!41 Update to 116

From: @chen-jan Reviewed-by: @caodongxia Signed-off-by: @caodongxia
2023-05-05 01:30:37 +00:00 · 2023-05-05 01:30:37 +00:00 · f0ba22c593
commit f0ba22c593
parent 0bfe93394f e1150d5e13
9 changed files with 40 additions and 303 deletions
--- a/0001-cms_common-Fixed-Segmentation-fault.patch
+++ b/0001-cms_common-Fixed-Segmentation-fault.patch
@ -0,0 +1,27 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Nicolas Frayer <nfrayer@redhat.com>
 Date: Mon, 20 Feb 2023 15:26:20 +0100
 Subject: [PATCH] cms_common: Fixed Segmentation fault
 When running efikeygen, the binary crashes with a segfault due
 to dereferencing a **ptr instead of a *ptr.
 Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
 (cherry picked from commit 227435af461f38fc4abeafe02884675ad4b1feb4)
 ---
 src/cms_common.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/cms_common.c b/src/cms_common.c
 index 24576f2..89d946a 100644
 --- a/src/cms_common.c
 +++ b/src/cms_common.c
@@ -956,7 +956,7 @@ find_certificate_by_issuer_and_sn(cms_context *cms,
 	if (!ias)
 		cnreterr(-1, cms, "invalid issuer and serial number");
 -	return find_certificate_by_callback(cms, match_issuer_and_serial, &ias, cert);
 +	return find_certificate_by_callback(cms, match_issuer_and_serial, ias, cert);
 }
 int
--- a/115.tar.gz
+++ b/115.tar.gz
--- a/116.tar.gz
+++ b/116.tar.gz
--- a/Bugfix-Free-resources-if-certificate-cannot-be-found.patch
+++ b/Bugfix-Free-resources-if-certificate-cannot-be-found.patch
@ -1,39 +0,0 @@
 From d8ea40d773dc1bcd90d8fc3b1f71ce49044ccef0 Mon Sep 17 00:00:00 2001
 From: Chenxi Mao <chenxi.mao@suse.com>
 Date: Tue, 13 Dec 2022 22:12:29 +0800
 Subject: [PATCH 1/1] Free resources if certificate cannot be found
 In find_certificate_by_callback, function return -1 directly without
 free resource if node is null, that will lead to nss shut down failed.
 The error message as below:
 could not shut down NSS: NSS could not shutdown. Objects are still in use.
 To fix this issue, free all resources before function return -1.
 Signed-off-by: Chenxi Mao <chenxi.mao@suse.com>
 ---
 src/cms_common.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
 diff --git a/src/cms_common.c b/src/cms_common.c
 index 1c54c90..24576f2 100644
 --- a/src/cms_common.c
 +++ b/src/cms_common.c
@@ -878,8 +878,12 @@ find_certificate_by_callback(cms_context *cms,
 		}
 	}
 -	if (!node)
 +	if (!node) {
 +		PK11_DestroySlotListElement(slots, &psle);
 +		PK11_FreeSlotList(slots);
 +		CERT_DestroyCertList(certlist);
 		cnreterr(-1, cms, "Could not find certificate");
 +	}
 	*cert = CERT_DupCertificate(node->cert);
 -- 
 2.33.0
--- a/Feature-pesign-support-SM2-signature-algorithm.patch
+++ b/Feature-pesign-support-SM2-signature-algorithm.patch
@ -1,112 +0,0 @@
 From 6c47b45347c946221a8acc3ea3a6a9cfcd734756 Mon Sep 17 00:00:00 2001
 From: godcansee <liu332084460@foxmail.com>
 Date: Sun, 2 Oct 2022 04:33:40 +0800
 Subject: [PATCH 2/2] pesign support SM2 signature algorithm.
