3 changed files with 116 additions and 1 deletions
--- a/SOURCES/0001-tpm2-CVE-2025-49133-fix.patch
+++ b/SOURCES/0001-tpm2-CVE-2025-49133-fix.patch
@ -0,0 +1,52 @@
 From 0b1db4bd1c668c56f1d893c9ed19a94d46c228f7 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
 Date: Wed, 11 Jun 2025 23:05:08 +0400
 Subject: [PATCH] tpm2: CVE-2025-49133 fix
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Based from upstream commit 04b2d8e9afc ("tpm2: Fix potential
 out-of-bound access & abort due to HMAC signing issue")
 Fix an HMAC signing issue that may causes an out-of-bounds access in a
 TPM2B that in turn was running into an assert() in libtpms causing an
 abort. The signing issue was due to an inconsistent pairing of the signKey
 and signScheme parameters, where the signKey is ALG_KEYEDHASH key and
 inScheme is an ECC or RSA scheme.
 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
 ---
 src/tpm2/CryptUtil.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
 diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c
 index 9879f91..4154d50 100644
 --- a/src/tpm2/CryptUtil.c
 +++ b/src/tpm2/CryptUtil.c
@@ -79,12 +79,16 @@ CryptHmacSign(
 {
     HMAC_STATE       hmacState;
     UINT32           digestSize;
 -    digestSize = CryptHmacStart2B(&hmacState, signature->signature.any.hashAlg,
 -				  &signKey->sensitive.sensitive.bits.b);
 -    CryptDigestUpdate2B(&hmacState.hashState, &hashData->b);
 -    CryptHmacEnd(&hmacState, digestSize,
 -		 (BYTE *)&signature->signature.hmac.digest);
 -    return TPM_RC_SUCCESS;
 +    if (signature->sigAlg == TPM_ALG_HMAC)
 +    {
 +        digestSize = CryptHmacStart2B(&hmacState, signature->signature.any.hashAlg,
 +                                      &signKey->sensitive.sensitive.bits.b);
 +        CryptDigestUpdate2B(&hmacState.hashState, &hashData->b);
 +        CryptHmacEnd(&hmacState, digestSize,
 +                     (BYTE *)&signature->signature.hmac.digest);
 +        return TPM_RC_SUCCESS;
 +    }
 +    return TPM_RC_SCHEME;
 }
 /* 10.2.6.3.2 CryptHMACVerifySignature() */
 /* This function will verify a signature signed by a HMAC key. Note that a caller needs to prepare
 -- 
 2.49.0
--- a/SOURCES/0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
+++ b/SOURCES/0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
@ -0,0 +1,52 @@
 From 324dbb4c27ae789c73b69dbf4611242267919dd4 Mon Sep 17 00:00:00 2001
 From: Stefan Berger <stefanb@linux.ibm.com>
 Date: Mon, 20 Feb 2023 14:41:10 -0500
 Subject: [PATCH] tpm2: Check size of buffer before accessing it (CVE-2023-1017
 & -1018)
 Check that there are sufficient bytes in the buffer before reading the
 cipherSize from it. Also, reduce the bufferSize variable by the number
 of bytes that make up the cipherSize to avoid reading and writing bytes
 beyond the buffer in subsequent steps that do in-place decryption.
 This fixes CVE-2023-1017 & CVE-2023-1018.
 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 ---
 src/tpm2/CryptUtil.c | 6 ++++++
 1 file changed, 6 insertions(+)
 diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c
 index 002fde0..8fae5b6 100644
 --- a/src/tpm2/CryptUtil.c
 +++ b/src/tpm2/CryptUtil.c
@@ -830,6 +830,10 @@ CryptParameterDecryption(
 			  + sizeof(session->sessionKey.t.buffer)));
     TPM2B_HMAC_KEY          key;            // decryption key
     UINT32                  cipherSize = 0; // size of cipher text
 +
 +    if (leadingSizeInByte > bufferSize)
 +	return TPM_RC_INSUFFICIENT;
 +
     // Retrieve encrypted data size.
     if(leadingSizeInByte == 2)
 	{
@@ -837,6 +841,7 @@ CryptParameterDecryption(
 	    // data to be decrypted
 	    cipherSize = (UINT32)BYTE_ARRAY_TO_UINT16(buffer);
 	    buffer = &buffer[2];   // advance the buffer
 +	    bufferSize -= 2;
 	}
 #ifdef  TPM4B
     else if(leadingSizeInByte == 4)
@@ -844,6 +849,7 @@ CryptParameterDecryption(
 	    // the leading size is four bytes so get the four byte size field
 	    cipherSize = BYTE_ARRAY_TO_UINT32(buffer);
 	    buffer = &buffer[4];   //advance pointer
 +	    bufferSize -= 4;
 	}
 #endif
     else
 -- 
 2.39.2
--- a/SPECS/libtpms.spec
+++ b/SPECS/libtpms.spec
@ -3,7 +3,7 @@
 Name:           libtpms
 Version:        0.9.1
-Release:        1.%{gitdate}git%{gitversion}%{?dist}
+Release:        3.%{gitdate}git%{gitversion}%{?dist}
 Summary: Library providing Trusted Platform Module (TPM) functionality
 License:        BSD
@ -11,6 +11,8 @@ Url:            http://github.com/stefanberger/libtpms
 Source0:        libtpms-%{gitdate}.tar.xz
 ExcludeArch:    i686
 Patch0003:      0001-tpm2-When-writing-state-initialize-s_ContextSlotMask.patch
 Patch0004:      0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
 Patch0006:      0001-tpm2-CVE-2025-49133-fix.patch
 BuildRequires:  openssl-devel
 BuildRequires:  pkgconfig gawk sed
@ -58,6 +60,15 @@ find %{buildroot} -type f -name '*.la' | xargs rm -f -- || :
 %{_mandir}/man3/*
 %changelog
 * Tue Jun 17 2025 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.1-3.20211126git1ff6fe1f43
 - Fix CVE-2025-49133
  Resolves: RHEL-96251
 * Tue Mar 21 2023 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.1-2.20211126git1ff6fe1f43
 - Backport "tpm2: Check size of buffer before accessing it" (CVE-2023-1017 & CVE-2023-1018)
  Resolves: rhbz#2173964
  Resolves: rhbz#2173970
 * Thu Jul 28 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.1-1.20211126git1ff6fe1f43
 - Backport s_ContextSlotMask initialization fix
  Resolves: rhbz#2111433