Merge ~fheimes/ubuntu/+source/s390-tools:s390-tools-sru-lp1942908-hirsute into ubuntu/+source/s390-tools:ubuntu/hirsute-devel

Proposed by Frank Heimes
Status: Needs review
Proposed branch: ~fheimes/ubuntu/+source/s390-tools:s390-tools-sru-lp1942908-hirsute
Merge into: ubuntu/+source/s390-tools:ubuntu/hirsute-devel
Diff against target: 104 lines (+82/-0)
3 files modified
debian/changelog (+9/-0)
debian/patches/0001-genprotimg-check-return-value-of-BIO_reset.patch (+72/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
Lukas Märdian (community) Approve
Review via email: mp+408943@code.launchpad.net

Description of the change

s390-tools-sru-lp1942908-hirsute
  * debian/patches/0001-genprotimg-check-return-value-of-BIO_reset.patch
    Fix of genprotimg allowing the tool to verify the validity
    of IBM Secure Execution host key documents.
    (LP: #1942908)

Test build is available here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1942908

Lukas Märdian (slyon) wrote :

Uploaded and commented on the bug.

review: Approve

Unmerged commits

f0800e2... by Frank Heimes

  * debian/changelog for
    debian/patches/0001-genprotimg-check-return-value-of-BIO_reset.patch

cef5cc4... by Frank Heimes

  * debian/patches/0001-genprotimg-check-return-value-of-BIO_reset.patch
    Fix of genprotimg allowing the tool to verify the validity
    of IBM Secure Execution host key documents.
    (LP: #1942908)

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index 3726512..8c80e6b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
1s390-tools (2.16.0-0ubuntu1.1) hirsute; urgency=medium
2
3 * debian/patches/0001-genprotimg-check-return-value-of-BIO_reset.patch
4 Fix of genprotimg allowing the tool to verify the validity
5 of IBM Secure Execution host key documents.
6 (LP: #1942908)
7
8 -- Frank Heimes <frank.heimes@canonical.com> Mon, 20 Sep 2021 14:01:06 +0200
9
1s390-tools (2.16.0-0ubuntu1) hirsute; urgency=medium10s390-tools (2.16.0-0ubuntu1) hirsute; urgency=medium
211
3 * New upstream release. LP: #191457412 * New upstream release. LP: #1914574
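Review bot: The new changelog entry (added lines 3-6) states only the intended effect, "Fix of genprotimg allowing the tool to verify the validity of IBM Secure Execution host key documents", and does not say what the patch changes. Consider naming the change itself, the added BIO_reset() return-value checks in genprotimg/src/utils/crypto.c, so the entry can be matched to the patch without opening it.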
diff --git a/debian/patches/0001-genprotimg-check-return-value-of-BIO_reset.patch b/debian/patches/0001-genprotimg-check-return-value-of-BIO_reset.patch
4new file mode 10064413new file mode 100644
index 0000000..d790b5f
--- /dev/null
+++ b/debian/patches/0001-genprotimg-check-return-value-of-BIO_reset.patch
@@ -0,0 +1,72 @@
1genprotimg: check return value of BIO_reset
2
3Add missing return value checks for BIO_reset. Unfortunately, the OpenSSL
4documentation says:
5
6"BIO_reset() normally returns 1 for success and 0 or -1 for failure. File BIOs
7are an exception, they return 0 for success and -1 for failure."
8
9Github-ID: https://github.com/ibm-s390-linux/s390-tools/issues/112
10Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
11Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
12Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
13
14Author: Marc Hartmayer <mhartmay@linux.ibm.com>
15Origin: upstream, https://github.com/ibm-s390-linux/s390-tools/commit/d90344a2d5ca3a0caacf7d0c12f981be86862d8c
16Bug-IBM: Bugzilla 194437
17Bug-Ubuntu: https://bugs.launchpad.net/bugs/1942908
18Applied-Upstream: >= 2.17.0
19Reviewed-by: Frank Heimes <frank.heimes@canonical.com>
20Last-Update: 2021-09-20
21
22---
23 genprotimg/src/utils/crypto.c | 14 ++++++++++++--
24 1 file changed, 12 insertions(+), 2 deletions(-)
25
26---
27This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
28diff --git a/genprotimg/src/utils/crypto.c b/genprotimg/src/utils/crypto.c
29index 81367b23..36379f06 100644
30--- a/genprotimg/src/utils/crypto.c
31+++ b/genprotimg/src/utils/crypto.c
32@@ -440,10 +440,14 @@ static int check_signature_algo_match(const EVP_PKEY *pkey, const X509 *subject,
33 static X509_CRL *load_crl_from_bio(BIO *bio)
34 {
35 g_autoptr(X509_CRL) crl = PEM_read_bio_X509_CRL(bio, NULL, 0, NULL);
36+ gint rc;
37+
38 if (crl)
39 return g_steal_pointer(&crl);
40 ERR_clear_error();
41- BIO_reset(bio);
42+ rc = BIO_reset(bio);
43+ if (rc != 1 || (rc != 0 && BIO_method_type(bio) == BIO_TYPE_FILE))
44+ return NULL;
45
46 /* maybe the CRL is stored in DER format */
47 crl = d2i_X509_CRL_bio(bio, NULL);
48@@ -514,6 +518,7 @@ X509 *load_cert_from_file(const char *path, GError **err)
49 {
50 g_autoptr(BIO) bio = bio_read_from_file(path);
51 g_autoptr(X509) cert = NULL;
52+ gint rc;
53
54 if (!bio) {
55 g_set_error(err, PV_CRYPTO_ERROR,
56@@ -526,7 +531,12 @@ X509 *load_cert_from_file(const char *path, GError **err)
57 if (cert)
58 return g_steal_pointer(&cert);
59 ERR_clear_error();
60- BIO_reset(bio);
61+ rc = BIO_reset(bio);
62+ if (rc != 1 || (rc != 0 && BIO_method_type(bio) == BIO_TYPE_FILE)) {
63+ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_READ_CERTIFICATE,
64+ _("unable to load certificate: '%s'"), path);
65+ return NULL;
66+ }
67
68 /* maybe the certificate is stored in DER format */
69 cert = d2i_X509_bio(bio, NULL);
70--
712.25.1
72
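Review bot: The new BIO_reset() check in load_crl_from_bio() and load_cert_from_file() (patch lines 43 and 62) treats a successful reset of a file BIO as a failure. The patch header quotes the OpenSSL documentation as saying file BIOs return 0 for success and -1 for failure, but `rc != 1` is already true when rc is 0, so the function returns NULL before the DER fallback is tried. Because of short-circuit evaluation the second clause is only reached when rc is 1, where `rc != 0` is always true, so the whole condition reduces to "rc is not 1, or the BIO is a file BIO". If file BIOs can reach these functions, the test should pick the expected success value by BIO type, for example `(BIO_method_type(bio) == BIO_TYPE_FILE) ? rc != 0 : rc != 1`; if they cannot, `rc != 1` alone is sufficient and the file-BIO clause can be dropped. The kind of BIO that bio_read_from_file() returns is not visible in this diff, so that is worth confirming. Separately, load_crl_from_bio() returns NULL on a reset failure with no error set, so the caller cannot tell it apart from an unparsable CRL.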
diff --git a/debian/patches/series b/debian/patches/series
index c053675..cdb9adf 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@ sg3-utils.patch
70001-zkey-on-Ubuntu-use-default-benchmarked-Argon2i-with-.patch70001-zkey-on-Ubuntu-use-default-benchmarked-Argon2i-with-.patch
80001-dumpconf-Don-t-run-the-service-in-LXC.patch80001-dumpconf-Don-t-run-the-service-in-LXC.patch
90010-no-pie-is-not-a-valid-option-for-ld.patch90010-no-pie-is-not-a-valid-option-for-ld.patch
100001-genprotimg-check-return-value-of-BIO_reset.patch
