diff --git a/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch b/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c80e6064ace2bafe49c495e08d872f24c21e6e15
--- /dev/null
+++ b/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch
@@ -0,0 +1,58 @@
+From 6ae8e947d8e3f3f03eeb7d9ad993e341791900bc Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni
+Date: Fri, 20 Dec 2024 04:25:15 +1100
+Subject: [PATCH] With SSL_VERIFY_PEER client RPK should abort on X509 error
+
+While RPK performs X.509 checks correctly, at the SSL layer the
+SSL_VERIFY_PEER flag was not honoured and connections were allowed to
+complete even when the server was not verified. The client can of
+course determine this by calling SSL_get_verify_result(), but some
+may not know to do this.
+
+Added tests to make sure this does not regress.
+
+Fixes CVE-2024-12797
+
+Reviewed-by: Tomas Mraz
+Reviewed-by: Matt Caswell
+Reviewed-by: Neil Horman
+---
+ ssl/statem/statem_clnt.c | 15 +++++++++++--
+ 1 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/statem_clnt.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/statem_clnt.c
+index 436b397346..8716ed669f 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/statem_clnt.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/statem_clnt.c
+@@ -1910,6 +1910,7 @@ static WORK_STATE tls_post_process_server_rpk(SSL_CONNECTION *sc,
+ {
+ size_t certidx;
+ const SSL_CERT_LOOKUP *clu;
++ int v_ok;
+
+ if (sc->session->peer_rpk == NULL) {
+ SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER,
+@@ -1919,9 +1920,19 @@ static WORK_STATE tls_post_process_server_rpk(SSL_CONNECTION *sc,
+
+ if (sc->rwstate == SSL_RETRY_VERIFY)
+ sc->rwstate = SSL_NOTHING;
+- if (ssl_verify_rpk(sc, sc->session->peer_rpk) > 0
+- && sc->rwstate == SSL_RETRY_VERIFY)
++
++ ERR_set_mark();
++ v_ok = ssl_verify_rpk(sc, sc->session->peer_rpk);
++ if (v_ok <= 0 && sc->verify_mode != SSL_VERIFY_NONE) {
++ ERR_clear_last_mark();
++ SSLfatal(sc, ssl_x509err2alert(sc->verify_result),
++ SSL_R_CERTIFICATE_VERIFY_FAILED);
++ return WORK_ERROR;
++ }
++ ERR_pop_to_mark(); /* but we keep s->verify_result */
++ if (v_ok > 0 && sc->rwstate == SSL_RETRY_VERIFY) {
+ return WORK_MORE_A;
++ }
+
+ if ((clu = ssl_cert_lookup_by_pkey(sc->session->peer_rpk, &certidx,
+ SSL_CONNECTION_GET_CTX(sc))) == NULL) {
+--
+2.43.0
diff --git a/edk2.spec b/edk2.spec
index 0fa6b76bfe1231b35640469cba3f89ef56c81e91..e062ed4afbcc80cfa7dbe2910c345644a89ac08f 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -7,7 +7,7 @@
 Name: edk2
 Version: %{stable_date}
-Release: 18
+Release: 19
 Summary: EFI Development Kit II
 License: BSD-2-Clause-Patent and OpenSSL and MIT
 URL: https://github.com/tianocore/edk2
@@ -135,6 +135,9 @@ patch83: 0083-Fix-timing-side-channel-CVE-2024-13176.patch
 patch84: 0084-Free-the-read-buffers-CVE-2024-4741.patch
 patch85: 0085-Process-key-length-CVE-2023-5363.patch
+# Fix CVE-2024-12797
+patch86: 0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch
+
 BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command isl
 %description
@@ -404,6 +407,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif
 %changelog
+* Thu Mar 06 2025 zhihang - 202308-19
+- fix CVE-2024-12797
+
 * Sun Feb 23 2025 huyu - 202308-18
 - fix CVE-2024-13176、CVE-2024-4741、CVE-2023-5363
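Review bot: The embedded patch description still says "Added tests to make sure this does not regress", but its diffstat lists only ssl/statem/statem_clnt.c (1 file changed, 13 insertions, 2 deletions), so the upstream test changes were dropped in this backport without saying so; a line in the patch preamble such as `[backport note: upstream test changes omitted, only the statem_clnt.c fix is carried]` would let the next packager tell that this was deliberate rather than a truncated patch. The retained comment `/* but we keep s->verify_result */` names `s` while the connection variable throughout the hunk is `sc`; `/* but we keep sc->verify_result */` reads correctly. That non-fatal branch is also the one worth a sentence of its own: when `sc->verify_mode` is SSL_VERIFY_NONE a failed ssl_verify_rpk() still lets the handshake continue with only `sc->verify_result` recording the failure, so a comment on the `ERR_pop_to_mark()` line stating that SSL_VERIFY_NONE callers must still consult SSL_get_verify_result() documents the contract the description alludes to. tls_post_process_server_rpk() continues past the end of the hunk.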