From 30fe5afe17ad4cab0887de88a8d264e11e5c370dbf42a7367894493702ac5445 Mon Sep 17 00:00:00 2001 From: Matthias Gerstner Date: Mon, 28 Jun 2021 09:47:58 +0000 Subject: [PATCH] Accepting request 902778 from home:favogt:branches:security - update to version 5.1.1: - tpm2_import: fix fixed AES key CVE-2021-3565 - tpm2_import used a fixed AES key for the inner wrapper, which means that a MITM attack would be able to unwrap the imported key. To fix this, ensure the key size is 16 bytes or bigger and use OpenSSL to generate a secure random AES key. - Avoid pandoc build dependency, use prebuilt man pages everywhere - Drop 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch, now upstream - Drop _service, unused - Drop unused unzip build dependency - Drop autoreconfigure call, no longer necessary - Use %autosetup - Verify tarball signature - Build against efivar - Drop %check section, tests weren't built, so that was a noop OBS-URL: https://build.opensuse.org/request/show/902778 OBS-URL: https://build.opensuse.org/package/show/security/tpm2.0-tools?expand=0&rev=80 --- ...port-fix-fixed-AES-key-CVE-2021-3565.patch | 46 ---- _service | 11 - tpm2-tools-5.1.1.tar.gz | 3 + tpm2-tools-5.1.1.tar.gz.asc | 16 ++ tpm2-tools-5.1.tar.gz | 3 - tpm2-tools.keyring | 233 ++++++++++++++++++ tpm2.0-tools.changes | 19 ++ tpm2.0-tools.spec | 43 +--- 8 files changed, 283 insertions(+), 91 deletions(-) delete mode 100644 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch delete mode 100644 _service create mode 100644 tpm2-tools-5.1.1.tar.gz create mode 100644 tpm2-tools-5.1.1.tar.gz.asc delete mode 100644 tpm2-tools-5.1.tar.gz create mode 100644 tpm2-tools.keyring diff --git a/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch b/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch deleted file mode 100644 index 1c46ea0..0000000 --- a/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From c069e4f179d5e6653a84fb236816c375dca82515 Mon Sep 17 00:00:00 2001 -From: William Roberts -Date: Fri, 