From a253066f84613033949f68dd3103d23de9b97bdb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Date: Mon, 16 Jun 2025 12:36:23 +0400 Subject: [PATCH] Fix CVE-2025-49133, RHEL-96246 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marc-André Lureau --- 0001-tpm2-CVE-2025-49133-fix.patch | 52 ++++++++++++++++++++++++++++++ libtpms.spec | 7 +++- 2 files changed, 58 insertions(+), 1 deletion(-) create mode 100644 0001-tpm2-CVE-2025-49133-fix.patch diff --git a/0001-tpm2-CVE-2025-49133-fix.patch b/0001-tpm2-CVE-2025-49133-fix.patch new file mode 100644 index 0000000..0aa10de --- /dev/null +++ b/0001-tpm2-CVE-2025-49133-fix.patch @@ -0,0 +1,52 @@ +From 0b1db4bd1c668c56f1d893c9ed19a94d46c228f7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Wed, 11 Jun 2025 23:05:08 +0400 +Subject: [PATCH] tpm2: CVE-2025-49133 fix +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Based from upstream commit 04b2d8e9afc ("tpm2: Fix potential +out-of-bound access & abort due to HMAC signing issue") + +Fix an HMAC signing issue that may causes an out-of-bounds access in a +TPM2B that in turn was running into an assert() in libtpms causing an +abort. The signing issue was due to an inconsistent pairing of the signKey +and signScheme parameters, where the signKey is ALG_KEYEDHASH key and +inScheme is an ECC or RSA scheme. + +Signed-off-by: Marc-André Lureau +--- + src/tpm2/CryptUtil.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c +index 8fae5b6..aadf7f6 100644 +--- a/src/tpm2/CryptUtil.c ++++ b/src/tpm2/CryptUtil.c +@@ -79,12 +79,16 @@ CryptHmacSign( + { + HMAC_STATE hmacState; + UINT32 digestSize; +- digestSize = CryptHmacStart2B(&hmacState, signature->signature.any.hashAlg, +- &signKey->sensitive.sensitive.bits.b); +- CryptDigestUpdate2B(&hmacState.hashState, &hashData->b); +- CryptHmacEnd(&hmacState, digestSize, +- (BYTE *)&signature->signature.hmac.digest); +- return TPM_RC_SUCCESS; ++ if (signature->sigAlg == TPM_ALG_HMAC) ++ { ++ digestSize = CryptHmacStart2B(&hmacState, signature->signature.any.hashAlg, ++ &signKey->sensitive.sensitive.bits.b); ++ CryptDigestUpdate2B(&hmacState.hashState, &hashData->b); ++ CryptHmacEnd(&hmacState, digestSize, ++ (BYTE *)&signature->signature.hmac.digest); ++ return TPM_RC_SUCCESS; ++ } ++ return TPM_RC_SCHEME; + } + /* 10.2.6.3.2 CryptHMACVerifySignature() */ + /* This function will verify a signature signed by a HMAC key. Note that a caller needs to prepare +-- +2.49.0 + diff --git a/libtpms.spec b/libtpms.spec index 931ac43..8aecb8c 100644 --- a/libtpms.spec +++ b/libtpms.spec @@ -1,6 +1,6 @@ Name: libtpms Version: 0.9.6 -Release: 10%{?dist} +Release: 11%{?dist} Summary: Library providing Trusted Platform Module (TPM) functionality License: BSD-3-Clause AND LicenseRef-TCGL @@ -11,6 +11,7 @@ Source1: %{url}/releases/download/v%{version}/v%{version}.tar.gz.asc#/%{n Source2: gpgkey-B818B9CADF9089C2D5CEC66B75AD65802A0B4211.asc Patch0001: 0001-tpm2-Return-TPM_RC_VALUE-upon-decryption-failure.patch +Patch0002: 0001-tpm2-CVE-2025-49133-fix.patch BuildRequires: autoconf BuildRequires: automake @@ -65,6 +66,10 @@ make check %{_mandir}/man3/TPM* %changelog +* Mon Jun 16 2025 Marc-André Lureau - 0.9.6-11 +- Fix CVE-2025-49133 + Resolves: RHEL-96247 + * Tue Oct 29 2024 Troy Dawson - 0.9.6-10 - Bump release for October 2024 mass rebuild: Resolves: RHEL-64018