Update to keylime-7.13.0+40 (CVE-2025-13609, bsc#1254199)

Signed-off-by: Alberto Planas <aplanas@suse.com>
2025-12-10 14:54:30 +01:00
8 changed files with 21 additions and 51 deletions
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">https://github.com/keylime/keylime.git</param>
-              <param name="changesrevision">af531bdbd127dbe2595ffcc80bdd9b447b09e705</param></service></servicedata>
+              <param name="changesrevision">dc75773679b1862e3b571f513e5aa9904efaf136</param></service></servicedata>
--- a/keylime-7.13.0+40.tar.xz
+++ b/keylime-7.13.0+40.tar.xz
--- a/keylime-7.13.0+55.tar.xz
+++ b/keylime-7.13.0+55.tar.xz
--- a/keylime.changes
+++ b/keylime.changes
@@ -1,30 +1,3 @@
-------------------------------------------------------------------
-Fri Jan  9 11:32:03 UTC 2026 - Alberto Planas Dominguez <aplanas@suse.com>
-
- Add missing pyasn1 dependency
-
-------------------------------------------------------------------
-Thu Jan 08 08:37:05 UTC 2026 - aplanas@suse.com
-
- Use tmpfiles.d for /var directories (PED-14735)
-
- Update to version 7.13.0+55:
-  * [Automatic] Update Keylime base image 2026-01-05
-  * docs: Document claims response from /verify/evidence
-  * verify/evidence: Use tee label for TEE verification
-  * verify/evidence: Change valid response to boolean
-  * tee/snp: Return SEV-SNP claims upon successful verification
-  * verify/evidence: Return TPM claims in response
-  * verify/evidence: Define empty response fields
-  * [Automatic] Update Keylime base image 2025-12-14
-  * Fix TypeError when using -m flag without IMA measurement list path
-  * Increase maximum_attestation_interval
-  * Do not require wheel for building
-  * Add session.refresh() before process_get_status()
-  * Fix PUSH mode attestation status race condition
-  * Add consecutive_attestation_failures column to legacy VerfierMain model
-  * Remove operational_state field from status response in push mode
-
 -------------------------------------------------------------------
 Tue Dec 09 13:34:39 UTC 2025 - aplanas@suse.com

--- a/keylime.conf
+++ b/keylime.conf
@@ -1,5 +0,0 @@
-#Type Path                            Mode User    Group Age Argument...
-d     /var/log/keylime                0750 keylime tss   -   -
-d     /var/lib/keylime                0700 keylime tss   -   -
-L     /var/lib/keylime/tpm_cert_store 0700 keylime tss   -   ../../../usr/lib/keylime/tpm_cert_store
-d     /run/keylime                    0700 keylime tss   -   -
--- a/keylime.obsinfo
+++ b/keylime.obsinfo
@@ -1,4 +1,4 @@
 name: keylime
-version: 7.13.0+55
-mtime: 1767609804
-commit: af531bdbd127dbe2595ffcc80bdd9b447b09e705
+version: 7.13.0+40
+mtime: 1764941702
+commit: dc75773679b1862e3b571f513e5aa9904efaf136
--- a/keylime.spec
+++ b/keylime.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package keylime
 #
-# Copyright (c) 2026 SUSE LLC and contributors
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -31,7 +31,7 @@
 %endif
 %{?sle15_python_module_pythons}
 Name:           keylime
-Version:        7.13.0+55
+Version:        7.13.0+40
 Release:        0
 Summary:        Open source TPM software for Bootstrapping and Maintaining Trust
 License:        Apache-2.0 AND MIT AND BSD-3-Clause
@@ -40,7 +40,7 @@ Source0:        %{name}-%{version}.tar.xz
 Source1:        keylime.xml
 Source2:        %{name}-user.conf
 Source3:        logrotate.%{name}
-Source4:        %{name}.conf
+Source4:        tmpfiles.%{name}
 # openSUSE adjustments for generated configuration files
 Source10:       registrar.conf.diff
 Source11:       verifier.conf.diff
@@ -65,8 +65,6 @@ Requires:       python3-jsonschema
 Requires:       python3-lark
 Requires:       python3-packaging
 Requires:       python3-psutil
-Requires:       python3-pyasn1
-Requires:       python3-pyasn1-modules
 Requires:       python3-pyzmq
 Requires:       python3-requests
 Requires:       python3-tornado
@@ -200,10 +198,11 @@ install -Dpm 0644 %{SOURCE1} %{buildroot}%{_prefix}/lib/firewalld/services/%{src
 install -Dpm 0644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}-user.conf
 install -Dpm 0644 %{SOURCE3} %{buildroot}%{_distconfdir}/logrotate.d/%{name}
 install -Dpm 0644 %{SOURCE4} %{buildroot}%{_tmpfilesdir}/%{name}.conf
+install -d %{buildroot}%{_localstatedir}/log/%{name}

-mkdir -p %{buildroot}%{_prefix}/lib/%{srcname}
-cp -r ./tpm_cert_store %{buildroot}%{_prefix}/lib/%{srcname}/
-%fdupes %{buildroot}%{_prefix}/lib/%{srcname}/
+mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname}
+cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/%{srcname}/
+%fdupes %{buildroot}%{_sharedstatedir}/%{srcname}/

 # %%check
 # %%pyunittest -v
@@ -253,7 +252,7 @@ cp -r ./tpm_cert_store %{buildroot}%{_prefix}/lib/%{srcname}/
 %pre -n %{srcname}-tpm_cert_store -f %{srcname}.pre

 %post -n %{srcname}-tpm_cert_store
-%tmpfiles_create %{_tmpfilesdir}/%{srcname}.conf
+%tmpfiles_create %{srcname}.conf

 %pre -n %{srcname}-verifier
 %service_add_pre %{srcname}_verifier.service
@@ -307,12 +306,13 @@ cp -r ./tpm_cert_store %{buildroot}%{_prefix}/lib/%{srcname}/
 %{_prefix}/lib/firewalld/services/%{srcname}.xml

 %files -n %{srcname}-tpm_cert_store
-%dir %attr(0700,keylime,tss) %{_prefix}/lib/%{srcname}
-%dir %attr(0700,keylime,tss) %{_prefix}/lib/%{srcname}/tpm_cert_store
-%attr(0600,keylime,tss) %{_prefix}/lib/%{srcname}/tpm_cert_store/*
+%dir %attr(0700,keylime,tss) %{_sharedstatedir}/%{srcname}
+%dir %attr(0700,keylime,tss) %{_sharedstatedir}/%{srcname}/tpm_cert_store
+%attr(0600,keylime,tss) %{_sharedstatedir}/%{srcname}/tpm_cert_store/*
 # We use this subpackage to store other unrelated things, as far as is
 # required by all the services
 %{_sysusersdir}/%{srcname}-user.conf
+%ghost %dir %attr(0700,keylime,tss) %{_rundir}/%{srcname}
 %{_tmpfilesdir}/%{srcname}.conf

 %files -n %{srcname}-registrar
@@ -331,5 +331,6 @@ cp -r ./tpm_cert_store %{buildroot}%{_prefix}/lib/%{srcname}/

 %files -n %{srcname}-logrotate
 %_config_norepl %{_distconfdir}/logrotate.d/%{srcname}
+%dir %attr(0750,keylime,tss) %{_localstatedir}/log/%{srcname}

 %changelog
--- a/tmpfiles.keylime
+++ b/tmpfiles.keylime
@@ -0,0 +1 @@
+d /run/keylime 0700 keylime tss