21 May 2021 12:22:31 -0500 -Subject: [PATCH] tpm2_import: fix fixed AES key CVE-2021-3565 - -tpm2_import used a fixed AES key for the inner wrapper, which means that -a MITM attack would be able to unwrap the imported key. Even the -use of an encrypted session will not prevent this. The TPM only -encrypts the first parameter which is the fixed symmetric key. - -To fix this, ensure the key size is 16 bytes or bigger and use -OpenSSL to generate a secure random AES key. - -Fixes: #2738 - -Signed-off-by: William Roberts ---- - tools/tpm2_import.c | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - -diff --git a/tools/tpm2_import.c b/tools/tpm2_import.c -index cfb6f207..f44326c8 100644 ---- a/tools/tpm2_import.c -+++ b/tools/tpm2_import.c -@@ -118,7 +118,17 @@ static tool_rc key_import(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *parent_pub, - TPM2B_DATA enc_sensitive_key = { - .size = parent_pub->publicArea.parameters.rsaDetail.symmetric.keyBits.sym / 8 - }; -- memset(enc_sensitive_key.buffer, 0xFF, enc_sensitive_key.size); -+ -+ if(enc_sensitive_key.size < 16) { -+ LOG_ERR("Calculated wrapping keysize is less than 16 bytes, got: %u", enc_sensitive_key.size); -+ return tool_rc_general_error; -+ } -+ -+ int ossl_rc = RAND_bytes(enc_sensitive_key.buffer, enc_sensitive_key.size); -+ if (ossl_rc != 1) { -+ LOG_ERR("RAND_bytes failed: %s", ERR_error_string(ERR_get_error(), NULL)); -+ return tool_rc_general_error; -+ } - - /* - * Calculate the object name. --- -2.26.3 - diff --git a/_service b/_service deleted file mode 100644 index 94691de..0000000 --- a/_service +++ /dev/null @@ -1,11 +0,0 @@ - - - - https://github.com/intel/tpm2-tools.git - git - 5.1 - @PARENT_TAG@ - disable - - - diff --git a/tpm2-tools-5.1.1.tar.gz b/tpm2-tools-5.1.1.tar.gz new file mode 100644 index 0000000..a628ff4 --- /dev/null +++ b/tpm2-tools-5.1.1.tar.gz 
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5500810f7af999391babb13216d75843bee9f3f9d1544feed5e503d801174a3b
+size 1044427
