SHA256
1
0
forked from pool/tpm2.0-tools

Accepting request 902778 from home:favogt:branches:security

- update to version 5.1.1:
  - tpm2_import: fix fixed AES key CVE-2021-3565
    - tpm2_import used a fixed AES key for the inner wrapper, which means that
      a MITM attack would be able to unwrap the imported key. To fix this,
      ensure the key size is 16 bytes or bigger and use OpenSSL to generate a
      secure random AES key.
- Avoid pandoc build dependency, use prebuilt man pages everywhere
- Drop 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch, now upstream
- Drop _service, unused
- Drop unused unzip build dependency
- Drop autoreconfigure call, no longer necessary
- Use %autosetup
- Verify tarball signature
- Build against efivar
- Drop %check section, tests weren't built, so that was a noop

OBS-URL: https://build.opensuse.org/request/show/902778
OBS-URL: https://build.opensuse.org/package/show/security/tpm2.0-tools?expand=0&rev=80
This commit is contained in:
Matthias Gerstner 2021-06-28 09:47:58 +00:00 committed by Git OBS Bridge
parent 45f5061ef4
commit 30fe5afe17
8 changed files with 283 additions and 91 deletions

View File

@ -1,46 +0,0 @@
From c069e4f179d5e6653a84fb236816c375dca82515 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Fri, 21 May 2021 12:22:31 -0500
Subject: [PATCH] tpm2_import: fix fixed AES key CVE-2021-3565
tpm2_import used a fixed AES key for the inner wrapper, which means that
a MITM attack would be able to unwrap the imported key. Even the
use of an encrypted session will not prevent this. The TPM only
encrypts the first parameter which is the fixed symmetric key.
To fix this, ensure the key size is 16 bytes or bigger and use
OpenSSL to generate a secure random AES key.
Fixes: #2738
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
tools/tpm2_import.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/tools/tpm2_import.c b/tools/tpm2_import.c
index cfb6f207..f44326c8 100644
--- a/tools/tpm2_import.c
+++ b/tools/tpm2_import.c
@@ -118,7 +118,17 @@ static tool_rc key_import(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *parent_pub,
TPM2B_DATA enc_sensitive_key = {
.size = parent_pub->publicArea.parameters.rsaDetail.symmetric.keyBits.sym / 8
};
- memset(enc_sensitive_key.buffer, 0xFF, enc_sensitive_key.size);
+
+ if(enc_sensitive_key.size < 16) {
+ LOG_ERR("Calculated wrapping keysize is less than 16 bytes, got: %u", enc_sensitive_key.size);
+ return tool_rc_general_error;
+ }
+
+ int ossl_rc = RAND_bytes(enc_sensitive_key.buffer, enc_sensitive_key.size);
+ if (ossl_rc != 1) {
+ LOG_ERR("RAND_bytes failed: %s", ERR_error_string(ERR_get_error(), NULL));
+ return tool_rc_general_error;
+ }
/*
* Calculate the object name.
--
2.26.3

View File

@ -1,11 +0,0 @@
<services>
<!-- we need to setup a download_files service here. it is already called implicitly for some reason in the devel project, but not in e.g. SLE-15 -->
<service name="tar_scm" mode="disabled">
<param name="url">https://github.com/intel/tpm2-tools.git</param>
<param name="scm">git</param>
<param name="revision">5.1</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="changesgenerate">disable</param>
</service>
<service name="set_version" mode="disabled"/>
</services>

3
tpm2-tools-5.1.1.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5500810f7af999391babb13216d75843bee9f3f9d1544feed5e503d801174a3b
size 1044427

View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEW0grjj4Z2nyXjh0BbeLpB44fUMEFAmDQoIoACgkQbeLpB44f
UMEidhAAqmjQ+JUI5dlp4hsU78cKpZpIC3ivS2vobHekdOrzlDqe9/GhFXQEo07O
M7RI1zgguaXXGlNNatx+xU3vHZD3CjtwRxjt4OFEwL0yH8/8/5YDMgTbujmuprbu
sF3uQ3+RUmY6UQPqXH5UTV6sri50psY0JSQg4CKSfu/KGAzu74dfkcq6k6zFwaTl
Odj7orMw+5tzygeF6L308o07jIM0Z0Uiuf0nAkKAQX8iSrJDZZK89gfSLr5+rcBB
ihAAWE087Mfkd7WgMi54Ozja5YfZ9RF9CNMqETLB1YEseu1Q8LqmR39DDUANAMGb
eJx9ZP1+r3MPp2EqUjt6DWDvp9KUEepg6ZQfarhvBknJU4cXxpoK/qV9/QD8NaEP
YY2SGOkb4O9OxENrCNGKKAW1yI+sx4kjxqVVq1Gz+nFDOhd6wOWxLOfOFrQTy0o8
H76Zs3cJodgrSYTO690hLJzX4pEVn2qrtFq+eDmRmD6IktJXaU4dK7SlXRW3yfkH
sSdsHy+HZ1tBsvEbLGRDJLFrt4rVyl42n1dl+yynliQ0Np/i6TMwPfoTUsZGqSbA
ifMLZW774d204FDwZZzmAbRtILHNUDNKwyMVMFMHbZtjep5MwW3x3sC89tOgkCtM
LLlxoiaHzhS7coAYDBUxYiL/wzsbIFYDyDLplxgoLfqzJCl8unY=
=KI3b
-----END PGP SIGNATURE-----

