diff --git a/0026-CryptoPkg-BaseCryptLib-fix-NULL-dereference-CVE-2019.patch b/0026-CryptoPkg-BaseCryptLib-fix-NULL-dereference-CVE-2019.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0cd0b124f5103e97449cbcf32810771bbe290691
--- /dev/null
+++ b/0026-CryptoPkg-BaseCryptLib-fix-NULL-dereference-CVE-2019.patch
@@ -0,0 +1,61 @@
+From 26442d11e620a9e81c019a24a4ff38441c64ba10 Mon Sep 17 00:00:00 2001
+From: Jian J Wang
+Date: Thu, 25 Apr 2019 23:42:16 +0800
+Subject: [PATCH] CryptoPkg/BaseCryptLib: fix NULL dereference (CVE-2019-14584)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1914
+
+AuthenticodeVerify() calls OpenSSLs d2i_PKCS7() API to parse asn encoded
+signed authenticode pkcs#7 data. when this successfully returns, a type
+check is done by calling PKCS7_type_is_signed() and then
+Pkcs7->d.sign->contents->type is used. It is possible to construct an asn1
+blob that successfully decodes and have d2i_PKCS7() return a valid pointer
+and have PKCS7_type_is_signed() also return success but have Pkcs7->d.sign
+be a NULL pointer.
+
+Looking at how PKCS7_verify() [inside of OpenSSL] implements checking for
+pkcs7 structs it does the following:
+- call PKCS7_type_is_signed()
+- call PKCS7_get_detached()
+Looking into how PKCS7_get_detatched() is implemented, it checks to see if
+p7->d.sign is NULL or if p7->d.sign->contents->d.ptr is NULL.
+
+As such, the fix is to do the same as OpenSSL after calling d2i_PKCS7().
+- Add call to PKS7_get_detached() to existing error handling
+
+Cc: Xiaoyu Lu
+Cc: Guomin Jiang
+Cc: Jiewen Yao
+Cc: Laszlo Ersek
+Signed-off-by: Jian J Wang
+Reviewed-by: Laszlo Ersek
+Reviewed-by: Jiewen Yao
+---
+ CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
+index 2772b1e2be..3c2d14a88b 100644
+--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
++++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
+@@ -9,7 +9,7 @@
+ AuthenticodeVerify() will get PE/COFF Authenticode and will do basic check for
+ data structure.
+
+-Copyright (c) 2011 - 2015, Intel Corporation. All rights reserved.
++Copyright (c) 2011 - 2020, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ **/
+@@ -100,7 +100,7 @@ AuthenticodeVerify (
+ //
+ // Check if it's PKCS#7 Signed Data (for Authenticode Scenario)
+ //
+- if (!PKCS7_type_is_signed (Pkcs7)) {
++ if (!PKCS7_type_is_signed (Pkcs7) || PKCS7_get_detached (Pkcs7)) {
+ goto _Exit;
+ }
+
+--
+2.27.0
+
diff --git a/edk2.spec b/edk2.spec
index 118573dd4402d441269dc166a80ab0af2f671777..62286f5c9e4d62603858e58307a1a10029ed285f 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -5,7 +5,7 @@
 Name: edk2
 Version: %{stable_date}
-Release: 8
+Release: 9
 Summary: EFI Development Kit II
 License: BSD-2-Clause-Patent
 URL: https://github.com/tianocore/edk2
@@ -39,6 +39,7 @@ Patch0024: 0022-SecurityPkg-Introduce-new-PCD-PcdRandomizePlatformHi.patch
 Patch0025: 0023-SecurityPkg-Tcg-Import-Tcg2PlatformPei-from-edk2-pla.patch
 Patch0026: 0024-SecurityPkg-Tcg-Make-Tcg2PlatformPei-buildable-and-f.patch
 Patch0027: 0025-SecurityPkg-Add-references-to-header-and-inf-files-t.patch
+Patch0028: 0026-CryptoPkg-BaseCryptLib-fix-NULL-dereference-CVE-2019.patch
 BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python2
@@ -234,6 +235,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif
 %changelog
+* Thu Sep 29 2022 chenhuiying - 202002-9
+* fix CVE-2019-14584
+
 * Fri Jan 28 2022 Jinhua Cao - 202002-8
 - fix CVE-2021-38576
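Review bot: In the `@@ -100,7 +100,7 @@ AuthenticodeVerify (` hunk the added `|| PKCS7_get_detached (Pkcs7)` term reads as a plain rejection of detached signatures, but its job here is the NULL-`d.sign` guard the commit message describes, and the comment above the `if` still says only "Check if it's PKCS#7 Signed Data", so nothing in the code warns a later maintainer that dropping the term reopens CVE-2019-14584. I would extend that comment: `// PKCS7_get_detached() also returns true when Pkcs7->d.sign is NULL (CVE-2019-14584), which the code below dereferences; Authenticode carries its content inline, so a detached signature is rejected as well.` That the macro covers the NULL case is an observation about OpenSSL's PKCS7_ctrl() implementation quoted in the commit message rather than a documented contract of the API, which is another reason to record it at the call site. Minor: the message spells the macro `PKCS7_get_detatched()` and `PKS7_get_detached()`; the OpenSSL name is `PKCS7_get_detached()`. The rest of AuthenticodeVerify(), including the dereference being guarded, lies outside this hunk.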
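Review bot: The second added `%changelog` line is `* fix CVE-2019-14584`; rpmbuild treats every changelog line that begins with `*` as the start of a new entry and tries to parse a date from it, so as shown this line would make the build fail with a bad-date error rather than appear as a bullet. It should be `- fix CVE-2019-14584`, matching the `- fix CVE-2021-38576` line of the previous entry. If the `*` is an artifact of how this diff was captured, disregard.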