Bug 833635 (CVE-2022-23645) - <app-crypt/swtpm-0.7.1: Unchecked header size indicator against expected size
Status: RESOLVED FIXED
Alias: CVE-2022-23645
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa]
Keywords: PullRequest
Reported: 2022-02-18 23:38 UTC by Christopher Byrne
Modified: 2022-02-19 05:20 UTC

Description Christopher Byrne 2022-02-18 23:38:33 UTC
From https://github.com/stefanberger/swtpm/commit/9f740868fc36761de27df3935513bdebf8852d19:

This fix addresses Coverity issue CID 375869.

Check the header size indicated in the header of the state against the
expected size and return an error code in case the header size indicator
is different. There was only one header size so far since blobheader was
introduced, so we don't need to deal with different sizes.

Without this fix a specially crafted header could have caused out-of-bounds
accesses on the byte array containing the swtpm's state.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Changelog:

version 0.7.1:

    swtpm:
        Check header size indicator against expected size (CVE-2022-23645)
    swtpm_localca:
        Test for available issuercert before creating CA
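
The header-size check described in the commit message above, as an added C example that is not part of the original bug report and is not swtpm's code. The header layout, field names, return codes and sample blobs are hypothetical, and the total-length comparison is an extra sanity check of this example.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical state-blob header for illustration; not swtpm's actual layout. */
typedef struct {
    uint8_t  version;
    uint8_t  min_version;
    uint16_t hdrsize;  /* big-endian size of this header */
    uint32_t totlen;   /* big-endian size of header plus payload */
} __attribute__((packed)) blob_header;

enum { BLOB_OK = 0, BLOB_TOO_SHORT = -1, BLOB_BAD_HDRSIZE = -2, BLOB_BAD_TOTLEN = -3 };

/* Validate the header, then report where the payload starts and how long it is. */
int blob_parse(const uint8_t *buf, size_t buflen,
               const uint8_t **payload, size_t *payload_len)
{
    blob_header hdr;

    if (buflen < sizeof(hdr))
        return BLOB_TOO_SHORT;
    memcpy(&hdr, buf, sizeof(hdr));  /* copy out to avoid unaligned reads */

    /* Only one header size has ever existed, so any other value is an error.
     * Without this comparison the untrusted hdrsize would be used as an offset. */
    if (ntohs(hdr.hdrsize) != sizeof(hdr))
        return BLOB_BAD_HDRSIZE;
    /* Extra check in this example: the declared total must match the buffer. */
    if (ntohl(hdr.totlen) != buflen)
        return BLOB_BAD_TOTLEN;

    *payload = buf + ntohs(hdr.hdrsize);
    *payload_len = buflen - ntohs(hdr.hdrsize);
    return BLOB_OK;
}

/* Constructed sample: 8-byte header (hdrsize 0x0008) plus 4 payload bytes. */
static const uint8_t good_blob[12] = {2, 1, 0x00, 0x08, 0, 0, 0, 12, 'd', 'a', 't', 'a'};
/* Constructed sample: hdrsize claims 0x4000, far past the 12-byte buffer. */
static const uint8_t bad_blob[12]  = {2, 1, 0x40, 0x00, 0, 0, 0, 12, 'd', 'a', 't', 'a'};

int main(void)
{
    const uint8_t *p; size_t n;
    printf("good: %d\n", blob_parse(good_blob, sizeof(good_blob), &p, &n));
    printf("bad:  %d\n", blob_parse(bad_blob, sizeof(bad_blob), &p, &n));
    return 0;
}
```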
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-19 02:39:04 UTC
Thanks for reporting!
Comment 2 Larry the Git Cow gentoo-dev 2022-02-19 05:17:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d2054e6abb31b24bbbeb272cd36337f50b10130e

commit d2054e6abb31b24bbbeb272cd36337f50b10130e
Author:     Christopher Byrne <salah.coronya@gmail.com>
AuthorDate: 2022-02-19 02:48:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-19 05:12:52 +0000

    app-crypt/swtpm: Remove old vulnerable versions
    
    Bug: https://bugs.gentoo.org/833635
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Christopher Byrne <salah.coronya@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/24265
    Signed-off-by: Sam James <sam@gentoo.org>

 app-crypt/swtpm/Manifest           |  2 --
 app-crypt/swtpm/swtpm-0.6.1.ebuild | 70 --------------------------------------
 app-crypt/swtpm/swtpm-0.7.0.ebuild | 70 --------------------------------------
 3 files changed, 142 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5605c2f8a4c2150f0f7caa679fc615c5f9731a5a

commit 5605c2f8a4c2150f0f7caa679fc615c5f9731a5a
Author:     Christopher Byrne <salah.coronya@gmail.com>
AuthorDate: 2022-02-19 02:47:11 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-19 05:12:51 +0000

    app-crypt/swtpm: Bump to fix CVE-2022-23645
    
    Bug: https://bugs.gentoo.org/833635
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Christopher Byrne <salah.coronya@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 app-crypt/swtpm/Manifest           |  1 +
 app-crypt/swtpm/swtpm-0.7.1.ebuild | 70 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+)