--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package edk2/0~20181115.85588389-3+deb10u2
- From: dann frazier <dannf@dannf.org>
- Date: Tue, 15 Dec 2020 14:53:09 -0700
- Message-id: <160806918965.1212579.3978191154738087210.reportbug@xps13.dannf>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
Address CVE-2019-14584 (#977300), for which the security team has declined to
release a DSA.
[ Impact ]
Possible firmware crash while validating signed payloads.
[ Tests ]
Regression tested by booting a Secure Boot guest.
[ Risks ]
It's a one-liner fix - if it introduced a regression, it could break
certain secure boot guests.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
A clean cherry-pick from upstream to fix a potential NULL pointer
dreference.
[ Other info ]
N/A
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.9.0-1-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru edk2-0~20181115.85588389/debian/changelog edk2-0~20181115.85588389/debian/changelog
--- edk2-0~20181115.85588389/debian/changelog 2020-09-17 13:45:52.000000000 -0600
+++ edk2-0~20181115.85588389/debian/changelog 2020-12-15 12:30:28.000000000 -0700
@@ -1,3 +1,11 @@
+edk2 (0~20181115.85588389-3+deb10u3) buster; urgency=medium
+
+ * CryptoPkg/BaseCryptLib: fix NULL dereference. (CVE-2019-14584)
+ (Closes: #977300)
+ - d/p/CryptoPkg-BaseCryptLib-fix-NULL-dereference-CVE-2019.patch
+
+ -- dann frazier <dannf@debian.org> Tue, 15 Dec 2020 12:30:28 -0700
+
edk2 (0~20181115.85588389-3+deb10u2) buster; urgency=medium
* Fix integer overflow in DxeImageVerificationHandler. (CVE-2019-14562)
diff -Nru edk2-0~20181115.85588389/debian/patches/CryptoPkg-BaseCryptLib-fix-NULL-dereference-CVE-2019.patch edk2-0~20181115.85588389/debian/patches/CryptoPkg-BaseCryptLib-fix-NULL-dereference-CVE-2019.patch
--- edk2-0~20181115.85588389/debian/patches/CryptoPkg-BaseCryptLib-fix-NULL-dereference-CVE-2019.patch 1969-12-31 17:00:00.000000000 -0700
+++ edk2-0~20181115.85588389/debian/patches/CryptoPkg-BaseCryptLib-fix-NULL-dereference-CVE-2019.patch 2020-12-15 12:30:28.000000000 -0700
@@ -0,0 +1,51 @@
+From 26442d11e620a9e81c019a24a4ff38441c64ba10 Mon Sep 17 00:00:00 2001
+From: Jian J Wang <jian.j.wang@intel.com>
+Date: Thu, 25 Apr 2019 23:42:16 +0800
+Subject: [PATCH] CryptoPkg/BaseCryptLib: fix NULL dereference (CVE-2019-14584)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1914
+
+AuthenticodeVerify() calls OpenSSLs d2i_PKCS7() API to parse asn encoded
+signed authenticode pkcs#7 data. when this successfully returns, a type
+check is done by calling PKCS7_type_is_signed() and then
+Pkcs7->d.sign->contents->type is used. It is possible to construct an asn1
+blob that successfully decodes and have d2i_PKCS7() return a valid pointer
+and have PKCS7_type_is_signed() also return success but have Pkcs7->d.sign
+be a NULL pointer.
+
+Looking at how PKCS7_verify() [inside of OpenSSL] implements checking for
+pkcs7 structs it does the following:
+- call PKCS7_type_is_signed()
+- call PKCS7_get_detached()
+Looking into how PKCS7_get_detatched() is implemented, it checks to see if
+p7->d.sign is NULL or if p7->d.sign->contents->d.ptr is NULL.
+
+As such, the fix is to do the same as OpenSSL after calling d2i_PKCS7().
+- Add call to PKS7_get_detached() to existing error handling
+
+Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
+Cc: Guomin Jiang <guomin.jiang@intel.com>
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
+
+Origin: upstream, https://github.com/tianocore/edk2/commit/26442d11e620a9e81c019a24a4ff38441c64ba10
+Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=1914
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977300
+Last-Update: 2020-12-15
+
+Index: edk2/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
+===================================================================
+--- edk2.orig/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
++++ edk2/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
+@@ -106,7 +106,7 @@ AuthenticodeVerify (
+ //
+ // Check if it's PKCS#7 Signed Data (for Authenticode Scenario)
+ //
+- if (!PKCS7_type_is_signed (Pkcs7)) {
++ if (!PKCS7_type_is_signed (Pkcs7) || PKCS7_get_detached (Pkcs7)) {
+ goto _Exit;
+ }
+
diff -Nru edk2-0~20181115.85588389/debian/patches/series edk2-0~20181115.85588389/debian/patches/series
--- edk2-0~20181115.85588389/debian/patches/series 2020-09-17 13:45:52.000000000 -0600
+++ edk2-0~20181115.85588389/debian/patches/series 2020-12-15 12:30:28.000000000 -0700
@@ -27,3 +27,4 @@
0001-SecurityPkg-DxeImageVerificationLib-extract-SecDataD.patch
0002-SecurityPkg-DxeImageVerificationLib-assign-WinCertif.patch
0003-SecurityPkg-DxeImageVerificationLib-catch-alignment-.patch
+CryptoPkg-BaseCryptLib-fix-NULL-dereference-CVE-2019.patch
--- End Message ---