
Bug 833635 (CVE-2022-23645)

Summary: <app-crypt/swtpm-0.7.1: Unchecked header size indicator against expected size
Product: Gentoo Security Reporter: Christopher Byrne <salah.coronya>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: proxy-maint, salah.coronya, virtualization
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/gentoo/gentoo/pull/24265
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Christopher Byrne 2022-02-18 23:38:33 UTC
From https://github.com/stefanberger/swtpm/commit/9f740868fc36761de27df3935513bdebf8852d19:

This fix addresses Coverity issue CID 375869.

Check the header size indicated in the header of the state against the
expected size and return an error code in case the header size indicator
is different. There was only one header size so far since blobheader was
introduced, so we don't need to deal with different sizes.

Without this fix a specially crafted header could have caused out-of-bounds
accesses on the byte array containing the swtpm's state.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Changelog:

version 0.7.1:

    swtpm:
        Check header size indicator against expected size (CVE-2022-23645)
    swtpm_localca:
        Test for available issuercert before creating CA
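
Added example, not part of the bug report and not swtpm's own code: a C sketch of the check the commit message above describes, where the header size indicator must equal the one expected size before it is used as an offset into the state byte array. The header layout, field order, big-endian encoding, `totlen` check, error codes and sample blobs are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical header layout for this example (big-endian fields):
 * version(1) min_version(1) hdrsize(2) flags(2) totlen(4) = 10 bytes. */
#define HDR_SIZE 10u
enum { BLOB_OK = 0, BLOB_ERR_SHORT = -1, BLOB_ERR_HDRSIZE = -2, BLOB_ERR_TOTLEN = -3 };

static uint16_t rd_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Locate the payload that follows the header; never points outside blob[0..len). */
int blob_get_payload(const uint8_t *blob, size_t len,
                     const uint8_t **payload, size_t *payload_len)
{
    if (len < HDR_SIZE)                 /* fixed header must be fully present */
        return BLOB_ERR_SHORT;
    uint16_t hdrsize = rd_be16(blob + 2);
    /* Only one header size exists, so any other value is an error and is
     * never used as an offset into the byte array. */
    if (hdrsize != HDR_SIZE)
        return BLOB_ERR_HDRSIZE;
    if (rd_be32(blob + 6) != len)       /* assumed: totlen covers header + payload */
        return BLOB_ERR_TOTLEN;
    *payload = blob + hdrsize;
    *payload_len = len - hdrsize;
    return BLOB_OK;
}

/* Constructed sample blobs: a valid one, and two with a forged hdrsize. */
static const uint8_t blob_good[]  = {2, 1, 0x00, 0x0a, 0, 0, 0, 0, 0, 14, 'T', 'P', 'M', '!'};
static const uint8_t blob_huge[]  = {2, 1, 0xff, 0xf0, 0, 0, 0, 0, 0, 14, 'T', 'P', 'M', '!'};
static const uint8_t blob_small[] = {2, 1, 0x00, 0x04, 0, 0, 0, 0, 0, 14, 'T', 'P', 'M', '!'};

int main(void)
{
    const uint8_t *p = NULL; size_t n = 0;
    printf("good:  %d\n", blob_get_payload(blob_good, sizeof blob_good, &p, &n));
    printf("huge:  %d\n", blob_get_payload(blob_huge, sizeof blob_huge, &p, &n));
    printf("small: %d\n", blob_get_payload(blob_small, sizeof blob_small, &p, &n));
    return 0;
}
```

An exact-match comparison rejects both the oversized indicator, which would place the payload pointer past the end of the array, and the undersized one, which would make the payload overlap the header.
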
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-19 02:39:04 UTC
Thanks for reporting!
Comment 2 Larry the Git Cow gentoo-dev 2022-02-19 05:17:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d2054e6abb31b24bbbeb272cd36337f50b10130e

commit d2054e6abb31b24bbbeb272cd36337f50b10130e
Author:     Christopher Byrne <salah.coronya@gmail.com>
AuthorDate: 2022-02-19 02:48:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-19 05:12:52 +0000

    app-crypt/swtpm: Remove old vulnerable versions
    
    Bug: https://bugs.gentoo.org/833635
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Christopher Byrne <salah.coronya@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/24265
    Signed-off-by: Sam James <sam@gentoo.org>

 app-crypt/swtpm/Manifest           |  2 --
 app-crypt/swtpm/swtpm-0.6.1.ebuild | 70 --------------------------------------
 app-crypt/swtpm/swtpm-0.7.0.ebuild | 70 --------------------------------------
 3 files changed, 142 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5605c2f8a4c2150f0f7caa679fc615c5f9731a5a

commit 5605c2f8a4c2150f0f7caa679fc615c5f9731a5a
Author:     Christopher Byrne <salah.coronya@gmail.com>
AuthorDate: 2022-02-19 02:47:11 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-19 05:12:51 +0000

    app-crypt/swtpm: Bump to fix CVE-2022-23645
    
    Bug: https://bugs.gentoo.org/833635
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Christopher Byrne <salah.coronya@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 app-crypt/swtpm/Manifest           |  1 +
 app-crypt/swtpm/swtpm-0.7.1.ebuild | 70 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+)