 Co-authored-by:Huaxin Lu <luhuaxin1@huawei.com>
 ---
 src/signer_info.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 71 insertions(+), 1 deletion(-)
 diff --git a/src/signer_info.c b/src/signer_info.c
 index afa00e2..4aabf5d 100644
 --- a/src/signer_info.c
 +++ b/src/signer_info.c
@@ -157,6 +157,65 @@ err:
 	return -1;
 }
 +#if defined(CKM_SM2_WITH_SM3) || defined(CKM_NSS_SM2_WITH_SM3)
 +static int sm2_sign(SECItem *sig, cms_context *cms, SECKEYPrivateKey *privkey,
 +		SECItem *content, SECOidData *oid)
 +{
 +	int ret = -1;
 +	SECKEYPublicKey *pubkey = NULL;
 +	unsigned char *buf = NULL;
 +	SECStatus status;
 +	SECItem sig_raw = { 0 };
 +
 +	pubkey = CERT_ExtractPublicKey(cms->cert);
 +	if (!pubkey) {
 +		cms->log(cms, LOG_ERR, "could not get public key");
 +		return -1;
 +	}
 +
 +	if (pubkey->keyType != ecKey) {
 +		cms->log(cms, LOG_ERR, "invalid key type for sm2");
 +		goto out;
 +	}
 +
 +	buf = malloc(content->len + SM3_LENGTH);
 +	if (!buf) {
 +		cms->log(cms, LOG_ERR, "fail to alloc item");
 +		goto out;
 +	}
 +
 +	status = SEC_CreateSM2Digest(buf, &pubkey->u.ec.publicValue);
 +	if (status != SECSuccess) {
 +		cms->log(cms, LOG_ERR, "fail to compute sm2 z digest");
 +		goto out;
 +	}
 +
 +	memcpy(buf + SM3_LENGTH, content->data, content->len);
 +	status = SEC_SignData(&sig_raw, buf, content->len + SM3_LENGTH,
 +			privkey, oid->offset);
 +	if (status != SECSuccess) {
 +		cms->log(cms, LOG_ERR, "fail to sign data with sm2");
 +		goto out;
 +	}
 +
 +	status = DSAU_EncodeDerSigWithLen(sig, &sig_raw, 64);
 +	if (status != SECSuccess) {
 +		cms->log(cms, LOG_ERR, "fail to encode sm2 sig");
 +		goto out;
 +	}
 +
 +	ret = 0;
 +out:
 +	SECKEY_DestroyPublicKey(pubkey);
 +	if (buf)
 +		free(buf);
 +	if (sig_raw.data)
 +		PORT_Free(sig_raw.data);
 +
 +	return ret;
 +}
 +#endif
 +
 static int
 sign_blob(cms_context *cms, SECItem *sigitem, SECItem *sign_content)
 {
@@ -169,7 +228,8 @@ sign_blob(cms_context *cms, SECItem *sigitem, SECItem *sign_content)
 		return -1;
 	}
 -	SECOidData *oid = SECOID_FindOIDByTag(digest_get_signature_oid(cms));
 +	SECOidTag oidt = digest_get_signature_oid(cms);
 +	SECOidData *oid = SECOID_FindOIDByTag(oidt);
 	if (!oid)
 		goto err;
@@ -186,8 +246,18 @@ sign_blob(cms_context *cms, SECItem *sigitem, SECItem *sign_content)
 	memset (&tmp, '\0', sizeof (tmp));
 	SECStatus status;
 +#if defined(CKM_SM2_WITH_SM3) || defined(CKM_NSS_SM2_WITH_SM3)
 +	if (oidt == SEC_OID_SM2_WITH_SM3) {
 +		status = sm2_sign(&tmp, cms, privkey, sign_content, oid) ?
 +			SECFailure : SECSuccess;
 +	} else {
 +		status = SEC_SignData(&tmp, sign_content->data, sign_content->len,
 +				privkey, oid->offset);
 +	}
 +#else
 	status = SEC_SignData(&tmp, sign_content->data, sign_content->len,
 			privkey, oid->offset);
 +#endif
 	SECKEY_DestroyPrivateKey(privkey);
 	privkey = NULL;
 -- 
 2.33.0
--- a/Feature-pesign-support-SM3-digest-algorithm.patch
+++ b/Feature-pesign-support-SM3-digest-algorithm.patch
@ -1,32 +0,0 @@
 From fa5e86eca363b8d2bcf23feedcc86fdd076be7d4 Mon Sep 17 00:00:00 2001
 From: godcansee <liu332084460@foxmail.com>
 Date: Sun, 2 Oct 2022 04:23:35 +0800
 Subject: [PATCH 1/2] pesign support SM3 digest algorithm.