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e2d37b4376f968d6ce480e71b9b26a56a1960c844f4816335570c141c03642cd
size 1042653

233
tpm2-tools.keyring Normal file
View File

@ -0,0 +1,233 @@
tag william-roberts-pub
Tagger: William Roberts <william.c.roberts@intel.com>
Date: Wed Feb 15 15:12:03 2017 -0800
Signing key for maintainer:
william.c.roberts@intel.com
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
mQINBFik3GUBEADYDYbSXH3UTr9oCNCI3UxC1hiLH7cM+QIbMtWiwfAbT3G8wrTa
NPj00qNvI4wQ/Xm3h0hB7kri7vP0FqIjIwsTdM6ZpFdVHHKW1m4P8fkOcxqmLN0g
V36MN5fgoGWf2K94aS7ItoweRMcuHnwWawe6aAtbKSYVqhWhoB/3grgd0xhE61AS
o8fJ7uRYNEAYVeOKlC2j+qKfoJbCa6yqZejFwOOzB6qxNRA7JYvckEf8yJ4+Y16m
qPyZ1ErHzpql3+b5ha+g+9g8WzxAbSfGYZTwaQxyePNjXuq2tdEXf9XnESvoaoN4
pQhiu/0BJEkXPxl1zso65g4Mn22xEELhUnwPDo5YdLlWEZ8xhELLvdJc3Z0nTR5A
4/YaZvvzf7pOD1cwpB6IrRf8n9rOe1aDxh/A//zX9PpIOV25p5kqlE88Ya5VXrnA
Ayfs19RZmK3+FuaI0ij79CRokG9BrI6TXT0pRTDIRu7GvAo2q13MELRvFddyRT2G
mNjsHYcqEbraYTh3LHEiwfWp4ZgDtk8jj3iRabHQUHk9V8vSFzj+wp1E8HzO8Vp3
BxMDIOG1VPdLi81DP+LbZI1h30ZG63ulqkKIhwx5/h2v4VCYPatVtGqVf37tLstj
Wrs0DkBykuZrecp+AJ5ZJ+UVvR8ajO2ncAoOugNwoj9Wuvz0fVTiJIhuNQARAQAB
tDxXaWxsaWFtIFJvYmVydHMgKEJpbGwgUm9iZXJ0cykgPHdpbGxpYW0uYy5yb2Jl
cnRzQGludGVsLmNvbT6JAjgEEwECACIFAlik3GUCGwMGCwkIBwMCBhUIAgkKCwQW
AgMBAh4BAheAAAoJEG3i6QeOH1DBibEQAL4EwEzegkc8NyHiW0mntwDoCv3tkUlG
fprp/g7GWfrP+L+pN5yexg3Zm/CgVN/tTNCEr5XtP+sdds8xBF6ReJ8QPO7EiMiM
asPXh8zlODrySXCGHmpa7IzuUC2wgD3Wq7WjniMvnBmqBdL0+8nqA6NFxOOklvK1
ub7bqLrHKfUfciFOfYAi+C0Bh8kdZtMjfY9sqlJA3sVK2UxVXq9D+oHbL1o454N6
VzV0rDtsK47GSSCXT75kulPdfOCopTgxPgNsK4VnXgMOL5JMURPJa3rBzmBRFed1
ynrqwFdmYdMepsUgt/JS2I/23QChqp6AdVDjtGLKS71hox+vdE4S0DoRnMHwHkkt
B6bqQci3RlUP+wcHHRCUXUubxMSlYJqhBdEOclo6N0X0LseLcdAMGda8ZnqbHlyg
hPLmJrM3C5zTLjDb2YJXCy6RVNwqAnU3o33SZCnHqo/zUjEtR03Ztk1DzSeCjo5w
zLac1VFq5S3QdgZUwmPhyeoigqOvHu6Z1s2eL8Aw7Hn8i6MWLz5sOXAtyC9NPwK/
qbp1a+GQXzNW4rvKl7ZEFKrBKyj8AiRoVLSRKcqZtFT56ltXQjrwKjsWDTEOzjnm
XCSM96xfay6asQH5fw+haC3RIErwyNV0uUDIVC0xDTZ6NgJEBkp8liwNeHE7eHoN
8qWSZZO2syf7uQINBFik3GUBEAC7V2o1kBsLFSKwmgsCuGfW0oBIQiaCcakT6D2X
rKBjmzBvh/UIdXQwl9+vPKtWX3T/7g6UBvezV3uc2ZqrigGmFemoQI3sW7wFk0L9
/QTUWCMfZtyrWgqyetmPYS+i2PnsEPinsgsEHWf3iu/ew1A7npZwINwMdOSOVw2u
JqYyW2tZCErWKVe31ziYUpXA+HaRm9zoVr0F0sE2GYGWbMVYtqxN9TSYcIAHxB71
