From 859de7f2e4f98dee2aab1ef0f32d9cba4f2d9a12 Mon Sep 17 00:00:00 2001 From: Linux_zhang Date: Wed, 25 Jun 2025 13:49:24 +0800 Subject: [PATCH] fix CVE-2024-0727 --- backport-CVE-2024-0727.patch | 128 +++++++++++++++++++++++++++++++++++ shim.spec | 6 +- 2 files changed, 133 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2024-0727.patch diff --git a/backport-CVE-2024-0727.patch b/backport-CVE-2024-0727.patch new file mode 100644 index 0000000..d353736 --- /dev/null +++ b/backport-CVE-2024-0727.patch @@ -0,0 +1,128 @@ +From 041962b429ebe748c8b6b7922980dfb6decfef26 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 19 Jan 2024 11:28:58 +0000 +Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL + +PKCS12 structures contain PKCS7 ContentInfo fields. These fields are +optional and can be NULL even if the "type" is a valid value. OpenSSL +was not properly accounting for this and a NULL dereference can occur +causing a crash. + +CVE-2024-0727 + +Reference:https://gitee.com/openeuler/openssl/commit/09015a582baa980dc04f635504b16fe95dc3790b +Conflict:crypto/pkcs12/p12_add.c,test/recipes/80-test_pkcs12.t,data/bad1.p12,data/bad2.p12,data/bad3.p12 + +Reviewed-by: Tomas Mraz +Reviewed-by: Hugo Landau +Reviewed-by: Neil Horman +(Merged from https://github.com/openssl/openssl/pull/23361) + +--- + Cryptlib/OpenSSL/crypto/pkcs12/p12_add.c | 18 ++++++++++++++++++ + Cryptlib/OpenSSL/crypto/pkcs12/p12_mutl.c | 5 +++++ + Cryptlib/OpenSSL/crypto/pkcs12/p12_npas.c | 5 +++-- + Cryptlib/OpenSSL/crypto/pkcs7/pk7_mime.c | 10 +++++++--- + 4 files changed, 33 insertions(+), 5 deletions(-) + +diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_add.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_add.c +index d9f03a3..052e9f1 100644 +--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_add.c ++++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_add.c +@@ -171,6 +171,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7) + PKCS12_R_CONTENT_TYPE_NOT_DATA); + return NULL; + } ++ ++ if (p7->d.data == NULL) { ++ PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, PKCS12_R_DECODE_ERROR); ++ return NULL; ++ } ++ + return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS)); + } + +@@ -226,6 +232,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, + { + if (!PKCS7_type_is_encrypted(p7)) + return NULL; ++ ++ if (p7->d.encrypted == NULL) { ++ PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, PKCS12_R_DECODE_ERROR); ++ return NULL; ++ } ++ + return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm, + ASN1_ITEM_rptr(PKCS12_SAFEBAGS), + pass, passlen, +@@ -253,6 +265,12 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(PKCS12 *p12) + PKCS12_R_CONTENT_TYPE_NOT_DATA); + return NULL; + } ++ ++ if (p12->authsafes->d.data == NULL) { ++ PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES, PKCS12_R_DECODE_ERROR); ++ return NULL; ++ } ++ + return ASN1_item_unpack(p12->authsafes->d.data, + ASN1_ITEM_rptr(PKCS12_AUTHSAFES)); + } +diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_mutl.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_mutl.c +index cbf34da..bda3c28 100644 +--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_mutl.c ++++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_mutl.c +@@ -80,6 +80,11 @@ int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen, + return 0; + } + ++ if (p12->authsafes->d.data == NULL) { ++ PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_DECODE_ERROR); ++ return 0; ++ } ++ + salt = p12->mac->salt->data; + saltlen = p12->mac->salt->length; + if (!p12->mac->iter) +diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_npas.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_npas.c +index 9e8ebb2..19a855b 100644 +--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_npas.c ++++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_npas.c +@@ -126,8 +126,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass) + bags = PKCS12_unpack_p7data(p7); + } else if (bagnid == NID_pkcs7_encrypted) { + bags = PKCS12_unpack_p7encdata(p7, oldpass, -1); +- if (!alg_get(p7->d.encrypted->enc_data->algorithm, +- &pbe_nid, &pbe_iter, &pbe_saltlen)) ++ if (p7->d.encrypted == NULL ++ || !alg_get(p7->d.encrypted->enc_data->algorithm, ++ &pbe_nid, &pbe_iter, &pbe_saltlen)) + goto err; + } else { + continue; +diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_mime.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_mime.c +index 62fb299..5cf7a87 100644 +--- a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_mime.c ++++ b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_mime.c +@@ -78,11 +78,15 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) + { + STACK_OF(X509_ALGOR) *mdalgs; + int ctype_nid = OBJ_obj2nid(p7->type); +- if (ctype_nid == NID_pkcs7_signed) ++ ++ if (ctype_nid == NID_pkcs7_signed) { ++ if (p7->d.sign == NULL) ++ return 0; + mdalgs = p7->d.sign->md_algs; +- else ++ } else { + mdalgs = NULL; +- ++ } ++ + flags ^= SMIME_OLDMIME; + + return SMIME_write_ASN1(bio, (ASN1_VALUE *)p7, data, flags, +-- +2.43.0 + diff --git a/shim.spec b/shim.spec index e585ae3..abf0f3f 100644 --- a/shim.spec +++ b/shim.spec @@ -22,7 +22,7 @@ Name: shim Version: 15 -Release: 36 +Release: 37 Summary: First-stage UEFI bootloader ExclusiveArch: x86_64 aarch64 License: BSD @@ -62,6 +62,7 @@ Patch27: backport-CVE-2023-3446.patch Patch28: backport-CVE-2023-0465.patch Patch29: backport-CVE-2023-2650.patch Patch30: backport-Fix-the-issue-that-the-gBS-LoadImage-pointer-was-emp.patch +Patch31: backport-CVE-2024-0727.patch # Feature Patch9000: Feature-add-tpcm-support-with-ipmi-channel.patch @@ -166,6 +167,9 @@ cd .. /usr/src/debug/%{name}-%{version}-%{release}/* %changelog +* Wed Jun 25 2025 Linux_zhang - 15-37 +- fix CVE-2024-0727 + * Tue Feb 11 2025 fuanan - 15-36 - fix the issue that the gBS->LoadImage pointer was empty. -- Gitee