| author | Peter Jones <pjones@redhat.com> | 2023-07-27 14:58:55 -0400 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2023-12-05 13:20:00 -0500 |
| commit | afdc5039de0a4a3a40162a32daa070f94a883f09 (patch) | |
| tree | 5d59ea0ee92348fa8e4c140fda82d2e44573eefb /Cryptlib/opensslconf-diff.patch | |
| parent | e7f5fdf53ee68025f3ef2688e2f27ccb0082db83 (diff) | |
| download | efi-boot-shim-afdc5039de0a4a3a40162a32daa070f94a883f09.tar.gz efi-boot-shim-afdc5039de0a4a3a40162a32daa070f94a883f09.zip | |
CVE-2023-40549 Authenticode: verify that the signature header is in bounds.

In the validation logic in verify_buffer_authenticode(), there is yet
another case where we need to guarantee an object is in the binary but
we're only validating the pointer to it. In this case, we're validating
that the actual signature data is in the binary, but unfortunately we
failed to validate that the header describing it is, so a malformed
binary can cause us to take an out-of-bounds read (probably but not
necessarily on the same page) past the end of the buffer.

This patch adds a bounds check to verify that the signature is
actually within the bounds.

It seems unlikely this can be used for more than a denial of service,
and if you can get shim to try to verify a malformed binary, you've
effectively already accomplished a DoS.

Resolves: CVE-2023-40549
Reported-by: gkirkpatrick@google.com
Signed-off-by: Peter Jones <pjones@redhat.com>
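The class of check the commit message describes, as an added example that is not shim's code: the signature header (the PE WIN_CERTIFICATE fields dwLength, wRevision, wCertificateType) must be proven to lie inside the buffer before any of its fields are read, and only then can the body it describes be checked. The function name, result codes and parameter names are assumptions for illustration; the data-directory offset and size are treated as untrusted input.

```c
/* Added example (not shim's code): bounds-check a PE Authenticode
 * signature header before reading it, then the body it describes.
 * WIN_CERTIFICATE layout per the PE/COFF Authenticode spec:
 *   dwLength (u32 LE), wRevision (u16 LE), wCertificateType (u16 LE),
 *   bCertificate[] follows. All names below are hypothetical. */
#include <stddef.h>
#include <stdint.h>

#define WIN_CERT_HEADER_LEN 8u /* dwLength + wRevision + wCertificateType */

/* Hypothetical result codes for the check. */
enum sig_status { SIG_OK = 0, SIG_HEADER_OOB, SIG_BODY_OOB, SIG_BAD_LEN };

/* Decode a little-endian u32 byte by byte, independent of host endianness. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Check that the certificate-table entry (sec_dir_off, sec_dir_size) from
 * the PE data directory lies entirely within buf[0..buf_len). The header is
 * validated first, because its dwLength field cannot be trusted until the
 * header itself is known to be in bounds. Subtraction is ordered so the
 * arithmetic cannot wrap on 32-bit inputs. */
enum sig_status authenticode_sig_in_bounds(const uint8_t *buf, size_t buf_len,
                                           uint32_t sec_dir_off,
                                           uint32_t sec_dir_size,
                                           uint32_t *sig_len_out)
{
    /* 1. The 8-byte header must fit: off + 8 <= buf_len, without overflow. */
    if (sec_dir_off > buf_len || buf_len - sec_dir_off < WIN_CERT_HEADER_LEN)
        return SIG_HEADER_OOB;
    /* The directory entry must at least claim room for the header. */
    if (sec_dir_size < WIN_CERT_HEADER_LEN)
        return SIG_BAD_LEN;

    /* 2. Only now is it safe to read dwLength out of the header. */
    uint32_t dw_length = le32(buf + sec_dir_off);

    /* 3. dwLength includes the header and may not exceed the directory size. */
    if (dw_length < WIN_CERT_HEADER_LEN || dw_length > sec_dir_size)
        return SIG_BAD_LEN;

    /* 4. The whole signature blob must fit in what remains of the buffer. */
    if (buf_len - sec_dir_off < dw_length)
        return SIG_BODY_OOB;

    if (sig_len_out)
        *sig_len_out = dw_length;
    return SIG_OK;
}
```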
Diffstat (limited to 'Cryptlib/opensslconf-diff.patch')
0 files changed, 0 insertions, 0 deletions