Y31dcY77ln/1JAH4Yzqc063w/lNYogEbbQY7WNgcKdPP+aovpV7kS3TKwsdb9/xT
pj67nnlvjLTMRoW3Ez0PcIDFhuube9uOQupYG4rC4grLeVLwL/ekVmn6TxRN1hG7
6zYXWiwWi16uAO++eBNt127FwCOVZsPO0ye3/XpOpCdpUadguxF2gGt6xY0gtetj
Vdv6S4kCdSx8NMrO2epS/1pgklxN9R/xl7Wu+JPUuVX4Jy0ycmw7TCWxdK2fuFy6
6aLCXWWEjRSp06oeVJoVV2py+rYaoau7JG7Zgx1A3gYTm6MLFysfROaQgmfRozIH
0boYh3IA1WWzk4I6ew129ynC5zGXg/+UCnKKwn8Tsh9neq9noRDAonWI7jOCipwF
l51py82093M87zjz9o/qxnB8p00jByQ+MunUykaZrkQKHAsiyIF6cUIeQiy/AL7n
wwSPQQARAQABiQIfBBgBAgAJBQJYpNxlAhsMAAoJEG3i6QeOH1DBtO8P/1D98sl3
oz/0oSSz0u9nzgOh93UkLbXpjSR4U+g7Wl2ppxQyGSFeWwRwT5BT74EVP2IcrraX
V9c7l+s8PYqnUdX2XAqGMv06523cCrNUU93kUUNjAo3FxGSn7i2kHIvMkDbUoeVk
jyWKfIvyy2sKcVB9GQxfMrbnTR5/Z6fCyGHNqMFb9e9TUWclLzMIhvtkvLuKmf52
TKKxKQt/wero5zb0fynOttIjuhmOP9CFTiYjdj7qSmQapW8VFdYjyzL+OOFk9gCL
S3mIk1LdkfWah7trmMUTXdmiEibvARAQ3Yjr+Hz9yU1gzEJSPUUugNguqgS5kN+T
3TdwUHAP9whVD2IvN/Mfn29bmFFVfzu3ftJIa1zJmOdZy7KWb6MWVhw3SJ65luPB
qxKWRqFDOSpqzBm6bYQ/Oka49Jl7/dCImSm+7bCC7LDK9hXa3AIlDtWvG4iiL18T
wUOrgXPysB/D/NQaRxT/vSPUOB4WrQzIKIf4vJdyuPdtOtIWm97KUw8r/jDqd4I3
B62qknrrR+FPcz8ACM9fXkpbBEcjFV8EkoOae106Vxjo/lu5LVBbwiKviMMwoK5o
YE7FfCwLBbLTYMeetHo8jGBRonTEOKMtPlp/fCMOp9w7CgMDuvfEwuTsA1ux4uAb
tZZIbipcKcZmsU7Su4+oeyh61giG++M5rL2D
=xdFJ
-----END PGP PUBLIC KEY BLOCK-----
tag javier-martinez-pub
Tagger: Javier Martinez Canillas <javierm@redhat.com>
Date: Mon Apr 30 11:11:25 2018 +0200
Signing key for maintainer:
javierm@redhat.com
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFm5I3sBEACnneVfhNlq+yVeTRpYlt9/2k9istJhozy4y8fuZuaqxwm5Tpjo
c1YqejLBCG1WRmNiJ1DgkI07IxUNQhx8oENYtzYPbFlk/t7fUgWOb3jME69zUs56
sG410oFmSU+EHrLy6vk6jVgia8uCLeJ6X43boT2VMqzcbUQEv/ORf+J72ZK9wIYf
gPj32S77NV4pBEOeDp+3bV/2Qs8CPbSXJJa3SFTwt3h4U+CszekhlH1wMAK1aaSC
MKlYvkEuKG8vgp8hJ+wA2kTEg8io7WKOJP567eMs3l/EJ/zAnZByulKWr1BtD3n7
OIMWFXQxvUr6SVScFNpRw3N9hiN+hjImbaTGHcxselXMNTQeyID42ckHaVm6mACq
g3QOVlolqKYnQgRNCuPVObDe6IhzdF+OhXfhYIDRvQ2+nFbGO/A6mt11bIP9BPNJ
pyw1JoIjLIcZJKwfh2FdzjQpzJ9StfX3eR9opXoD8mNyJ0EtvRVth0wp2mwuv42Q
BuVPtVZLGdxvnzMEMkl3QeWE+uiidurbTNZ4iFUNHd+r7alPBn2ItFNSpFj4+FaZ
u5eOyt/E3tcUdIoYHjpo5DkK4bwd7bX6L0VMzFr3qwBqDmHBylhwXMU6MR+a7zRU
CgoQt9xb2hJQnNWPdcWDXxQJfBrLRMjkpo5hD/sBYzrlyqHkM8PILIi6SQARAQAB
tC1KYXZpZXIgTWFydGluZXogQ2FuaWxsYXMgPGphdmllcm1AcmVkaGF0LmNvbT6J
