

 BuildRequires:  autoconf
 BuildRequires:  automake
@ -65,6 +66,10 @@ make check
 %{_mandir}/man3/TPM*

 %changelog
+* Mon Jun 16 2025 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.6-11
+- Fix CVE-2025-49133
+  Resolves: RHEL-96247
+
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.9.6-10
 - Bump release for October 2024 mass rebuild:
  Resolves: RHEL-64018