Merge ~fheimes/ubuntu/+source/s390-tools:s390-tools-sru-lp1942908-hirsute into ubuntu/+source/s390-tools:ubuntu/hirsute-devel

Proposed by Frank Heimes
Status: Needs review
Proposed branch: ~fheimes/ubuntu/+source/s390-tools:s390-tools-sru-lp1942908-hirsute
Merge into: ubuntu/+source/s390-tools:ubuntu/hirsute-devel
Diff against target: 104 lines (+82/-0)
3 files modified
debian/changelog (+9/-0)
debian/patches/0001-genprotimg-check-return-value-of-BIO_reset.patch (+72/-0)
debian/patches/series (+1/-0)
Reviewers:
  Lukas Märdian (community): Approve
Review via email: mp+408943@code.launchpad.net

Description of the change

s390-tools-sru-lp1942908-hirsute
  * debian/patches/0001-genprotimg-check-return-value-of-BIO_reset.patch
    Fix of genprotimg allowing the tool to verify the validity
    of IBM Secure Execution host key documents.
    (LP: #1942908)

Test build is available here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1942908

Lukas Märdian (slyon) wrote :

Uploaded and commented on the bug.

review: Approve

Unmerged commits

f0800e2... by Frank Heimes

  * debian/changelog for
    debian/patches/0001-genprotimg-check-return-value-of-BIO_reset.patch

cef5cc4... by Frank Heimes

  * debian/patches/0001-genprotimg-check-return-value-of-BIO_reset.patch
    Fix of genprotimg allowing the tool to verify the validity
    of IBM Secure Execution host key documents.
    (LP: #1942908)

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 3726512..8c80e6b 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,12 @@
6+s390-tools (2.16.0-0ubuntu1.1) hirsute; urgency=medium
7+
8+ * debian/patches/0001-genprotimg-check-return-value-of-BIO_reset.patch
9+ Fix of genprotimg allowing the tool to verify the validity
10+ of IBM Secure Execution host key documents.
11+ (LP: #1942908)
12+
13+ -- Frank Heimes <frank.heimes@canonical.com> Mon, 20 Sep 2021 14:01:06 +0200
14+
15 s390-tools (2.16.0-0ubuntu1) hirsute; urgency=medium
16
17 * New upstream release. LP: #1914574
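Review bot: The new changelog entry describes the intended effect ("allowing the tool to verify the validity of IBM Secure Execution host key documents") but not the change itself. Naming the added BIO_reset return value checks in genprotimg, as the patch file name does, would make the SRU entry easier to audit against the patch.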
18diff --git a/debian/patches/0001-genprotimg-check-return-value-of-BIO_reset.patch b/debian/patches/0001-genprotimg-check-return-value-of-BIO_reset.patch
19new file mode 100644
20index 0000000..d790b5f
21--- /dev/null
22+++ b/debian/patches/0001-genprotimg-check-return-value-of-BIO_reset.patch
23@@ -0,0 +1,72 @@
24+genprotimg: check return value of BIO_reset
25+
26+Add missing return value checks for BIO_reset. Unfortunately, the OpenSSL
27+documentation says:
28+
29+"BIO_reset() normally returns 1 for success and 0 or -1 for failure. File BIOs
30+are an exception, they return 0 for success and -1 for failure."
31+
32+Github-ID: https://github.com/ibm-s390-linux/s390-tools/issues/112
33+Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
34+Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
35+Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
36+
37+Author: Marc Hartmayer <mhartmay@linux.ibm.com>
38+Origin: upstream, https://github.com/ibm-s390-linux/s390-tools/commit/d90344a2d5ca3a0caacf7d0c12f981be86862d8c
39+Bug-IBM: Bugzilla 194437
40+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1942908
41+Applied-Upstream: >= 2.17.0
42+Reviewed-by: Frank Heimes <frank.heimes@canonical.com>
43+Last-Update: 2021-09-20
44+
45+---
46+ genprotimg/src/utils/crypto.c | 14 ++++++++++++--
47+ 1 file changed, 12 insertions(+), 2 deletions(-)
48+
49+---
50+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
51+diff --git a/genprotimg/src/utils/crypto.c b/genprotimg/src/utils/crypto.c
52+index 81367b23..36379f06 100644
53+--- a/genprotimg/src/utils/crypto.c
54++++ b/genprotimg/src/utils/crypto.c
55+@@ -440,10 +440,14 @@ static int check_signature_algo_match(const EVP_PKEY *pkey, const X509 *subject,
56+ static X509_CRL *load_crl_from_bio(BIO *bio)
57+ {
58+ g_autoptr(X509_CRL) crl = PEM_read_bio_X509_CRL(bio, NULL, 0, NULL);
59++ gint rc;
60++
61+ if (crl)
62+ return g_steal_pointer(&crl);
63+ ERR_clear_error();
64+- BIO_reset(bio);
65++ rc = BIO_reset(bio);
66++ if (rc != 1 || (rc != 0 && BIO_method_type(bio) == BIO_TYPE_FILE))
67++ return NULL;
68+
69+ /* maybe the CRL is stored in DER format */
70+ crl = d2i_X509_CRL_bio(bio, NULL);
71+@@ -514,6 +518,7 @@ X509 *load_cert_from_file(const char *path, GError **err)
72+ {
73+ g_autoptr(BIO) bio = bio_read_from_file(path);
74+ g_autoptr(X509) cert = NULL;
75++ gint rc;
76+
77+ if (!bio) {
78+ g_set_error(err, PV_CRYPTO_ERROR,
79+@@ -526,7 +531,12 @@ X509 *load_cert_from_file(const char *path, GError **err)
80+ if (cert)
81+ return g_steal_pointer(&cert);
82+ ERR_clear_error();
83+- BIO_reset(bio);
84++ rc = BIO_reset(bio);
85++ if (rc != 1 || (rc != 0 && BIO_method_type(bio) == BIO_TYPE_FILE)) {
86++ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_READ_CERTIFICATE,
87++ _("unable to load certificate: '%s'"), path);
88++ return NULL;
89++ }
90+
91+ /* maybe the certificate is stored in DER format */
92+ cert = d2i_X509_bio(bio, NULL);
93+--
94+2.25.1
95+
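Review bot: The condition `rc != 1 || (rc != 0 && BIO_method_type(bio) == BIO_TYPE_FILE)`, added in both load_crl_from_bio() and load_cert_from_file(), sends every file BIO down the error path: the success value 0 quoted in the patch description already satisfies `rc != 1`, and a return of 1 on a file BIO is caught by the second clause, so the DER fallback is only reachable for non-file BIOs that return 1. If a file BIO can reach these functions, select the expected success value by type instead, for example fail when `rc != (BIO_method_type(bio) == BIO_TYPE_FILE ? 0 : 1)`. If bio_read_from_file() never hands back a file BIO, a plain `rc != 1` check with a comment stating that assumption would be clearer than the current expression.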
96diff --git a/debian/patches/series b/debian/patches/series
97index c053675..cdb9adf 100644
98--- a/debian/patches/series
99+++ b/debian/patches/series
100@@ -7,3 +7,4 @@ sg3-utils.patch
101 0001-zkey-on-Ubuntu-use-default-benchmarked-Argon2i-with-.patch
102 0001-dumpconf-Don-t-run-the-service-in-LXC.patch
103 0010-no-pie-is-not-a-valid-option-for-ld.patch
104+0001-genprotimg-check-return-value-of-BIO_reset.patch