Ak4EEwEIADgWIQTXXteqJOUM1kXG9FfHUeWQ1j89aQUCWbkjewIbAwULCQgHAgYV
CAkKCwIEFgIDAQIeAQIXgAAKCRDHUeWQ1j89aVNQD/9ESnrFxkZGg82WxD7fO6Oi
Zca1aq+4kQQlk4hjA4cLg0o3kZ28htjYR/jVw/wSNE3c2S9fnl7ZQcFEXntswLIc
fvrjlF6D8UA4sbxfve3fDF6SafbJXMAq+e+aOw5BwCKxn1a/j5b4eIY8hKA5G34H
L9Ypj7DEI90BZ7t4/xZ4UtCLyxWg4grT0IHNc8FL9NoHCo4kW8M7iQry14HfeieK
0psUWT5uKO0mhXiMau4KUQeF8agyfYTRdoIl6ObzHwYSZFCk8mPUsuDg8qVuc+jy
xKr+yOmY2Iu+4AFeQPSXJGiFmVlop2B+6jUnRUFCs2vyW6uW2Ya0eCKBJvRE7gyg
coL3deBIbs1OwNOZJFMAGZ+Zb+cKvRVArTnQ42Aktc2ayKiixJ/mJ/rxdEnhmMJX
WzKuEloDGH1wRhSwprQJRe1lIvVZmIggQ+OoY7P8hn2it4agSf5Cyd1JDc5wd5ZI
6+lzVRiwyVruIV/j5ku9HYnYsEHQ3ZttnYqk3dUenTWSsDNWc/bANWeGl2+2U+Mo
QFRvudOSjpWd1K2Chj4orUt5wy+cm8MZT6agHpJ1WZZrK0al4esoa0cR2cBvpgxP
eHtn8ajFGmyYS/B+tncfPH9kuMRGjv2Ao9BmikneHkYX/dXP6sNluiw0HqJXFC6d
sDz0s0d8Jpv3cGv8OCjPdbkCDQRZuSN7ARAAvy5lVu0Dw1+pSsRwb/5Ki6ovFxYO
RYymelvIc89DMA0zZ7TrBiTg+gI+UPJiouWk7GzZTVNthcIGT7ZN8G+/f1ba5Bkr
kY5/j/1chyJbW+KUgVYhDWJMH69cfPMpwha/HU8Yc+XmvRGyTE8EW96vIIqcAEqF
gkHh6EiWLFyF+rQNVRTQOsx/HdYmEQ3uu8JMEr1UmhE031gcEaECAk+dkQv97g+s
ONSxaMzC4BL9xVbOniEeY+pbnZ9pHwhB8ehZfBoHv/mcHJQKKSyK5ArQ2h2GMiY1
31KXtP+GiuOpS7kjUW/mWok9gzTDE/k1sLLi9fOxpEHBia7TqKeSGJDFqM5TkFY4
paOGohNH3Kzev/lwUu+Sf7kZ8q192/8xm/S1mbBO+AsFhMx1GbOCPfcklA1yZJXf
9ShR1poPVRNW15WgO/lIJm1SVjelmH6S2RfHous+Ij7u82K0vgzPKvAKJqoauaW5
tmMrZuwCNQlhfm+59cacs9F6aueonw23iMaFGOHUVoTMzKvIWf6gYeqQiGPP/KnW
1HsdWmSjdE9wsRwDd5Dxnx76SAy+eTVfpL8qazNnX9nfTEtfwfo2t//LBB182Z+6
azCSORNyvo8Uiwhi6c1lzlMngbq0RiCVqYswSsHvIcmN1MqZodJ4FMZrgZcbMHx4
5Mv+JzopI2EGfzkAEQEAAYkCNgQYAQgAIBYhBNde16ok5QzWRcb0V8dR5ZDWPz1p
BQJZuSN7AhsMAAoJEMdR5ZDWPz1p6XgP/AuPr0IzbSvPhVOu1rqfBBldxeStSIYI
Fbw4Yll1iM0cpeiQ4x6TIH8GNx0HhnFps7hENbXoDyOVEMG1ju5MFj8cLZQKuBlB
jDSPza3jZ1ZQmQMBxcsQwrATTaceo8SI/Xx7orBzrtsfBgcnc2vp1zhqiiiLbB4M
GHdIBuOczGEhlZPq5o1Ld0fJggpPXJdZ45d545rErqyMlf5YLGjkDsdjBX3KVZyh
QCH+l9VRqTGEqQrVA2QkdfheoQ5k+g7TwwQfYoV4WbP/kbuEqOYhYEllr2Nhzl5U
3F+SI7gP80BYFxqqfccAQgcJZeQUrQ9YL0qB/sJkbi6fRydDQqpV3MrAp4FeZkSn
jgcKZgD6thILaWtI7yh6hdLUtLQmsOfxJKFspayWY+QBbJKu0WTGyWJ2bYCbDLQ5
oOcCW0O2ShA4YFTAI2yI2g3IAYOCJiucIWz+q3h1Gt2cwmRBUUGKBoCm0Q3Pjm+T
hdbLXoPzZICuCT1iTZrhuwndH2sbM/itkDm1BaNEvWJqQd2PkqqPUF8lew4Eo4hP
JEz4k9v/LMaZpp8qRTqMpnYhvHDxb3OEPyDNor7VfPeAMAwP0MI7SxgFoiUAoL6q
