From 9e5ac9f25cd400b16d5969f531cee28290543f2a Mon Sep 17 00:00:00 2001
From: Marcio Silva <marcio.a.silva@ibm.com>
Date: Wed, 12 Jul 2023 12:05:47 -0300
Subject: [PATCH] Fix for CVE-2023-38201 (Security Advisory
GHSA-f4r5-q63f-gcww)
In addition to removing the offending message, this patch also ensures that
an agent's record is deleted from the database after a single failed
activation attempt.
Signed-off-by: Marcio Silva <marcio.a.silva@ibm.com>
---
keylime/registrar_common.py | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
Index: keylime-v6.3.2/keylime/registrar_common.py
===================================================================
--- keylime-v6.3.2.orig/keylime/registrar_common.py
+++ keylime-v6.3.2/keylime/registrar_common.py
@@ -378,7 +378,7 @@ class UnprotectedHandler(BaseHTTPRequest
try:
contact_port = int(contact_port)
if contact_port < 1 or contact_port > 65535:
- logger.warning("Contact port for agent %s is not a number between 1 and got: %s.",
+ logger.warning("Contact port for agent %s is not a number between 1 and 65535 got: %s.",
agent_id, contact_port)
contact_port = None
except ValueError:
@@ -495,8 +495,16 @@ class UnprotectedHandler(BaseHTTPRequest
logger.error('SQLAlchemy Error: %s', e)
raise
else:
+ if agent_id and session.query(RegistrarMain).filter_by(agent_id=agent_id).delete():
+ try:
+ session.commit()
+ except SQLAlchemyError as e:
+ logger.error("SQLAlchemy Error: %s", e)
+ raise
+
raise Exception(
- f"Auth tag {auth_tag} does not match expected value {ex_mac}")
+ f"Auth tag {auth_tag} for agent {agent_id} does not match expected value. The agent has been deleted from database, and a restart of it will be required"
+ )
web_util.echo_json_response(self, 200, "Success")
logger.info('PUT activated: %s', agent_id)