From 6d4888f7953cae549ea330e29a561d5f6aca4017 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 8 Mar 2022 18:13:02 +0000 Subject: [PATCH] Backport DoS fix from 115 Signed-off-by: Robbie Harwood --- ...fikeygen-Fix-the-build-with-nss-3.44.patch | 7 +-- 0002-pesigcheck-Fix-a-wrong-assignment.patch | 7 +-- ...t-and-server-work-with-the-113-proto.patch | 49 +++++++++---------- 0004-Rename-var-run-to-run.patch | 9 ++-- ...c-got-updated-and-the-token-name-cha.patch | 7 +-- ...-run-and-var-run-for-the-socket-path.patch | 13 ++--- 0007-client-remove-an-extra-debug-print.patch | 9 ++-- ...ros.pesign-to-pesign-rpmbuild-helper.patch | 17 +++---- 0009-pesign-authorize-shellcheck.patch | 9 ++-- ...ize-don-t-setfacl-etc-pki-pesign-foo.patch | 9 ++-- 0011-kernel-building-hack.patch | 9 ++-- 0012-Use-run-not-var-run.patch | 41 +++++++--------- 0013-Turn-off-Wfree-nonheap-object.patch | 32 ++++++++++++ 0014-Fix-bad-free-of-cms-data-DoS-only.patch | 39 +++++++++++++++ ...daemon-remove-always-true-comparison.patch | 25 ++++++++++ pesign.spec | 7 ++- 16 files changed, 177 insertions(+), 112 deletions(-) create mode 100644 0013-Turn-off-Wfree-nonheap-object.patch create mode 100644 0014-Fix-bad-free-of-cms-data-DoS-only.patch create mode 100644 0015-daemon-remove-always-true-comparison.patch diff --git a/0001-efikeygen-Fix-the-build-with-nss-3.44.patch b/0001-efikeygen-Fix-the-build-with-nss-3.44.patch index e583369..d9dd6d8 100644 --- a/0001-efikeygen-Fix-the-build-with-nss-3.44.patch +++ b/0001-efikeygen-Fix-the-build-with-nss-3.44.patch @@ -1,4 +1,4 @@ -From b535d1ac5cbcdf18a97d97a92581e38080d9e521 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 14 May 2019 11:28:38 -0400 Subject: [PATCH] efikeygen: Fix the build with nss 3.44 @@ -28,7 +28,7 @@ Signed-off-by: Peter Jones 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/efikeygen.c b/src/efikeygen.c -index ede76ef0b48..2cd953e9781 100644 +index 121a238..848480a 100644 --- a/src/efikeygen.c +++ b/src/efikeygen.c @@ -208,7 +208,7 @@ static int @@ -40,6 +40,3 @@ index ede76ef0b48..2cd953e9781 100644 if (is_ca) type |= NS_CERT_TYPE_SSL_CA | --- -2.23.0 - diff --git a/0002-pesigcheck-Fix-a-wrong-assignment.patch b/0002-pesigcheck-Fix-a-wrong-assignment.patch index 7df5f0b..d51a6d8 100644 --- a/0002-pesigcheck-Fix-a-wrong-assignment.patch +++ b/0002-pesigcheck-Fix-a-wrong-assignment.patch @@ -1,4 +1,4 @@ -From c555fd74c009242c3864576bd5f17a1f8f4fdffd Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 18 Feb 2020 16:28:56 -0500 Subject: [PATCH] pesigcheck: Fix a wrong assignment @@ -23,7 +23,7 @@ Signed-off-by: Peter Jones 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/pesigcheck.c b/src/pesigcheck.c -index 524cce307bf..8fa0f1ad03d 100644 +index 524cce3..8fa0f1a 100644 --- a/src/pesigcheck.c +++ b/src/pesigcheck.c @@ -318,7 +318,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons, @@ -44,6 +44,3 @@ index 524cce307bf..8fa0f1ad03d 100644 nreason += 1; has_valid_cert = true; } --- -2.24.1 - diff --git a/0003-Make-0.112-client-and-server-work-with-the-113-proto.patch b/0003-Make-0.112-client-and-server-work-with-the-113-proto.patch index e639675..cb5dd57 100644 --- a/0003-Make-0.112-client-and-server-work-with-the-113-proto.patch +++ b/0003-Make-0.112-client-and-server-work-with-the-113-proto.patch @@ -1,4 +1,4 @@ -From 84547e6b7173e4b10a1931fd25f329ea9a8f68b0 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 11 Jun 2020 16:23:14 -0400 Subject: [PATCH] Make 0.112 client and server work with the 113 protocol and @@ -11,16 +11,16 @@ the file type was added. 
Signed-off-by: Peter Jones --- - src/client.c | 74 +++++++++++++++++++++++++++++++++++++--------------- - src/daemon.c | 63 +++++++++++++++++++++++++++++--------------- + src/client.c | 74 +++++++++++++++++++++++++++++++++++++++++++----------------- + src/daemon.c | 63 ++++++++++++++++++++++++++++++++++----------------- src/daemon.h | 2 ++ 3 files changed, 97 insertions(+), 42 deletions(-) diff --git a/src/client.c b/src/client.c -index aa373abd981..57bcc09cbe8 100644 +index 4a9a44e..a4f1d1d 100644 --- a/src/client.c +++ b/src/client.c -@@ -11,6 +11,7 @@ +@@ -23,6 +23,7 @@ #include #include #include @@ -28,7 +28,7 @@ index aa373abd981..57bcc09cbe8 100644 #include #include #include -@@ -84,8 +85,8 @@ connect_to_server(void) +@@ -96,8 +97,8 @@ connect_to_server(void) static int32_t check_response(int sd, char **srvmsg); @@ -39,7 +39,7 @@ index aa373abd981..57bcc09cbe8 100644 { struct msghdr msg; struct iovec iov[1]; -@@ -104,7 +105,7 @@ check_cmd_version(int sd, uint32_t command, char *name, int32_t version) +@@ -116,7 +117,7 @@ check_cmd_version(int sd, uint32_t command, char *name, int32_t version) ssize_t n; n = sendmsg(sd, &msg, 0); if (n < 0) { @@ -48,7 +48,7 @@ index aa373abd981..57bcc09cbe8 100644 exit(1); } -@@ -120,11 +121,17 @@ check_cmd_version(int sd, uint32_t command, char *name, int32_t version) +@@ -132,11 +133,17 @@ check_cmd_version(int sd, uint32_t command, char *name, int32_t version) char *srvmsg = NULL; int32_t rc = check_response(sd, &srvmsg); @@ -68,7 +68,7 @@ index aa373abd981..57bcc09cbe8 100644 } static void -@@ -134,7 +141,7 @@ send_kill_daemon(int sd) +@@ -146,7 +153,7 @@ send_kill_daemon(int sd) struct iovec iov; pesignd_msghdr pm; @@ -77,7 +77,7 @@ index aa373abd981..57bcc09cbe8 100644 pm.version = PESIGND_VERSION; pm.command = CMD_KILL_DAEMON; -@@ -276,7 +283,7 @@ unlock_token(int sd, char *tokenname, char *pin) +@@ -288,7 +295,7 @@ unlock_token(int sd, char *tokenname, char *pin) uint32_t size1 = pesignd_string_size(pin); 
@@ -86,7 +86,7 @@ index aa373abd981..57bcc09cbe8 100644 pm.version = PESIGND_VERSION; pm.command = CMD_UNLOCK_TOKEN; -@@ -353,7 +360,7 @@ is_token_unlocked(int sd, char *tokenname) +@@ -365,7 +372,7 @@ is_token_unlocked(int sd, char *tokenname) uint32_t size0 = pesignd_string_size(tokenname); @@ -95,7 +95,7 @@ index aa373abd981..57bcc09cbe8 100644 pm.version = PESIGND_VERSION; pm.command = CMD_IS_TOKEN_UNLOCKED; -@@ -452,6 +459,9 @@ static void +@@ -464,6 +471,9 @@ static void sign(int sd, char *infile, char *outfile, char *tokenname, char *certname, int attached, uint32_t format) { @@ -105,7 +105,7 @@ index aa373abd981..57bcc09cbe8 100644 int infd = open(infile, O_RDONLY); if (infd < 0) { fprintf(stderr, "pesign-client: could not open input file " -@@ -481,12 +491,28 @@ oom: +@@ -493,12 +503,28 @@ oom: exit(1); } @@ -138,7 +138,7 @@ index aa373abd981..57bcc09cbe8 100644 iov[0].iov_base = pm; iov[0].iov_len = sizeof (*pm); -@@ -503,25 +529,31 @@ oom: +@@ -515,25 +541,31 @@ oom: } char *buffer; @@ -178,7 +178,7 @@ index aa373abd981..57bcc09cbe8 100644 n = sendmsg(sd, &msg, 0); if (n < 0) { -@@ -535,7 +567,7 @@ oom: +@@ -547,7 +579,7 @@ oom: send_fd(sd, outfd); char *srvmsg = NULL; @@ -188,10 +188,10 @@ index aa373abd981..57bcc09cbe8 100644 fprintf(stderr, "pesign-client: signing failed: \"%s\"\n", srvmsg); diff --git a/src/daemon.c b/src/daemon.c -index 9374d59be30..494beb9af72 100644 +index 84b9ebc..8522250 100644 --- a/src/daemon.c +++ b/src/daemon.c -@@ -12,6 +12,7 @@ +@@ -25,6 +25,7 @@ #include #include #include @@ -199,7 +199,7 @@ index 9374d59be30..494beb9af72 100644 #include #include #include -@@ -561,7 +562,7 @@ out: +@@ -569,7 +570,7 @@ out: static void handle_signing(context *ctx, struct pollfd *pollfd, socklen_t size, @@ -208,7 +208,7 @@ index 9374d59be30..494beb9af72 100644 { struct msghdr msg; struct iovec iov; -@@ -585,8 +586,12 @@ oom: +@@ -593,8 +594,12 @@ oom: n = recvmsg(pollfd->fd, &msg, MSG_WAITALL); 
@@ -223,7 +223,7 @@ index 9374d59be30..494beb9af72 100644 pesignd_string *tn = (pesignd_string *)(buffer + sizeof(uint32_t)); if (n < (long long)sizeof(tn->size)) { -@@ -666,34 +671,44 @@ finish: +@@ -674,34 +679,44 @@ finish: teardown_digests(ctx->cms); } @@ -286,7 +286,7 @@ index 9374d59be30..494beb9af72 100644 } static void -@@ -725,6 +740,12 @@ cmd_table_t cmd_table[] = { +@@ -733,6 +748,12 @@ cmd_table_t cmd_table[] = { { CMD_UNLOCK_TOKEN, handle_unlock_token, "unlock-token", 0 }, { CMD_SIGN_ATTACHED, handle_sign_attached, "sign-attached", 0 }, { CMD_SIGN_DETACHED, handle_sign_detached, "sign-detached", 0 }, @@ -300,10 +300,10 @@ index 9374d59be30..494beb9af72 100644 { CMD_IS_TOKEN_UNLOCKED, handle_is_token_unlocked, "is-token-unlocked", 0 }, diff --git a/src/daemon.h b/src/daemon.h -index dd430512f1a..834d62c72d0 100644 +index 69384ce..0368dc9 100644 --- a/src/daemon.h +++ b/src/daemon.h -@@ -33,6 +33,8 @@ typedef enum { +@@ -45,6 +45,8 @@ typedef enum { CMD_RESPONSE, CMD_IS_TOKEN_UNLOCKED, CMD_GET_CMD_VERSION, @@ -312,6 +312,3 @@ index dd430512f1a..834d62c72d0 100644 CMD_LIST_END } pesignd_cmd; --- -2.26.2 - diff --git a/0004-Rename-var-run-to-run.patch b/0004-Rename-var-run-to-run.patch index 593761b..70f3203 100644 --- a/0004-Rename-var-run-to-run.patch +++ b/0004-Rename-var-run-to-run.patch @@ -1,4 +1,4 @@ -From f886b7088dfea224e28c03b097c85c9bc20f5441 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Fri, 12 Jun 2020 11:49:44 -0400 Subject: [PATCH] Rename /var/run/ to /run/ @@ -10,7 +10,7 @@ Signed-off-by: Peter Jones 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/macros.pesign b/src/macros.pesign -index 56f75cafbc4..5a6da1c6809 100644 +index 7c5cba1..21bf391 100644 --- a/src/macros.pesign +++ b/src/macros.pesign @@ -45,14 +45,14 @@ @@ -35,12 +35,9 @@ index 56f75cafbc4..5a6da1c6809 100644 -c %{__pesign_client_cert} \\\ %{-i} %{-o} %{-e} %{-s} %{-C} \ 
diff --git a/src/tmpfiles.conf b/src/tmpfiles.conf -index c1cf35597d8..3375ad52a44 100644 +index c1cf355..3375ad5 100644 --- a/src/tmpfiles.conf +++ b/src/tmpfiles.conf @@ -1 +1 @@ -D /var/run/pesign 0770 pesign pesign - +D /run/pesign 0770 pesign pesign - --- -2.26.2 - diff --git a/0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch b/0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch index 2b47880..b6c3998 100644 --- a/0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch +++ b/0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch @@ -1,4 +1,4 @@ -From 56eaa15e986d808c670381ca375216eb3abd1588 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Tue, 18 Feb 2020 16:37:53 -0500 Subject: [PATCH] Apparently opensc got updated and the token name changed @@ -13,7 +13,7 @@ Signed-off-by: Peter Jones 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/macros.pesign b/src/macros.pesign -index 7c5cba170e9..56f75cafbc4 100644 +index 21bf391..5a6da1c 100644 --- a/src/macros.pesign +++ b/src/macros.pesign @@ -9,7 +9,7 @@ @@ -25,6 +25,3 @@ index 7c5cba170e9..56f75cafbc4 100644 %__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}"} %_pesign /usr/bin/pesign --- -2.26.2 - diff --git a/0006-client-try-run-and-var-run-for-the-socket-path.patch b/0006-client-try-run-and-var-run-for-the-socket-path.patch index 337faab..f34bb57 100644 --- a/0006-client-try-run-and-var-run-for-the-socket-path.patch +++ b/0006-client-try-run-and-var-run-for-the-socket-path.patch @@ -1,7 +1,7 @@ -From c662ad097eaa0d8c3691a22254f5d0e9622b26b7 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 
From: Peter Jones Date: Mon, 6 Jul 2020 16:13:09 -0400 -Subject: [PATCH 6/7] client: try /run and /var/run for the socket path. +Subject: [PATCH] client: try /run and /var/run for the socket path. Signed-off-by: Peter Jones --- @@ -9,10 +9,10 @@ Signed-off-by: Peter Jones 1 file changed, 29 insertions(+), 11 deletions(-) diff --git a/src/client.c b/src/client.c -index 2119ef33bf8..a38383415d5 100644 +index a4f1d1d..0082be1 100644 --- a/src/client.c +++ b/src/client.c -@@ -49,24 +49,24 @@ print_flag_name(FILE *f, int flag) +@@ -61,24 +61,24 @@ print_flag_name(FILE *f, int flag) } static int @@ -45,7 +45,7 @@ index 2119ef33bf8..a38383415d5 100644 } socklen_t len = strlen(addr_un.sun_path) + -@@ -74,14 +74,32 @@ connect_to_server(void) +@@ -86,14 +86,32 @@ connect_to_server(void) rc = connect(sd, (struct sockaddr *)&addr_un, len); if (rc < 0) { @@ -81,6 +81,3 @@ index 2119ef33bf8..a38383415d5 100644 static int32_t check_response(int sd, char **srvmsg); --- -2.26.2 - diff --git a/0007-client-remove-an-extra-debug-print.patch b/0007-client-remove-an-extra-debug-print.patch index b094ea5..47082c4 100644 --- a/0007-client-remove-an-extra-debug-print.patch +++ b/0007-client-remove-an-extra-debug-print.patch @@ -1,7 +1,7 @@ -From ea81cec14d31cd0b0dbde5b42414bfae9daec9b8 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 14 Jul 2020 16:44:09 -0400 -Subject: [PATCH 07/11] client: remove an extra debug print +Subject: [PATCH] client: remove an extra debug print Signed-off-by: Peter Jones --- @@ -9,7 +9,7 @@ Signed-off-by: Peter Jones 1 file changed, 1 deletion(-) diff --git a/src/client.c b/src/client.c -index 0082be1f597..c9966295e5f 100644 +index 0082be1..c996629 100644 --- a/src/client.c +++ b/src/client.c @@ -536,7 +536,6 @@ oom: 
@@ -20,6 +20,3 @@ index 0082be1f597..c9966295e5f 100644 pm->version = PESIGND_VERSION; pm->command = attached ? (add_file_type ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE : CMD_SIGN_ATTACHED) --- -2.26.2 - diff --git a/0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch b/0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch index 3a62cf6..73c2800 100644 --- a/0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch +++ b/0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch @@ -1,4 +1,4 @@ -From 6c16b978fd33f3611e9f7aaf4f9c44bce1679485 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 6 Jul 2020 13:54:35 -0400 Subject: [PATCH] Move most of macros.pesign to pesign-rpmbuild-helper @@ -7,13 +7,13 @@ Signed-off-by: Peter Jones --- Make.defaults | 1 + src/Makefile | 8 +- - src/macros.pesign | 74 ++++-------- - src/pesign-rpmbuild-helper.in | 222 ++++++++++++++++++++++++++++++++++ + src/macros.pesign | 74 +++++--------- + src/pesign-rpmbuild-helper.in | 222 ++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 252 insertions(+), 53 deletions(-) create mode 100644 src/pesign-rpmbuild-helper.in diff --git a/Make.defaults b/Make.defaults -index 0bacafe0d01..d4cd626c11e 100644 +index 0bacafe..d4cd626 100644 --- a/Make.defaults +++ b/Make.defaults @@ -16,6 +16,7 @@ INSTALLROOT = $(DESTDIR) @@ -25,7 +25,7 @@ index 0bacafe0d01..d4cd626c11e 100644 PKG_CONFIG = $(CROSS_COMPILE)pkg-config CC := $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC)) diff --git a/src/Makefile b/src/Makefile -index 74327ba13f3..a7ca89159c6 100644 +index 74327ba..a7ca891 100644 --- a/src/Makefile +++ b/src/Makefile @@ -5,7 +5,7 @@ include $(TOPDIR)/Make.version @@ -58,7 +58,7 @@ index 74327ba13f3..a7ca89159c6 100644 $(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users $(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups 
diff --git a/src/macros.pesign b/src/macros.pesign -index 5a6da1c6809..2e984b4eeb3 100644 +index 5a6da1c..34af57c 100644 --- a/src/macros.pesign +++ b/src/macros.pesign @@ -6,7 +6,7 @@ @@ -148,7 +148,7 @@ index 5a6da1c6809..2e984b4eeb3 100644 +%{nil} diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in new file mode 100644 -index 00000000000..c5287c27e0c +index 0000000..c5287c2 --- /dev/null +++ b/src/pesign-rpmbuild-helper.in @@ -0,0 +1,222 @@ @@ -374,6 +374,3 @@ index 00000000000..c5287c27e0c +main "${@}" + +# vim:filetype=sh:fenc=utf-8:tw=78:sts=4:sw=4 --- -2.26.2 - diff --git a/0009-pesign-authorize-shellcheck.patch b/0009-pesign-authorize-shellcheck.patch index 3597f5f..6b674e7 100644 --- a/0009-pesign-authorize-shellcheck.patch +++ b/0009-pesign-authorize-shellcheck.patch @@ -1,7 +1,7 @@ -From 3107894285164a3d25ca215a76593ebb6d4bc84c Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 14 Jul 2020 15:07:32 -0400 -Subject: [PATCH 09/11] pesign-authorize: shellcheck +Subject: [PATCH] pesign-authorize: shellcheck Signed-off-by: Peter Jones --- @@ -9,7 +9,7 @@ Signed-off-by: Peter Jones 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/pesign-authorize b/src/pesign-authorize -index a496f601ab4..55cd5c4e55b 100755 +index a496f60..55cd5c4 100755 --- a/src/pesign-authorize +++ b/src/pesign-authorize @@ -12,21 +12,21 @@ set -u @@ -55,6 +55,3 @@ index a496f601ab4..55cd5c4e55b 100755 else :; fi --- -2.26.2 - diff --git a/0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch b/0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch index d4a7b31..92cbabb 100644 --- a/0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch +++ b/0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch @@ -1,7 +1,7 @@ -From 24bb6e1471b16b6be82f13b5b5a302b4e98c1b4d Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 
From: Peter Jones Date: Tue, 14 Jul 2020 15:08:15 -0400 -Subject: [PATCH 10/11] pesign-authorize: don't setfacl /etc/pki/pesign-foo/ +Subject: [PATCH] pesign-authorize: don't setfacl /etc/pki/pesign-foo/ Signed-off-by: Peter Jones --- @@ -9,7 +9,7 @@ Signed-off-by: Peter Jones 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pesign-authorize b/src/pesign-authorize -index 55cd5c4e55b..c5448329c2c 100755 +index 55cd5c4..c544832 100755 --- a/src/pesign-authorize +++ b/src/pesign-authorize @@ -47,7 +47,7 @@ update_subdir() { @@ -21,6 +21,3 @@ index 55cd5c4e55b..c5448329c2c 100755 if [ -d "${x}" ]; then update_subdir "${x}" else --- -2.26.2 - diff --git a/0011-kernel-building-hack.patch b/0011-kernel-building-hack.patch index 69ffc56..ff32b68 100644 --- a/0011-kernel-building-hack.patch +++ b/0011-kernel-building-hack.patch @@ -1,7 +1,7 @@ -From 0b9048cbcc1cfc2afd9cbf781732882736cbe965 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 14 Jul 2020 16:42:39 -0400 -Subject: [PATCH 11/11] kernel building hack +Subject: [PATCH] kernel building hack Signed-off-by: Peter Jones --- @@ -9,7 +9,7 @@ Signed-off-by: Peter Jones 1 file changed, 17 insertions(+) diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in -index c5287c27e0c..27b8261bc17 100644 +index c5287c2..27b8261 100644 --- a/src/pesign-rpmbuild-helper.in +++ b/src/pesign-rpmbuild-helper.in @@ -202,6 +202,23 @@ main() { @@ -36,6 +36,3 @@ index c5287c27e0c..27b8261bc17 100644 "${client}" "${client_token[@]}" "${client_cert[@]}" \ "${sattrout[@]}" "${certout[@]}" \ ${sign} "${input[@]}" "${output[@]}" --- -2.26.2 - diff --git a/0012-Use-run-not-var-run.patch b/0012-Use-run-not-var-run.patch index 1b4e0c6..5ca5daf 100644 --- a/0012-Use-run-not-var-run.patch +++ b/0012-Use-run-not-var-run.patch 
@@ -1,19 +1,32 @@ -From db4c6e8cc57271dce6d204a3144982e544e55025 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 16 Jul 2020 16:28:26 -0400 Subject: [PATCH] Use /run not /var/run Signed-off-by: Peter Jones --- - src/daemon.h | 4 ++-- src/Makefile | 2 +- + src/daemon.h | 4 ++-- src/pesign-authorize | 2 +- src/pesign.service.in | 2 +- src/pesign.sysvinit.in | 10 +++++----- 5 files changed, 10 insertions(+), 10 deletions(-) +diff --git a/src/Makefile b/src/Makefile +index a7ca891..f7fb5fc 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -78,7 +78,7 @@ install_sysvinit: pesign.sysvinit + install : + $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/ + $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/ +- $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/ ++ $(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/ + $(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir) + $(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir) + $(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir) diff --git a/src/daemon.h b/src/daemon.h -index 0368dc9256c..5fcd97ea717 100644 +index 0368dc9..5fcd97e 100644 --- a/src/daemon.h +++ b/src/daemon.h @@ -51,8 +51,8 @@ typedef enum { @@ -27,21 +40,8 @@ index 0368dc9256c..5fcd97ea717 100644 static inline uint32_t UNUSED pesignd_string_size(char *buffer) -diff --git a/src/Makefile b/src/Makefile -index a7ca89159c6..f7fb5fc9ee5 100644 ---- a/src/Makefile -+++ b/src/Makefile -@@ -78,7 +78,7 @@ install_sysvinit: pesign.sysvinit - install : - $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/ - $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/ -- $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/ -+ $(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/ - $(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir) - $(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir) - $(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir) 
diff --git a/src/pesign-authorize b/src/pesign-authorize -index c5448329c2c..2381302440c 100755 +index c544832..2381302 100755 --- a/src/pesign-authorize +++ b/src/pesign-authorize @@ -47,7 +47,7 @@ update_subdir() { @@ -54,7 +54,7 @@ index c5448329c2c..2381302440c 100755 update_subdir "${x}" else diff --git a/src/pesign.service.in b/src/pesign.service.in -index c75a000892a..4ac2199bce2 100644 +index c75a000..4ac2199 100644 --- a/src/pesign.service.in +++ b/src/pesign.service.in @@ -4,6 +4,6 @@ Description=Pesign signing daemon @@ -66,7 +66,7 @@ index c75a000892a..4ac2199bce2 100644 ExecStart=/usr/bin/pesign --daemonize ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in -index b0e0f84ff0b..bf8edec8ff3 100644 +index b0e0f84..bf8edec 100644 --- a/src/pesign.sysvinit.in +++ b/src/pesign.sysvinit.in @@ -4,7 +4,7 @@ @@ -100,6 +100,3 @@ index b0e0f84ff0b..bf8edec8ff3 100644 RETVAL=$? echo rm -f /var/lock/subsys/pesign --- -2.26.2 - diff --git a/0013-Turn-off-Wfree-nonheap-object.patch b/0013-Turn-off-Wfree-nonheap-object.patch new file mode 100644 index 0000000..f477704 --- /dev/null +++ b/0013-Turn-off-Wfree-nonheap-object.patch 
@@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jeff Law
+Date: Mon, 16 Nov 2020 12:07:59 -0700
+Subject: [PATCH] Turn off -Wfree-nonheap-object
+
+authvar.c has a call to free (tokenname) where tokenname is set to a string constant
+and never changed. That triggers GCC to issue a diagnostic that the value should not
+be passed to free.
+
+This is a false positive from GCC as the call is guarded by a suitable condition that
+always happens to be false. But pesign is being built without optimization and thus
+the condition and free call are not optimized away.
+
+This patch just disables the warning. A better solution would be to fix the sources
+or build with the optimizer enabled.
+---
+ Make.defaults | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Make.defaults b/Make.defaults
+index d4cd626..705cc3a 100644
+--- a/Make.defaults
++++ b/Make.defaults
+@@ -40,7 +40,7 @@ gcc_cflags = -Wmaybe-uninitialized -grecord-gcc-switches -flto
+ cflags = $(CFLAGS) $(ARCH3264) \
+ -Wall -Wextra -Wsign-compare -Wno-unused-result \
+ -Wno-unused-function -Wno-missing-field-initializers \
+- -Werror -Wno-error=cpp \
++ -Werror -Wno-error=cpp -Wno-free-nonheap-object \
+ -std=gnu11 -fshort-wchar -fPIC -fno-strict-aliasing \
+ -D_GNU_SOURCE -DCONFIG_$(ARCH) -I${TOPDIR}/include \
+ $(if $(filter $(CC),clang),$(clang_cflags), ) \
diff --git a/0014-Fix-bad-free-of-cms-data-DoS-only.patch b/0014-Fix-bad-free-of-cms-data-DoS-only.patch
new file mode 100644
index 0000000..1dc6c90
--- /dev/null
+++ b/0014-Fix-bad-free-of-cms-data-DoS-only.patch
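Review bot: Adding `-Wno-free-nonheap-object` to the shared `cflags` line silences the diagnostic for every translation unit, although the patch description ties the false positive to a single `free (tokenname)` call in authvar.c. This warning class reports frees of pointers that did not come from the allocator, which is the kind of defect patch 0014 in this same commit fixes in daemon.c; whether GCC would have flagged that particular call is not visible here. Keeping the warning visible but non-fatal, in the same way the line already treats `cpp`, would read `-Werror -Wno-error=cpp -Wno-error=free-nonheap-object \`. The alternative is to fix the authvar.c call, as the description itself suggests, and drop the suppression.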
@@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Thu, 3 Mar 2022 15:37:02 -0500
+Subject: [PATCH] Fix bad free of cms data (DoS only)
+
+handle_unlock_token() set the CMS data to an offset of an allocated
+buffer, rather than something allocated in its own right.
+cms_set_pw_data() would then attempt to free this value. Additionally,
+should pesignd not take SIGABRT at that point, handle_unlock_token()
+would then also free buffer.
+
+Signed-off-by: Robbie Harwood
+(cherry picked from commit 7b78af412dc0ca5db54c426a13550cf35caa9516)
+---
+ src/daemon.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/daemon.c b/src/daemon.c
+index 8522250..3ae3c8d 100644
+--- a/src/daemon.c
++++ b/src/daemon.c
+@@ -166,6 +166,7 @@ handle_unlock_token(context *ctx, struct pollfd *pollfd, socklen_t size)
+ struct msghdr msg;
+ struct iovec iov;
+ ssize_t n;
++ char *pin = NULL;
+
+ int rc = cms_context_alloc(&ctx->cms);
+ if (rc < 0) {
+@@ -233,7 +234,8 @@ malformed:
+ if (!ctx->cms->tokenname)
+ goto oom;
+
+- char *pin = (char *)tp->value;
++ if (!tp->value)
++ pin = strndup((char *)tp->value, tp->size);
+ if (!pin)
+ goto oom;
+
diff --git a/0015-daemon-remove-always-true-comparison.patch b/0015-daemon-remove-always-true-comparison.patch
new file mode 100644
index 0000000..2edf943
--- /dev/null
+++ b/0015-daemon-remove-always-true-comparison.patch
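Review bot: `strndup((char *)tp->value, tp->size)` takes its bound from a length field carried in the client's message, and nothing in the embedded hunk shows `tp->size` being checked against the number of bytes actually received. The `malformed:` label in the hunk header suggests some validation exists earlier in handle_unlock_token(), but its body starts and ends outside the hunk, so this should be confirmed. The new ownership rule also deserves a comment at the copy, for example `/* heap copy: cms_set_pw_data() takes ownership of pin and frees it; buffer is freed separately */`. Separately, 0014 on its own copies the pin only when `!tp->value` holds, so `pin` normally keeps its NULL initializer and the `goto oom` path is taken. 0015 in this same commit removes that guard, so the two patches must always be applied together.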
@@ -0,0 +1,25 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 8 Mar 2022 12:59:34 -0500 +Subject: [PATCH] daemon: remove always-true comparison + +Signed-off-by: Robbie Harwood +(cherry picked from commit 500ee15d26630066baaa48dea1dbfd614d8ea225) +--- + src/daemon.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/src/daemon.c b/src/daemon.c +index 3ae3c8d..1179cb3 100644 +--- a/src/daemon.c ++++ b/src/daemon.c +@@ -234,8 +234,7 @@ malformed: + if (!ctx->cms->tokenname) + goto oom; + +- if (!tp->value) +- pin = strndup((char *)tp->value, tp->size); ++ pin = strndup((char *)tp->value, tp->size); + if (!pin) + goto oom; + diff --git a/pesign.spec b/pesign.spec index c1a004f..467b5fe 100644 --- a/pesign.spec +++ b/pesign.spec @@ -3,7 +3,7 @@ Name: pesign Summary: Signing utility for UEFI binaries Version: 113 -Release: 17%{?dist} +Release: 18%{?dist} License: GPLv2 URL: https://github.com/vathpela/pesign @@ -56,6 +56,8 @@ Patch0010: 0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch Patch0011: 0011-kernel-building-hack.patch Patch0012: 0012-Use-run-not-var-run.patch Patch0013: 0013-Turn-off-free-nonheap-object.patch +Patch0014: 0014-Fix-bad-free-of-cms-data-DoS-only.patch +Patch0015: 0015-daemon-remove-always-true-comparison.patch %description This package contains the pesign utility for signing UEFI binaries as @@ -168,6 +170,9 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null %{python3_sitelib}/mockbuild/plugins/pesign.* %changelog +* Tue Mar 08 2022 Robbie Harwood - 113-18 +- Backport DoS fix from 115 + * Fri Jul 23 2021 Fedora Release Engineering - 113-17 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
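Review bot: The unchanged context line `Patch0013: 0013-Turn-off-free-nonheap-object.patch` in the patch-list hunk does not match the file this commit creates, `0013-Turn-off-Wfree-nonheap-object.patch`. If the older file is still in the repository, the build keeps applying it and the new file is an unreferenced duplicate; if it is gone, the source will not be found. Either way, point the spec at the regenerated file with `Patch0013: 0013-Turn-off-Wfree-nonheap-object.patch` and remove the stale one. Otherwise the flag change applied to a package that signs UEFI binaries may not be the one reviewed here.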