wiKDPpqVHgRaCOAj6a/+p/ozXVrFGRelvRDZQ8g/tfIBLlHbZPa/VXjt+j//mvF8
yX/+AfLZXs79
=h4wr
-----END PGP PUBLIC KEY BLOCK-----
tag joshua-lock-pub
Tagger: Joshua Lock <joshua.g.lock@intel.com>
Date: Fri Jun 8 14:24:19 2018 +0100
Signing key for maintainer:
joshua.g.lock@intel.com
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFsagX0BEAC7QZhd0+McfBrI6CgLTpsLWTYrJZP/ABpVw2tzfgN+A+uCglml
Yg2VhfSr5AZWCOWbccrrB59kPnXIOqIshNC2We4ecpKHAWiw5KlboejnWP6Si+4F
3iZMF01M8AggVHx+iBPYPN0KiM45kRbTMDbKgqEpWntoUFHU3am9umfr2dPh8hpL
VaFzm3nThgsyckHar+DHZPo8tpOYFQSWzR6FfdrkjFfYTwkgEg2fyZVwfI4r2qO0
H+Tx0FaHJN6shUN2uH1XowKdtOGi8GZl6xkeXvszp+q4kLCsDMzACMW3T9BIMykS
W7oUjrdYt5Wej0pAeImWZNU+N3cbGGYkq3DMRFMA7U9BQHZZLLEryQlfJq9GwW//
hfrkN70eepDldO8wWevsad3PUdSCMeUQFrWwZvCjeY8UOOiKhVVyHDWEM1wL41ek
C7G2c41L5yPw2jMj0pu+FmflD8UGLbGxQo08jxkWgmPGpm+WABT9bU9DIzLY5g2t
rzkgHxWHnEBzKZTJ7kQjuWjd+Kx0CtN6Msz8tc5JDgb6B9HBhYDLU0AZgLBDHh9W
BvVablpYb6rgDoA8LRzkKarg0KceQsBEXVphCnO80+0M6FzkRkNQTpqj/B6kXD+D
pIU5yCdJb+UDQbf7ouBwL0HjBz0J5e9DyQ877EYAshIatp1wtTJxcO5YjwARAQAB
tCVKb3NodWEgTG9jayA8am9zaHVhLmcubG9ja0BpbnRlbC5jb20+iQI+BBMBAgAo
BQJbGoF9AhsDBQkFo5qABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBJvK5U
Q//8NO2qD/9CZriVb7BNuGohcRkZTLNz+batciFaeRmpxp3yTztvIzsKxhzBI6o1
GNASXUbYHWvICwtFxocn3QPmKQuB4FFyiDCv9ed0bdR8ohl+cAGa2xd83iSOrEgm
wp2QcHzej3JYitZzEB9oEathn+1fDuOFajeGMCOGIxW7zsFCmb0NGaj1QWye7OAt
ZrXcYeW0DDykVDx879n3uqVZwQsfXaKTfDCPxhFCG8Zo/s5QSvDPc7CAhDRrvhsR
yGEjhcs9FgDVzhuXVExSNSTk3TqgmtqoD7bN9l4QPlZqJZwlECY9pbmZ3XG8oxyH
OLcpSKwBGnvXmUKmjwIhhFdcWv8s0nvn03al72GqtOxyKdwjQZzvJEIv5FApR++Y
57gmc5wYsH/ECBzYTGxfEPTt+wU7rJp28JxVs6c0GMXG8fXclyFi3x2oyBelX6rN
KmwTU9uivN/ar5pHRUNshc8ElZBbMjZc9npmiUKSNwW6kcA7DumFdZefe1OCgTQS
6p2cYPYCZS3xvsi7rhdKFzKrpibPQz+vvBOcapJHgH/0pLdRA3aFq5gNKHbhJJVo
pzFxsB4cJ0vMnIwrQM55m0Xlh5d3LeiZQf9BSg8ZUVqTGaGdHCpfDgWLzpNEqhO+
plFSDQ6JMqAi3st4iaJUt1l/lrJ5DWFJ5GYmNy8FWeQ4NOA9Vjq94LkCDQRbGoF9
ARAArSYEZko1GKSB1H+7cnLrqKeVovnWqczuSNl1cIBwYlCOPhG5Uzm7bxHVWhqL
AZ8Fmv4BkKQ5Q/GXUwQvI5GhYVrPQru0wd5Uq3J3NiDUPV+QtGtKDixtqJAkpmJt
vfopRzyIEjGeepTSzxaJzvxGSIZNY4HfZzdaOK5W83c9w0f3OP6Stj/dFtw7I1tW
ar5nz98+FyzkncD6Igr0ZxONMBo/+1LCbfa5l+zAPtOgTIhSqVgxbjwRGHq6RtH/
dmapx7I6ntMqKVWQC1tuiuwrZjC23yU72QY0Bn1An0bMI/IKZzHAIj0VTpq99+x7
