packages/shim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!76 shim:fix CVE-2023-0286 and add code check

Browse Source 
From: @jinlun123123 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
This commit is contained in:
openeuler-ci-bot 2023-02-14 15:01:35 +00:00 committed by Gitee
commit f53b61ce5e
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 47 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
backport-CVE-2023-0286.patch Normal file
View File

@ -0,0 +1,38 @@
From 2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9 Mon Sep 17 00:00:00 2001
From: Hugo Landau <hlandau@openssl.org>
Date: Tue, 17 Jan 2023 17:45:42 +0000
Subject: [PATCH] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (1.1.1)
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
---
crypto/x509v3/v3_genn.c | 2 +-
include/openssl/x509v3.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c
index 87a5eff47cd9..e54ddc55c957 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_genn.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_genn.c
@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
return -1;
switch (a->type) {
case GEN_X400:
- result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
+ result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
break;
case GEN_EDIPARTY:
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
index 90fa3592ce58..e61c0f29d4b4 100644
--- a/Cryptlib/Include/openssl/x509v3.h
+++ b/Cryptlib/Include/openssl/x509v3.h
@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st {
OTHERNAME *otherName; /* otherName */
ASN1_IA5STRING *rfc822Name;
ASN1_IA5STRING *dNSName;
- ASN1_TYPE *x400Address;
+ ASN1_STRING *x400Address;
X509_NAME *directoryName;
EDIPARTYNAME *ediPartyName;
ASN1_IA5STRING *uniformResourceIdentifier;

11
shim.spec
View File

@ -25,7 +25,7 @@
Name: shim
Version: 15.6
Release: 8
Release: 9
Summary: First-stage UEFI bootloader
ExclusiveArch: x86_64 aarch64
License: BSD
@ -46,6 +46,7 @@ Patch9:backport-0004-CVE-2020-1971.patch
Patch10:backport-CVE-2021-23841.patch
Patch11:backport-CVE-2021-3712.patch
Patch12:backport-CVE-2022-0778.patch
Patch13:backport-CVE-2023-0286.patch
# Feature for shim SMx support
Patch9000:Feature-shim-openssl-add-ec-support.patch
@ -54,7 +55,7 @@ Patch9002:Feature-shim-openssl-add-sm2-and-sm3-support.patch
Patch9003:Feature-shim-cryptlib-support-sm2-signature-verify.patch
Patch9004:Feature-shim-support-sm2-and-sm3-algorithm.patch
BuildRequires: elfutils-libelf-devel openssl-devel openssl git pesign gnu-efi gnu-efi-devel gcc
BuildRequires: elfutils-libelf-devel openssl-devel openssl git pesign gnu-efi gnu-efi-devel gcc vim-common efivar-devel
%ifarch aarch64
BuildRequires: binutils >= 2.37-7
%endif
@ -146,6 +147,9 @@ install -m 644 shim%{efi_arch}.efi.debug ${RPM_BUILD_ROOT}/usr/lib/debug/%{shime
cd ..
%check
make test
%files
%license COPYRIGHT
%{shimBOOT}/fb%{efi_arch}.efi
@ -166,6 +170,9 @@ cd ..
/usr/src/debug/%{name}-%{version}-%{release}/*
%changelog
* Tue Feb 14 2023 jinlun <jinlun@huawei.com> - 15.6-9
- fix CVE-2023-0286 and add code check
* Tue Dec 13 2022 jinlun <jinlun@huawei.com> - 15.6-8
- add edition number