diff --git a/debian/changelog b/debian/changelog index 3726512..8c80e6b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +s390-tools (2.16.0-0ubuntu1.1) hirsute; urgency=medium + + * debian/patches/0001-genprotimg-check-return-value-of-BIO_reset.patch + Fix of genprotimg allowing the tool to verify the validity + of IBM Secure Execution host key documents. + (LP: #1942908) + + -- Frank Heimes Mon, 20 Sep 2021 14:01:06 +0200 + s390-tools (2.16.0-0ubuntu1) hirsute; urgency=medium * New upstream release. LP: #1914574 diff --git a/debian/patches/0001-genprotimg-check-return-value-of-BIO_reset.patch b/debian/patches/0001-genprotimg-check-return-value-of-BIO_reset.patch new file mode 100644 index 0000000..d790b5f --- /dev/null +++ b/debian/patches/0001-genprotimg-check-return-value-of-BIO_reset.patch @@ -0,0 +1,72 @@ +genprotimg: check return value of BIO_reset + +Add missing return value checks for BIO_reset. Unfortunately, the OpenSSL +documentation says: + +"BIO_reset() normally returns 1 for success and 0 or -1 for failure. File BIOs +are an exception, they return 0 for success and -1 for failure." + +Github-ID: https://github.com/ibm-s390-linux/s390-tools/issues/112 +Reviewed-by: Patrick Steuer +Signed-off-by: Marc Hartmayer +Signed-off-by: Jan Höppner + +Author: Marc Hartmayer +Origin: upstream, https://github.com/ibm-s390-linux/s390-tools/commit/d90344a2d5ca3a0caacf7d0c12f981be86862d8c +Bug-IBM: Bugzilla 194437 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1942908 +Applied-Upstream: >= 2.17.0 +Reviewed-by: Frank Heimes +Last-Update: 2021-09-20 + +--- + genprotimg/src/utils/crypto.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +diff --git a/genprotimg/src/utils/crypto.c b/genprotimg/src/utils/crypto.c +index 81367b23..36379f06 100644 +--- a/genprotimg/src/utils/crypto.c ++++ b/genprotimg/src/utils/crypto.c +@@ -440,10 +440,14 @@ static int check_signature_algo_match(const EVP_PKEY *pkey, const X509 *subject, + static X509_CRL *load_crl_from_bio(BIO *bio) + { + g_autoptr(X509_CRL) crl = PEM_read_bio_X509_CRL(bio, NULL, 0, NULL); ++ gint rc; ++ + if (crl) + return g_steal_pointer(&crl); + ERR_clear_error(); +- BIO_reset(bio); ++ rc = BIO_reset(bio); ++ if (rc != 1 || (rc != 0 && BIO_method_type(bio) == BIO_TYPE_FILE)) ++ return NULL; + + /* maybe the CRL is stored in DER format */ + crl = d2i_X509_CRL_bio(bio, NULL); +@@ -514,6 +518,7 @@ X509 *load_cert_from_file(const char *path, GError **err) + { + g_autoptr(BIO) bio = bio_read_from_file(path); + g_autoptr(X509) cert = NULL; ++ gint rc; + + if (!bio) { + g_set_error(err, PV_CRYPTO_ERROR, +@@ -526,7 +531,12 @@ X509 *load_cert_from_file(const char *path, GError **err) + if (cert) + return g_steal_pointer(&cert); + ERR_clear_error(); +- BIO_reset(bio); ++ rc = BIO_reset(bio); ++ if (rc != 1 || (rc != 0 && BIO_method_type(bio) == BIO_TYPE_FILE)) { ++ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_READ_CERTIFICATE, ++ _("unable to load certificate: '%s'"), path); ++ return NULL; ++ } + + /* maybe the certificate is stored in DER format */ + cert = d2i_X509_bio(bio, NULL); +-- +2.25.1 + diff --git a/debian/patches/series b/debian/patches/series index c053675..cdb9adf 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -7,3 +7,4 @@ sg3-utils.patch 0001-zkey-on-Ubuntu-use-default-benchmarked-Argon2i-with-.patch 0001-dumpconf-Don-t-run-the-service-in-LXC.patch 0010-no-pie-is-not-a-valid-option-for-ld.patch +0001-genprotimg-check-return-value-of-BIO_reset.patch