pAuTb5gJ+Bv2gXJuXaBVXGxmlmv24VU9w5YhAcmIuD+xphAnUy/ojzHC/Z+tOlEJ
blQ4iDOWo6Ed8wFPJx8anKZBDfIBRSnBqsDwszAp1OAtMLoxH8byFGlE61YuiUvE
6miikGL2HxSljZYy65t5ev6ZL4KBr4Qc704ORCz+TB844jakg7m52aR1L51e0HCs
g+bQ8vF2oiuePCMx/KYXZzLKgU70bh24nOEjLtb8f25kHhwlUr7Z4Q8LNaswBanX
fAFp+nwXj2gHsOYL9nMAdHtCHiH7dVd8G1bQrsUxgB3DjCDp5OWdRjI8CRxsjIPq
8HsQ5Ee4j0M3dJse3HGi24R6TUBCTvHG9/3IXfbf9dkMQ0sAEQEAAYkCJQQYAQIA
DwUCWxqBfQIbDAUJBaOagAAKCRBJvK5UQ//8NCIZD/0UotJ5uuJddFpKDnHxuM7m
eCVakQHmVHYTzq/B0+e6O/ac6EOteljOTf9Vh5ikGMuMTQg0b3XTC+Z/Z3C9zWYi
VAn6/TC2z+tQ6OfgMC7iBTcirsBpnsCB5UUAMIYCirelr5AecIxdy8oPitlRJa4k
teJnVeqFW6xsmk0i2B4aPkDO4NrYVSxlUe9rMObed851Dq8vb2BuVBqMbQ9NxmS6
pACO8z1Gbn6ZBXj0Zg0AZnq9y9Ff1+vTmbjON9jwkYVPM9W+Nn3w6s3FvRO/aQcf
ac+p1wJw7o+q9wtfANjiRysM2NL4Gq6qtiDtxFrB/gqN6En7Mc0LYUwMydp1vSPw
ThjoXKGm+f/SgjEIaJo7ChA2uXQ6f2+aD9WVxOX1BvGfUZOofVF99rII/dO0nJbL
68z2pwESeOKKUWX+pPgm9kcEJeyorugfArMHgi9zFDpqWm26UgmlIuMv7iMUiynZ
YHaj724RJ+Bh/vTGbu5409c+R8UJvlhnmdf0gXN1bherzMQDvKEtg7GT8mRN+A4O
yERtOiAqZtDexzYVAYvVtJNiFQjkhvIvuvYcghjhjNzhnErPepnYj4vpRKyrwhmZ
MR1sWYuKXcq02CHDAjnloHMrLWMdtZXHsdRAuBtP+56brpns4WoFpPwn1O43DqM5
SLZfOoNW1VlWexTY9ymjuA==
=G+yU
-----END PGP PUBLIC KEY BLOCK-----
tag idesai-pub
Tagger: Imran Desai <imran.desai@intel.com>
Date: Mon Aug 26 11:03:41 2019 -0700
Desai, Imran GPG public key
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBF1kFXIBEACeHCYibXuMWOVYJ6O33q37zu/OinwnXKGVOCGJ6a+95KuZHENv
q3zjMOCoeNdW7jGl5n4BaDlmCEY+rDfPca5Fqz3Y/PTvkyk9mMIh2SCERLyYvwBE
QAQ6OQIFSRF8RyIy9EmTRylX7ms0b86Gx/Jhz9+pnN3+5gRlkbPK5O5Ab6Ei/PlS
f3NLm8+TTR/as6dLq0khS8hhBT1vZphMBT61zICAUxjIV/bDB+EfOB3kiZ6UNtim
cbCU3Lve5L1JLayFBRIw2DnGXZOAwsWn0AdRqxPX0FEWL/lEGFk9j0SrdNsUIwia
hbEheTxXbGZ/hhUMSulxCSWchLP7+i3u8RouUm7Iy4md1xMNy1DPiBKVItvO9nwz
ECp7dm1a4tO9FAtbeSGTa8alqZR6MHD5bMBxoI5gtC+RXZ0/EbuJBZVuM4vld1dO
OkB6L5Q+Ktttq8G6KeWYAOmJ8kZpNR/Qb1HMO8jRMGOPSV5cdmJEsUZp4KeWESjw
QLOH3tH4sU+3mnOifPl2tNjfP3CBpQTFmB+IdpCq1HfxVsKa0Ba2rcwkOHCj2E65
7RI3Els5wgsnTT5p/oWIVIb1PQQZ8R0f9WoLYPlggUzeg8SKem+nX0ZIgbJPUwVn
f5q70GCMJEKmAGk+8U4TraQ+x/8dbKL1J5R88g48Jj3dqji5EsXVziD7LwARAQAB
tDhEZXNhaSwgSW1yYW4gKGlkZXNhaS1naXRodWItZ3BnKSA8aW1yYW4uZGVzYWlA
aW50ZWwuY29tPokCTgQTAQoAOBYhBGMT5txBqvwxWodgpBSYb2lEsfcrBQJdZBVy
AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEBSYb2lEsfcrcaYP/A38JygC
