Accepting request 498707 from security

1

OBS-URL: https://build.opensuse.org/request/show/498707
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tpm2-0-tss?expand=0&rev=7

reproducible.patch

@@ -0,0 +1,31 @@
+From 010ebd4a161e424e09e5d89a336a84a0a42c456e Mon Sep 17 00:00:00 2001
+From: "Bernhard M. Wiedemann" <bwiedemann@suse.de>
+Date: Sat, 27 May 2017 07:08:56 +0200
+Subject: [PATCH] sort input files
+
+when building packages (e.g. for openSUSE Linux)
+(random) filesystem order of input files
+influences ordering of functions in the output,
+thus without the patch, builds (in disposable VMs) would differ.
+
+See https://reproducible-builds.org/ for why this matters.
+---
+ bootstrap | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bootstrap b/bootstrap
+index 95a6dda..610e817 100755
+--- a/bootstrap
++++ b/bootstrap
+@@ -8,7 +8,7 @@ src_listvar () {
+     suffix=$2
+     var=$3
+ 
+-    find "${basedir}" -name "${suffix}" | tr '\n' ' ' | (echo -n "${var} = " && cat)
++    find "${basedir}" -name "${suffix}" | LC_ALL=C sort | tr '\n' ' ' | (echo -n "${var} = " && cat)
+     echo ""
+ }
+ 
+-- 
+2.12.0
+

tpm2-0-tss.changes

@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Sat May 27 05:07:22 UTC 2017 - bwiedemann@suse.com
+
+- Add reproducible.patch to sort input files to make build reproducible
+  (boo#1041090)
+
+-------------------------------------------------------------------
+Thu May 11 15:13:49 UTC 2017 - matthias.gerstner@suse.com
+
+- create tss user account and install udev rule to fix startup of resourcemgr
+  (bnc#1038586)
+
+-------------------------------------------------------------------
+Wed May 10 13:33:16 CEST 2017 - mgerstner@suse.com
+
+- remove unnecessary dependency of libsapi0 to trousers. trousers has nothing
+  to do with tpm2-tss.
+
 -------------------------------------------------------------------
 Tue Apr 11 14:26:14 UTC 2017 - meissner@suse.com
 

tpm2-0-tss.spec

@@ -26,6 +26,8 @@ Url:            https://github.com/01org/TPM2.0-TSS
 Source0:        https://github.com/01org/TPM2.0-TSS/archive/%{version}.tar.gz
 Source2:        baselibs.conf
 Patch0:         tpm2-0-tss-configure.patch
+# PATCH-FIX-UPSTREAM bmwiedemann https://github.com/01org/TPM2.0-TSS/pull/419
+Patch1:         reproducible.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  gcc-c++
@@ -36,7 +38,10 @@ Requires(pre):  pwdutils
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
-The tpm2-0-tss package provides a TPM 2.0 TSS implementation.
+The tpm2-0-tss package provides a TPM 2.0 TSS implementation. This
+implementation is developed by INTEL. Note that the current resource manager
+implementation is considered deprecated (a prototype, probably buggy and
+insecure) by its developers.
 
 %package devel
 Summary:        Development headers for the Intel TSS library for TPM 2.0 chips
@@ -53,7 +58,6 @@ for accessing TPM 2.0 chips.
 %package -n libsapi0
 Summary:        TPM2 System API library
 Group:          System/Libraries
-Requires:       trousers
 # Non-SLPP package name from earlier
 Obsoletes:      libtss2 < %version-%release
 Provides:       libtss2 = %version-%release
@@ -81,6 +85,7 @@ TPM over a socket.
 %prep
 %setup -q -n TPM2.0-TSS-%{version}
 %patch0 -p1
+%patch1 -p1
 
 %build
 bash bootstrap
@@ -93,6 +98,8 @@ find %{buildroot} -type f -name "*.la" -delete -print
 install -D -m 0644 contrib/resourcemgr.service %{buildroot}/%{_unitdir}/resourcemgr.service
 sed -e 's#usr/local/sbin/#usr/sbin/#;' -i %{buildroot}/%{_unitdir}/resourcemgr.service
 ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rcresourcemgr
+%define udev_rule_file 90-tpm.rules
+install -D -m 0644 contrib/tpm-udev.rules %{buildroot}%{_udevrulesdir}/%{udev_rule_file}
 
 %post -n libsapi0 -p /sbin/ldconfig
 %postun -n libsapi0 -p /sbin/ldconfig
@@ -102,6 +109,26 @@ ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rcresourcemgr
 %postun -n libtcti-socket0 -p /sbin/ldconfig
 
 %pre
+# the same user is employed by trousers:
+#
+# trousers just needs those accounts for dropping privileges to. The service
+# starts as root and uses set*id to drop to tss, after the tpm device has been
+# opened.
+#
+# resourcemgr has no set*id handling and thus requires /dev/tpm to be owned
+# by the tss user. Therefore we also need to install a udev rule file.
+#
+# trousers was here first and created the user like this, also giving it a
+# home in /var/lib/tpm. I don't think the home directory is used by any of
+# both packages ATM. Trousers is keeping state there, but the directory is
+# owned by root and files are opened before dropping privileges. The passwd
+# entry seems not to be evaluated.
+#
+# so I guess we can share the account between the two packages for now.
+%_bindir/getent group tss >/dev/null || %{_sbindir}/groupadd -g 98 tss
+%_bindir/getent passwd tss >/dev/null || \
+	%{_sbindir}/useradd -u 98 -o -g tss -s /bin/false -c "TSS daemon" \
+	-d %{_localstatedir}/lib/tpm tss
 %service_add_pre resourcemgr.service
 
 %post
@@ -119,6 +146,7 @@ ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rcresourcemgr
 %{_sbindir}/resourcemgr
 /%{_unitdir}/resourcemgr.service
 %{_sbindir}/rcresourcemgr
+%{_udevrulesdir}/%{udev_rule_file}
 
 %files devel
 %defattr(-,root,root)
@@ -127,7 +155,7 @@ ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rcresourcemgr
 %{_libdir}/*.so
 %{_libdir}/pkgconfig/*.pc
 ##only available in static form
-#%{_libdir}/libtddl.a
+#%%{_libdir}/libtddl.a
 
 %files -n libsapi0
 %defattr(-,root,root)