 ---
 src/cms_common.c | 9 +++++++++
 1 file changed, 9 insertions(+)
 diff --git a/src/cms_common.c b/src/cms_common.c
 index d13b2cb..7b6dc0e 100644
 --- a/src/cms_common.c
 +++ b/src/cms_common.c
@@ -68,6 +68,15 @@ static struct digest_param digest_params[] = {
 	 .size = 20
 	},
 #endif
 +#if defined(CKM_SM2_WITH_SM3) || defined(CKM_NSS_SM2_WITH_SM3)
 +	{.name = "sm3",
 +	 .digest_tag = SEC_OID_SM3,
 +	 .signature_tag = SEC_OID_SM2_WITH_SM3,
 +	 .digest_encryption_tag = SEC_OID_SM2_WITH_SM3,
 +	 .efi_guid = NULL,
 +	 .size = 32
 +	},
 +#endif
 };
 static int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
 -- 
 2.33.0
--- a/Fix-CVE-2022-3560.patch
+++ b/Fix-CVE-2022-3560.patch
@ -1,80 +0,0 @@
 From d8a8c259994d0278c59b30b41758a8dd0abff998 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Wed, 18 Jan 2023 14:00:22 -0500
 Subject: [PATCH] Use normal file permissions instead of ACLs
 Fixes a symlink attack that can't be mitigated using getfacl/setfacl.
 pesign-authorize is now deprecated and will be removed in a future
 release.
 Resolves: CVE-2022-3560
 Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
 src/pesign-authorize.in | 50 +++--------------------------------------
 1 file changed, 3 insertions(+), 47 deletions(-)
 diff --git a/src/pesign-authorize.in b/src/pesign-authorize.in
 index 69797d5..b4e89e0 100644
 --- a/src/pesign-authorize.in
 +++ b/src/pesign-authorize.in
@@ -2,56 +2,12 @@
 set -e
 set -u
 -#
 -# With /run/pesign/socket on tmpfs, a simple way of restoring the
 -# acls for specific users is useful
 -#
 -#  Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
 -#
 -
 # License: GPLv2
 -declare -a fileusers=()
 -declare -a dirusers=()
 -while read -r user ; do
 -	dirusers[${#dirusers[@]}]=-m
 -	dirusers[${#dirusers[@]}]="u:$user:rwx"
 -	fileusers[${#fileusers[@]}]=-m
 -	fileusers[${#fileusers[@]}]="u:$user:rw"
 -done </etc/pesign/users
 -
 -declare -a filegroups=()
 -declare -a dirgroups=()
 -while read -r group ; do
 -	dirgroups[${#dirgroups[@]}]=-m
 -	dirgroups[${#dirgroups[@]}]="g:$group:rwx"
 -	filegroups[${#filegroups[@]}]=-m
 -	filegroups[${#filegroups[@]}]="g:$group:rw"
 -done </etc/pesign/groups
 -
 -update_subdir() {
 -	subdir=$1 && shift
 -	setfacl -bk "${subdir}"
 -	setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
 -	for x in "${subdir}"* ; do
 -		if [ -d "${x}" ]; then
 -			setfacl -bk "${x}"
 -			setfacl "${dirusers[@]}" "${dirgroups[@]}" "${x}"
 -			update_subdir "${x}/"
 -		elif [ -e "${x}" ]; then
 -			setfacl -bk "${x}"
 -			setfacl "${fileusers[@]}" "${filegroups[@]}" "${x}"
 -		else
 -			:;
 -		fi
 -	done
 -}
 +# This script is deprecated and will be removed in a future release.