xj7AN5EChMbtJVrK+nNGwRGHFK7uf+XPI4bdFSUdF3CEG5gl7+2lh85z8xzMezGQ
Ozhr9rWVzLxQ2J0HPD1EW1WjkFpo154lhFgdz1fmlTgkXTnX5Zqsv7EEfL4lvXt+
5uzTwvOMcyLHnD5oiS8gbaVZvrvQHXwMOeLrCniCZboFemYOnCA/sFa+WhhjBGVf
knMgMtnJWjEmJ4TNTO5cU5yK9o0QWAA+PIKt+5aaNXf59kcUsFsnhrWQzBiGV3Tw
Qczj51vyeSoOCpM4Rh5JMET9wfLIeVKsdGbhwe4BqHDC+DxxdO03bevd5FY+5zJ1
Gr8f43dC1/MaBlV6TjBSTB6eYEyPcA4kDI7E9DRq0tFnhTz1pSu5qUslLS8O04il
vLaoBvDjkUvNJRJS7uY0w08LqZ7sgKi3z9W92NrVE+ra689fwh1mpRN+P2D+sz5w
gWZYMlrBc8udyHDhwQ9Yy0CX8LoOVkN4Ji9gr4xCez0O1W+IqIFA2wT7t1pwyHGC
25E1TkqxhOxKaSZUQNz1iNrTGHKurYhAKG9ECfTEiEVKTEuKn+PcnXRXjpDUaypH
GPoIpTSo5iaZceT/vAxb8xJsdg+OqVaVVe9t1mBPIUHOy6JMx4eZya9GOCI/gi8F
gRmcHctHXEh9GgmYxPxrsZiPyh7CE5L9PewSuQINBF1kFXIBEADHbS4HAqgRqZFK
1i+Df1VdBThASn2N069/YwNuxwP3chPenUNHHcTINbctYmfl9yZPLCmr9UBFOQJl
/QyjHH4BnMG94Kwq62qJ0zuYlbq4TkiSeyJhHOOH1MlKbw+UPmsrmTyFKi9/F2uF
ZebqKpOs7CxC1npWIRA1Vt13Lk/HoVJQwPBGBQzazuavc9vXr5ftFA1YraEieSgL
yk5YMb5lXH0CnsjmaVUVXX+GWFLHO/72P8/mK1i9aiu0E7PEIXWzAlVftrsmz/iG
7ktWvptHI08MaOC5ifjwO44uXEaUqET3qX6gHNP5bAJENu4prwSrrl8Clc7J535Q
Byk7wLchR0CxC6kJFlsYos0xU3Rc1C0Sw1xL2iTiRVVxzQYfckVj7j0Ptko36THh
veu7PQm+KLHS55OPYbbfLiiihVjjXZlDzipT5dFzGpJ0lqQit4LzTuqOOhn1qBwQ
hgorSkNXv+shLY3nbG8c0oZXf6Ef5r0qPYQIpSs6MwSQMPy40pEhFri6ZaVjMsIf
TkxlnJnv4EfK/iRFgsHxtboPtf6I3QqMPgEa+pk+KPABHUS8+vOGdUTEmXGnmSIT
TlO9nO2GQBTwWeYJkaQYWdfwpNYDEieGPI8optsqs6jnZGieYgqlsnpb+z9bU7Pa
taEzyINjfWTnpa5BkE/tfApRnHmhvwARAQABiQI2BBgBCgAgFiEEYxPm3EGq/DFa
h2CkFJhvaUSx9ysFAl1kFXICGwwACgkQFJhvaUSx9ys8SBAAlixQR1yOLvuJ3eBp
nEdxqpvh3GLbS83QSVox1uJXZFHfBLl23FACqeiY7WP8+6m/BH2T1TC92MAu6+CO
+12wEXk/IooOHRBy6lsjAFYlgeWOKKPg7WbI8jiyjqIb4THlnhu+61tVOZTTxNYi
iBU8Skc4d8rPi/vAbiQXRKpIUxEziCsruJm1sEMH5AHGB+OAyM6vywfc6ZR5Sk0+
LP++b7yL1joPgdH934dfgeCMF25JqChk7S4uAbOnICItutLVyEfqLjXZFYjnUuqE
lysOUpiGCTyK7UxL4MhFoblCbZwo/7hZrb82TpJOf9ttKJ/twql1JZhuGH5DTdjc
GbpyRhtemMb/oFEKGem7Ch/cEtjxonmRGzKdaFed2WizXoXL93mytxayUvRO/uVa
9BDOU02/lB0z68NkaaNMeKwiPMh3EyjShMZnBjIn+LtSM2241h9jHq2dy7YA5Avh
Teo8xpCOBxXHVAbWrAUU8WT2b/z8DLxTl926C+YWQouzDZX7AD5xHcuhmNYqqTBO
MVuwsBDdugW1fn7AH1EKXZY2dc7EFSNO+mG4XJqzT+Biq5pumoaT7c/29RqpnM+N
1BYk8ULSMJZ2Pu1DhxeSLti0KHamxt7NAyM7J/NLROLBL28gmqHmro+Qf170HYZc
qvbCulq4dMyalS/ez4xSC00X5wg=
=kpvR
-----END PGP PUBLIC KEY BLOCK-----

View File

@ -1,3 +1,22 @@
-------------------------------------------------------------------
Mon Jun 28 09:09:46 UTC 2021 - Fabian Vogt <fvogt@suse.com>
- update to version 5.1.1:
- tpm2_import: fix fixed AES key CVE-2021-3565
- tpm2_import used a fixed AES key for the inner wrapper, which means that
a MITM attack would be able to unwrap the imported key. To fix this,
ensure the key size is 16 bytes or bigger and use OpenSSL to generate a
secure random AES key.
- Avoid pandoc build dependency, use prebuilt man pages everywhere
- Drop 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch, now upstream
- Drop _service, unused
- Drop unused unzip build dependency
- Drop autoreconfigure call, no longer necessary
- Use %autosetup
- Verify tarball signature
- Build against efivar
- Drop %check section, tests weren't built, so that was a noop
-------------------------------------------------------------------
Fri Jun 18 14:44:25 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>

View File

@ -17,47 +17,40 @@
Name: tpm2.0-tools
Version: 5.1
Version: 5.1.1
Release: 0
Summary: Trusted Platform Module (TPM) 2.0 administration tools
License: BSD-3-Clause
Group: Productivity/Security
URL: https://github.com/tpm2-software/tpm2-tools/releases
Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/tpm2-tools-%{version}.tar.gz
Source1: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/tpm2-tools-%{version}.tar.gz.asc
# git show william-roberts-pub javier-martinez-pub joshua-lock-pub idesai-pub > tpm2-tools.keyring
Source2: tpm2-tools.keyring
Patch0: fix_bogus_warning.patch
Patch1: 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
Patch2: 0001-tpm2_checkquote-fix-uninitialized-variable.patch
Patch3: 0001-tpm2_eventlog-read-eventlog-file-in-chunks.patch
BuildRequires: autoconf-archive
BuildRequires: automake
BuildRequires: gcc-c++
BuildRequires: libcurl-devel
BuildRequires: libopenssl-devel
BuildRequires: libtool
BuildRequires: libuuid-devel
BuildRequires: pkgconfig(efivar)
# Pandoc is used for generating the man pages, but since 3.0.4 prebuilt man
# pages are shipped with the distribution tarball and we don't need to generate
# them any more. Pandoc is only available on openSUSE (not 32-bit x86) and not
# in Ring 1 (no haskell), so can't be used as build dependency here.
%if 0
%if 0%{?is_opensuse}
%ifnarch %{ix86}
# releases prior to 3.0.4 required pandoc for building the man pages. On SLE
# we don't have pandoc and it requires a complete haskell stack so adding it
# is out of the question just for man pages.
#
# since 3.0.4 the man pages are shipped with the distribution tarball and we
# don't need to generate them any more. On openSUSE we can still keep this
# dependency for having fresh builds of the man pages (if that helps
# anything?).
#
# Update: In the 3.1.0 a required patch is still missing and the man pages
# won't be installed. they're shipped, though. so if pandoc isn't installed we
# need to install them explicitly.
BuildRequires: pandoc
%endif
%endif
%endif
BuildRequires: pkgconfig
BuildRequires: tpm2-0-tss-devel
BuildRequires: tpm2.0-abrmd-devel
BuildRequires: unzip
Recommends: tpm2.0-abrmd
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
Trusted Computing is a set of specifications published by the Trusted
@ -67,24 +60,12 @@ provides tools for enablement and configuration of the TPM 2.0 and
associated interfaces.
%prep
%setup -q -n tpm2-tools-%{version}
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%autosetup -p1 -n tpm2-tools-%{version}
%build
# TODO: remove autoreconf once fix_pie_linking patch is no longer needed
# until then we need to repair the version specification which configure.ac
# wants to read from GIT which isn't there.
sed -i 's/m4_esyscmd_s([^)]\+)/%{version}/g' configure.ac
autoreconf -fvi
%configure --disable-static
make %{?_smp_mflags}
%check
make %{?_smp_mflags} check
%install
make DESTDIR=%{buildroot} install %{?_smp_mflags}
find %{buildroot} -type f -name "*.la" -delete -print