 sleep 3
 for x in @@RUNDIR@@pesign/ /etc/pki/pesign/ ; do
 -	if [ -d "${x}" ]; then
 -		update_subdir "${x}"
 -	else
 -		:;
 -	fi
 +	chown -R pesign:pesign "${x}" || true
 +	chmod -R ug+rwX "${x}" || true
 done
--- a/Fix-build-error-of-gcc-version-too-low.patch
+++ b/Fix-build-error-of-gcc-version-too-low.patch
@ -4,36 +4,14 @@ Date: Mon, 7 Nov 2022 20:41:08 +0800
 Subject: [PATCH] fix build error of gcc version too low
 ---
 src/daemon.c   | 3 ---
 src/password.c | 3 ---
- 2 files changed, 6 deletions(-)
+ 1 file changed, 3 deletions(-)
 diff --git a/src/daemon.c b/src/daemon.c
 index 0a66deb..c5061bd 100644
 --- a/src/daemon.c
 +++ b/src/daemon.c
@@ -920,8 +920,6 @@ do_shutdown(context *ctx, int nsockets, struct pollfd *pollfds)
 /* GCC -fanalyzer has trouble with realloc
  * https://bugzilla.redhat.com/show_bug.cgi?id=2047926 */
 -#pragma GCC diagnostic push
 -#pragma GCC diagnostic ignored "-Wanalyzer-use-of-uninitialized-value"
 static int
 handle_events(context *ctx)
 {
@@ -1000,7 +998,6 @@ shutdown:
 	}
 	return 0;
 }
 -#pragma GCC diagnostic pop
 static int
 get_uid_and_gid(context *ctx, char **homedir)
 diff --git a/src/password.c b/src/password.c
-index 05add9a..0f359d2 100644
+index ac1866e..3436ea2 100644
 --- a/src/password.c
 +++ b/src/password.c
-@@ -304,14 +304,11 @@ SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg)
+@@ -312,14 +312,11 @@ SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg)
 		/* Workaround for -fanalzer/reallocarray() bug
 		 * https://bugzilla.redhat.com/show_bug.cgi?id=2047926 */
@ -47,7 +25,7 @@ index 05add9a..0f359d2 100644
 -#pragma GCC diagnostic pop
 		span = strspn(start, whitespace_and_eol_chars);
- 		dprintf("whitespace span is %zd", span);
+ 		dbgprintf("whitespace span is %zd", span);
 -- 
-2.27.0
+2.39.1
--- a/pesign.spec
+++ b/pesign.spec
@ -1,11 +1,11 @@
 %global macrosdir %(d=%{_rpmconfigdir}/macros.d; [ -d $d ] || d=%{_sysconfdir}/rpm; echo $d)
 Name:          pesign
 Summary:       Signing utility for UEFI binaries
-Version:       115
+Version:       116
-Release:       4
+Release:       1
 License:       GPLv2
 URL:           https://github.com/rhboot/pesign
-Source0:       https://github.com/rhboot/pesign/archive/refs/tags/115.tar.gz
+Source0:       https://github.com/rhboot/pesign/archive/refs/tags/116.tar.gz
 Source1:       certs.tar.xz
 Source2:       pesign.py
 Source3:       euleros-certs.tar.bz2
@ -17,13 +17,8 @@ BuildRequires: nss-devel >= 3.13.6-1 efivar-devel >= 31-1 libuuid-devel tar xz
 BuildRequires: python3-rpm-macros python3 systemd python3-devel gcc mandoc
 Patch0001:     Bugfix-cms_common-fix-cert-match-check.patch
-Patch0002:     Bugfix-Free-resources-if-certificate-cannot-be-found.patch
+Patch0002:     0001-cms_common-Fixed-Segmentation-fault.patch
 # Feature: support SM2 and SM3
 Patch9000:     Feature-pesign-support-SM3-digest-algorithm.patch
 Patch9001:     Feature-pesign-support-SM2-signature-algorithm.patch
 Patch9002:     Fix-build-error-of-gcc-version-too-low.patch
 Patch9003:     Fix-CVE-2022-3560.patch
 %description
 pesign is a command line tool for manipulating signatures and
@ -84,22 +79,22 @@ exit 0
 %config(noreplace)/%{_sysconfdir}/pesign/*
 %{_sysconfdir}/popt.d/pesign.popt
 %{macrosdir}/macros.pesign
 %dir %attr(0775,pesign,pesign) /etc/pki/pesign/euleros-pesign-db
 %attr(0644,pesign,pesign) /etc/pki/pesign/euleros-pesign-db/*
 %ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/socket
 %ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/pesign.pid
 %{_tmpfilesdir}/pesign.conf
 %{_unitdir}/pesign.service
 %{python3_sitelib}/mockbuild/plugins/*/pesign.*
 %{python3_sitelib}/mockbuild/plugins/pesign.*
 %exclude /boot
 %exclude %{_sysconfdir}/rpm
 %files help
-%doc README TODO
+%doc README.md TODO
 %{_mandir}/man*/*
 %changelog
 * Thu May 04 2023 chenchen <chen_aka_jan@163.com> - 116-1
 - Update to 116
 * Tue Feb 14 2023 luopihui <luopihui@ncti-gba.cn> - 115-4
 - Fix CVE-2022-3560