diff --git a/tpm2-tools-5.1.1.tar.gz.asc b/tpm2-tools-5.1.1.tar.gz.asc
new file mode 100644
index 0000000..e5fd431
--- /dev/null
+++ b/tpm2-tools-5.1.1.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEW0grjj4Z2nyXjh0BbeLpB44fUMEFAmDQoIoACgkQbeLpB44f
+UMEidhAAqmjQ+JUI5dlp4hsU78cKpZpIC3ivS2vobHekdOrzlDqe9/GhFXQEo07O
+M7RI1zgguaXXGlNNatx+xU3vHZD3CjtwRxjt4OFEwL0yH8/8/5YDMgTbujmuprbu
+sF3uQ3+RUmY6UQPqXH5UTV6sri50psY0JSQg4CKSfu/KGAzu74dfkcq6k6zFwaTl
+Odj7orMw+5tzygeF6L308o07jIM0Z0Uiuf0nAkKAQX8iSrJDZZK89gfSLr5+rcBB
+ihAAWE087Mfkd7WgMi54Ozja5YfZ9RF9CNMqETLB1YEseu1Q8LqmR39DDUANAMGb
+eJx9ZP1+r3MPp2EqUjt6DWDvp9KUEepg6ZQfarhvBknJU4cXxpoK/qV9/QD8NaEP
+YY2SGOkb4O9OxENrCNGKKAW1yI+sx4kjxqVVq1Gz+nFDOhd6wOWxLOfOFrQTy0o8
+H76Zs3cJodgrSYTO690hLJzX4pEVn2qrtFq+eDmRmD6IktJXaU4dK7SlXRW3yfkH
+sSdsHy+HZ1tBsvEbLGRDJLFrt4rVyl42n1dl+yynliQ0Np/i6TMwPfoTUsZGqSbA
+ifMLZW774d204FDwZZzmAbRtILHNUDNKwyMVMFMHbZtjep5MwW3x3sC89tOgkCtM
+LLlxoiaHzhS7coAYDBUxYiL/wzsbIFYDyDLplxgoLfqzJCl8unY=
+=KI3b
+-----END PGP SIGNATURE-----
diff --git a/tpm2-tools-5.1.tar.gz b/tpm2-tools-5.1.tar.gz
deleted file mode 100644
index 16d99e8..0000000
--- a/tpm2-tools-5.1.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e2d37b4376f968d6ce480e71b9b26a56a1960c844f4816335570c141c03642cd
-size 1042653
diff --git a/tpm2-tools.keyring b/tpm2-tools.keyring
new file mode 100644
index 0000000..8bb5fa2
--- /dev/null
+++ b/tpm2-tools.keyring
@@ -0,0 +1,233 @@ +tag william-roberts-pub +Tagger: William Roberts +Date: Wed Feb 15 15:12:03 2017 -0800 + +Signing key for maintainer: +william.c.roberts@intel.com +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1 + +mQINBFik3GUBEADYDYbSXH3UTr9oCNCI3UxC1hiLH7cM+QIbMtWiwfAbT3G8wrTa +NPj00qNvI4wQ/Xm3h0hB7kri7vP0FqIjIwsTdM6ZpFdVHHKW1m4P8fkOcxqmLN0g +V36MN5fgoGWf2K94aS7ItoweRMcuHnwWawe6aAtbKSYVqhWhoB/3grgd0xhE61AS +o8fJ7uRYNEAYVeOKlC2j+qKfoJbCa6yqZejFwOOzB6qxNRA7JYvckEf8yJ4+Y16m +qPyZ1ErHzpql3+b5ha+g+9g8WzxAbSfGYZTwaQxyePNjXuq2tdEXf9XnESvoaoN4 +pQhiu/0BJEkXPxl1zso65g4Mn22xEELhUnwPDo5YdLlWEZ8xhELLvdJc3Z0nTR5A +4/YaZvvzf7pOD1cwpB6IrRf8n9rOe1aDxh/A//zX9PpIOV25p5kqlE88Ya5VXrnA +Ayfs19RZmK3+FuaI0ij79CRokG9BrI6TXT0pRTDIRu7GvAo2q13MELRvFddyRT2G +mNjsHYcqEbraYTh3LHEiwfWp4ZgDtk8jj3iRabHQUHk9V8vSFzj+wp1E8HzO8Vp3 +BxMDIOG1VPdLi81DP+LbZI1h30ZG63ulqkKIhwx5/h2v4VCYPatVtGqVf37tLstj +Wrs0DkBykuZrecp+AJ5ZJ+UVvR8ajO2ncAoOugNwoj9Wuvz0fVTiJIhuNQARAQAB +tDxXaWxsaWFtIFJvYmVydHMgKEJpbGwgUm9iZXJ0cykgPHdpbGxpYW0uYy5yb2Jl +cnRzQGludGVsLmNvbT6JAjgEEwECACIFAlik3GUCGwMGCwkIBwMCBhUIAgkKCwQW +AgMBAh4BAheAAAoJEG3i6QeOH1DBibEQAL4EwEzegkc8NyHiW0mntwDoCv3tkUlG +fprp/g7GWfrP+L+pN5yexg3Zm/CgVN/tTNCEr5XtP+sdds8xBF6ReJ8QPO7EiMiM +asPXh8zlODrySXCGHmpa7IzuUC2wgD3Wq7WjniMvnBmqBdL0+8nqA6NFxOOklvK1 +ub7bqLrHKfUfciFOfYAi+C0Bh8kdZtMjfY9sqlJA3sVK2UxVXq9D+oHbL1o454N6 +VzV0rDtsK47GSSCXT75kulPdfOCopTgxPgNsK4VnXgMOL5JMURPJa3rBzmBRFed1 +ynrqwFdmYdMepsUgt/JS2I/23QChqp6AdVDjtGLKS71hox+vdE4S0DoRnMHwHkkt +B6bqQci3RlUP+wcHHRCUXUubxMSlYJqhBdEOclo6N0X0LseLcdAMGda8ZnqbHlyg +hPLmJrM3C5zTLjDb2YJXCy6RVNwqAnU3o33SZCnHqo/zUjEtR03Ztk1DzSeCjo5w +zLac1VFq5S3QdgZUwmPhyeoigqOvHu6Z1s2eL8Aw7Hn8i6MWLz5sOXAtyC9NPwK/ +qbp1a+GQXzNW4rvKl7ZEFKrBKyj8AiRoVLSRKcqZtFT56ltXQjrwKjsWDTEOzjnm +XCSM96xfay6asQH5fw+haC3RIErwyNV0uUDIVC0xDTZ6NgJEBkp8liwNeHE7eHoN +8qWSZZO2syf7uQINBFik3GUBEAC7V2o1kBsLFSKwmgsCuGfW0oBIQiaCcakT6D2X +rKBjmzBvh/UIdXQwl9+vPKtWX3T/7g6UBvezV3uc2ZqrigGmFemoQI3sW7wFk0L9 
+/QTUWCMfZtyrWgqyetmPYS+i2PnsEPinsgsEHWf3iu/ew1A7npZwINwMdOSOVw2u +JqYyW2tZCErWKVe31ziYUpXA+HaRm9zoVr0F0sE2GYGWbMVYtqxN9TSYcIAHxB71 +Y31dcY77ln/1JAH4Yzqc063w/lNYogEbbQY7WNgcKdPP+aovpV7kS3TKwsdb9/xT +pj67nnlvjLTMRoW3Ez0PcIDFhuube9uOQupYG4rC4grLeVLwL/ekVmn6TxRN1hG7 +6zYXWiwWi16uAO++eBNt127FwCOVZsPO0ye3/XpOpCdpUadguxF2gGt6xY0gtetj +Vdv6S4kCdSx8NMrO2epS/1pgklxN9R/xl7Wu+JPUuVX4Jy0ycmw7TCWxdK2fuFy6 +6aLCXWWEjRSp06oeVJoVV2py+rYaoau7JG7Zgx1A3gYTm6MLFysfROaQgmfRozIH +0boYh3IA1WWzk4I6ew129ynC5zGXg/+UCnKKwn8Tsh9neq9noRDAonWI7jOCipwF +l51py82093M87zjz9o/qxnB8p00jByQ+MunUykaZrkQKHAsiyIF6cUIeQiy/AL7n +wwSPQQARAQABiQIfBBgBAgAJBQJYpNxlAhsMAAoJEG3i6QeOH1DBtO8P/1D98sl3 +oz/0oSSz0u9nzgOh93UkLbXpjSR4U+g7Wl2ppxQyGSFeWwRwT5BT74EVP2IcrraX +V9c7l+s8PYqnUdX2XAqGMv06523cCrNUU93kUUNjAo3FxGSn7i2kHIvMkDbUoeVk +jyWKfIvyy2sKcVB9GQxfMrbnTR5/Z6fCyGHNqMFb9e9TUWclLzMIhvtkvLuKmf52 +TKKxKQt/wero5zb0fynOttIjuhmOP9CFTiYjdj7qSmQapW8VFdYjyzL+OOFk9gCL +S3mIk1LdkfWah7trmMUTXdmiEibvARAQ3Yjr+Hz9yU1gzEJSPUUugNguqgS5kN+T +3TdwUHAP9whVD2IvN/Mfn29bmFFVfzu3ftJIa1zJmOdZy7KWb6MWVhw3SJ65luPB +qxKWRqFDOSpqzBm6bYQ/Oka49Jl7/dCImSm+7bCC7LDK9hXa3AIlDtWvG4iiL18T +wUOrgXPysB/D/NQaRxT/vSPUOB4WrQzIKIf4vJdyuPdtOtIWm97KUw8r/jDqd4I3 +B62qknrrR+FPcz8ACM9fXkpbBEcjFV8EkoOae106Vxjo/lu5LVBbwiKviMMwoK5o +YE7FfCwLBbLTYMeetHo8jGBRonTEOKMtPlp/fCMOp9w7CgMDuvfEwuTsA1ux4uAb +tZZIbipcKcZmsU7Su4+oeyh61giG++M5rL2D +=xdFJ +-----END PGP PUBLIC KEY BLOCK----- + +tag javier-martinez-pub +Tagger: Javier Martinez Canillas +Date: Mon Apr 30 11:11:25 2018 +0200 + +Signing key for maintainer: +javierm@redhat.com +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFm5I3sBEACnneVfhNlq+yVeTRpYlt9/2k9istJhozy4y8fuZuaqxwm5Tpjo +c1YqejLBCG1WRmNiJ1DgkI07IxUNQhx8oENYtzYPbFlk/t7fUgWOb3jME69zUs56 +sG410oFmSU+EHrLy6vk6jVgia8uCLeJ6X43boT2VMqzcbUQEv/ORf+J72ZK9wIYf +gPj32S77NV4pBEOeDp+3bV/2Qs8CPbSXJJa3SFTwt3h4U+CszekhlH1wMAK1aaSC +MKlYvkEuKG8vgp8hJ+wA2kTEg8io7WKOJP567eMs3l/EJ/zAnZByulKWr1BtD3n7 +OIMWFXQxvUr6SVScFNpRw3N9hiN+hjImbaTGHcxselXMNTQeyID42ckHaVm6mACq 
+g3QOVlolqKYnQgRNCuPVObDe6IhzdF+OhXfhYIDRvQ2+nFbGO/A6mt11bIP9BPNJ +pyw1JoIjLIcZJKwfh2FdzjQpzJ9StfX3eR9opXoD8mNyJ0EtvRVth0wp2mwuv42Q +BuVPtVZLGdxvnzMEMkl3QeWE+uiidurbTNZ4iFUNHd+r7alPBn2ItFNSpFj4+FaZ +u5eOyt/E3tcUdIoYHjpo5DkK4bwd7bX6L0VMzFr3qwBqDmHBylhwXMU6MR+a7zRU +CgoQt9xb2hJQnNWPdcWDXxQJfBrLRMjkpo5hD/sBYzrlyqHkM8PILIi6SQARAQAB +tC1KYXZpZXIgTWFydGluZXogQ2FuaWxsYXMgPGphdmllcm1AcmVkaGF0LmNvbT6J +Ak4EEwEIADgWIQTXXteqJOUM1kXG9FfHUeWQ1j89aQUCWbkjewIbAwULCQgHAgYV +CAkKCwIEFgIDAQIeAQIXgAAKCRDHUeWQ1j89aVNQD/9ESnrFxkZGg82WxD7fO6Oi +Zca1aq+4kQQlk4hjA4cLg0o3kZ28htjYR/jVw/wSNE3c2S9fnl7ZQcFEXntswLIc +fvrjlF6D8UA4sbxfve3fDF6SafbJXMAq+e+aOw5BwCKxn1a/j5b4eIY8hKA5G34H +L9Ypj7DEI90BZ7t4/xZ4UtCLyxWg4grT0IHNc8FL9NoHCo4kW8M7iQry14HfeieK +0psUWT5uKO0mhXiMau4KUQeF8agyfYTRdoIl6ObzHwYSZFCk8mPUsuDg8qVuc+jy +xKr+yOmY2Iu+4AFeQPSXJGiFmVlop2B+6jUnRUFCs2vyW6uW2Ya0eCKBJvRE7gyg +coL3deBIbs1OwNOZJFMAGZ+Zb+cKvRVArTnQ42Aktc2ayKiixJ/mJ/rxdEnhmMJX +WzKuEloDGH1wRhSwprQJRe1lIvVZmIggQ+OoY7P8hn2it4agSf5Cyd1JDc5wd5ZI +6+lzVRiwyVruIV/j5ku9HYnYsEHQ3ZttnYqk3dUenTWSsDNWc/bANWeGl2+2U+Mo +QFRvudOSjpWd1K2Chj4orUt5wy+cm8MZT6agHpJ1WZZrK0al4esoa0cR2cBvpgxP +eHtn8ajFGmyYS/B+tncfPH9kuMRGjv2Ao9BmikneHkYX/dXP6sNluiw0HqJXFC6d +sDz0s0d8Jpv3cGv8OCjPdbkCDQRZuSN7ARAAvy5lVu0Dw1+pSsRwb/5Ki6ovFxYO +RYymelvIc89DMA0zZ7TrBiTg+gI+UPJiouWk7GzZTVNthcIGT7ZN8G+/f1ba5Bkr +kY5/j/1chyJbW+KUgVYhDWJMH69cfPMpwha/HU8Yc+XmvRGyTE8EW96vIIqcAEqF +gkHh6EiWLFyF+rQNVRTQOsx/HdYmEQ3uu8JMEr1UmhE031gcEaECAk+dkQv97g+s +ONSxaMzC4BL9xVbOniEeY+pbnZ9pHwhB8ehZfBoHv/mcHJQKKSyK5ArQ2h2GMiY1 +31KXtP+GiuOpS7kjUW/mWok9gzTDE/k1sLLi9fOxpEHBia7TqKeSGJDFqM5TkFY4 +paOGohNH3Kzev/lwUu+Sf7kZ8q192/8xm/S1mbBO+AsFhMx1GbOCPfcklA1yZJXf +9ShR1poPVRNW15WgO/lIJm1SVjelmH6S2RfHous+Ij7u82K0vgzPKvAKJqoauaW5 +tmMrZuwCNQlhfm+59cacs9F6aueonw23iMaFGOHUVoTMzKvIWf6gYeqQiGPP/KnW +1HsdWmSjdE9wsRwDd5Dxnx76SAy+eTVfpL8qazNnX9nfTEtfwfo2t//LBB182Z+6 +azCSORNyvo8Uiwhi6c1lzlMngbq0RiCVqYswSsHvIcmN1MqZodJ4FMZrgZcbMHx4 +5Mv+JzopI2EGfzkAEQEAAYkCNgQYAQgAIBYhBNde16ok5QzWRcb0V8dR5ZDWPz1p 
+BQJZuSN7AhsMAAoJEMdR5ZDWPz1p6XgP/AuPr0IzbSvPhVOu1rqfBBldxeStSIYI +Fbw4Yll1iM0cpeiQ4x6TIH8GNx0HhnFps7hENbXoDyOVEMG1ju5MFj8cLZQKuBlB +jDSPza3jZ1ZQmQMBxcsQwrATTaceo8SI/Xx7orBzrtsfBgcnc2vp1zhqiiiLbB4M +GHdIBuOczGEhlZPq5o1Ld0fJggpPXJdZ45d545rErqyMlf5YLGjkDsdjBX3KVZyh +QCH+l9VRqTGEqQrVA2QkdfheoQ5k+g7TwwQfYoV4WbP/kbuEqOYhYEllr2Nhzl5U +3F+SI7gP80BYFxqqfccAQgcJZeQUrQ9YL0qB/sJkbi6fRydDQqpV3MrAp4FeZkSn +jgcKZgD6thILaWtI7yh6hdLUtLQmsOfxJKFspayWY+QBbJKu0WTGyWJ2bYCbDLQ5 +oOcCW0O2ShA4YFTAI2yI2g3IAYOCJiucIWz+q3h1Gt2cwmRBUUGKBoCm0Q3Pjm+T +hdbLXoPzZICuCT1iTZrhuwndH2sbM/itkDm1BaNEvWJqQd2PkqqPUF8lew4Eo4hP +JEz4k9v/LMaZpp8qRTqMpnYhvHDxb3OEPyDNor7VfPeAMAwP0MI7SxgFoiUAoL6q +wiKDPpqVHgRaCOAj6a/+p/ozXVrFGRelvRDZQ8g/tfIBLlHbZPa/VXjt+j//mvF8 +yX/+AfLZXs79 +=h4wr +-----END PGP PUBLIC KEY BLOCK----- + +tag joshua-lock-pub +Tagger: Joshua Lock +Date: Fri Jun 8 14:24:19 2018 +0100 + +Signing key for maintainer: +joshua.g.lock@intel.com +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFsagX0BEAC7QZhd0+McfBrI6CgLTpsLWTYrJZP/ABpVw2tzfgN+A+uCglml +Yg2VhfSr5AZWCOWbccrrB59kPnXIOqIshNC2We4ecpKHAWiw5KlboejnWP6Si+4F +3iZMF01M8AggVHx+iBPYPN0KiM45kRbTMDbKgqEpWntoUFHU3am9umfr2dPh8hpL +VaFzm3nThgsyckHar+DHZPo8tpOYFQSWzR6FfdrkjFfYTwkgEg2fyZVwfI4r2qO0 +H+Tx0FaHJN6shUN2uH1XowKdtOGi8GZl6xkeXvszp+q4kLCsDMzACMW3T9BIMykS +W7oUjrdYt5Wej0pAeImWZNU+N3cbGGYkq3DMRFMA7U9BQHZZLLEryQlfJq9GwW// +hfrkN70eepDldO8wWevsad3PUdSCMeUQFrWwZvCjeY8UOOiKhVVyHDWEM1wL41ek +C7G2c41L5yPw2jMj0pu+FmflD8UGLbGxQo08jxkWgmPGpm+WABT9bU9DIzLY5g2t +rzkgHxWHnEBzKZTJ7kQjuWjd+Kx0CtN6Msz8tc5JDgb6B9HBhYDLU0AZgLBDHh9W +BvVablpYb6rgDoA8LRzkKarg0KceQsBEXVphCnO80+0M6FzkRkNQTpqj/B6kXD+D +pIU5yCdJb+UDQbf7ouBwL0HjBz0J5e9DyQ877EYAshIatp1wtTJxcO5YjwARAQAB +tCVKb3NodWEgTG9jayA8am9zaHVhLmcubG9ja0BpbnRlbC5jb20+iQI+BBMBAgAo +BQJbGoF9AhsDBQkFo5qABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBJvK5U +Q//8NO2qD/9CZriVb7BNuGohcRkZTLNz+batciFaeRmpxp3yTztvIzsKxhzBI6o1 +GNASXUbYHWvICwtFxocn3QPmKQuB4FFyiDCv9ed0bdR8ohl+cAGa2xd83iSOrEgm 
+wp2QcHzej3JYitZzEB9oEathn+1fDuOFajeGMCOGIxW7zsFCmb0NGaj1QWye7OAt +ZrXcYeW0DDykVDx879n3uqVZwQsfXaKTfDCPxhFCG8Zo/s5QSvDPc7CAhDRrvhsR +yGEjhcs9FgDVzhuXVExSNSTk3TqgmtqoD7bN9l4QPlZqJZwlECY9pbmZ3XG8oxyH +OLcpSKwBGnvXmUKmjwIhhFdcWv8s0nvn03al72GqtOxyKdwjQZzvJEIv5FApR++Y +57gmc5wYsH/ECBzYTGxfEPTt+wU7rJp28JxVs6c0GMXG8fXclyFi3x2oyBelX6rN +KmwTU9uivN/ar5pHRUNshc8ElZBbMjZc9npmiUKSNwW6kcA7DumFdZefe1OCgTQS +6p2cYPYCZS3xvsi7rhdKFzKrpibPQz+vvBOcapJHgH/0pLdRA3aFq5gNKHbhJJVo +pzFxsB4cJ0vMnIwrQM55m0Xlh5d3LeiZQf9BSg8ZUVqTGaGdHCpfDgWLzpNEqhO+ +plFSDQ6JMqAi3st4iaJUt1l/lrJ5DWFJ5GYmNy8FWeQ4NOA9Vjq94LkCDQRbGoF9 +ARAArSYEZko1GKSB1H+7cnLrqKeVovnWqczuSNl1cIBwYlCOPhG5Uzm7bxHVWhqL +AZ8Fmv4BkKQ5Q/GXUwQvI5GhYVrPQru0wd5Uq3J3NiDUPV+QtGtKDixtqJAkpmJt +vfopRzyIEjGeepTSzxaJzvxGSIZNY4HfZzdaOK5W83c9w0f3OP6Stj/dFtw7I1tW +ar5nz98+FyzkncD6Igr0ZxONMBo/+1LCbfa5l+zAPtOgTIhSqVgxbjwRGHq6RtH/ +dmapx7I6ntMqKVWQC1tuiuwrZjC23yU72QY0Bn1An0bMI/IKZzHAIj0VTpq99+x7 +pAuTb5gJ+Bv2gXJuXaBVXGxmlmv24VU9w5YhAcmIuD+xphAnUy/ojzHC/Z+tOlEJ +blQ4iDOWo6Ed8wFPJx8anKZBDfIBRSnBqsDwszAp1OAtMLoxH8byFGlE61YuiUvE +6miikGL2HxSljZYy65t5ev6ZL4KBr4Qc704ORCz+TB844jakg7m52aR1L51e0HCs +g+bQ8vF2oiuePCMx/KYXZzLKgU70bh24nOEjLtb8f25kHhwlUr7Z4Q8LNaswBanX +fAFp+nwXj2gHsOYL9nMAdHtCHiH7dVd8G1bQrsUxgB3DjCDp5OWdRjI8CRxsjIPq +8HsQ5Ee4j0M3dJse3HGi24R6TUBCTvHG9/3IXfbf9dkMQ0sAEQEAAYkCJQQYAQIA +DwUCWxqBfQIbDAUJBaOagAAKCRBJvK5UQ//8NCIZD/0UotJ5uuJddFpKDnHxuM7m +eCVakQHmVHYTzq/B0+e6O/ac6EOteljOTf9Vh5ikGMuMTQg0b3XTC+Z/Z3C9zWYi +VAn6/TC2z+tQ6OfgMC7iBTcirsBpnsCB5UUAMIYCirelr5AecIxdy8oPitlRJa4k +teJnVeqFW6xsmk0i2B4aPkDO4NrYVSxlUe9rMObed851Dq8vb2BuVBqMbQ9NxmS6 +pACO8z1Gbn6ZBXj0Zg0AZnq9y9Ff1+vTmbjON9jwkYVPM9W+Nn3w6s3FvRO/aQcf +ac+p1wJw7o+q9wtfANjiRysM2NL4Gq6qtiDtxFrB/gqN6En7Mc0LYUwMydp1vSPw +ThjoXKGm+f/SgjEIaJo7ChA2uXQ6f2+aD9WVxOX1BvGfUZOofVF99rII/dO0nJbL +68z2pwESeOKKUWX+pPgm9kcEJeyorugfArMHgi9zFDpqWm26UgmlIuMv7iMUiynZ +YHaj724RJ+Bh/vTGbu5409c+R8UJvlhnmdf0gXN1bherzMQDvKEtg7GT8mRN+A4O +yERtOiAqZtDexzYVAYvVtJNiFQjkhvIvuvYcghjhjNzhnErPepnYj4vpRKyrwhmZ 
+MR1sWYuKXcq02CHDAjnloHMrLWMdtZXHsdRAuBtP+56brpns4WoFpPwn1O43DqM5 +SLZfOoNW1VlWexTY9ymjuA== +=G+yU +-----END PGP PUBLIC KEY BLOCK----- + +tag idesai-pub +Tagger: Imran Desai +Date: Mon Aug 26 11:03:41 2019 -0700 + +Desai, Imran GPG public key +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBF1kFXIBEACeHCYibXuMWOVYJ6O33q37zu/OinwnXKGVOCGJ6a+95KuZHENv +q3zjMOCoeNdW7jGl5n4BaDlmCEY+rDfPca5Fqz3Y/PTvkyk9mMIh2SCERLyYvwBE +QAQ6OQIFSRF8RyIy9EmTRylX7ms0b86Gx/Jhz9+pnN3+5gRlkbPK5O5Ab6Ei/PlS +f3NLm8+TTR/as6dLq0khS8hhBT1vZphMBT61zICAUxjIV/bDB+EfOB3kiZ6UNtim +cbCU3Lve5L1JLayFBRIw2DnGXZOAwsWn0AdRqxPX0FEWL/lEGFk9j0SrdNsUIwia +hbEheTxXbGZ/hhUMSulxCSWchLP7+i3u8RouUm7Iy4md1xMNy1DPiBKVItvO9nwz +ECp7dm1a4tO9FAtbeSGTa8alqZR6MHD5bMBxoI5gtC+RXZ0/EbuJBZVuM4vld1dO +OkB6L5Q+Ktttq8G6KeWYAOmJ8kZpNR/Qb1HMO8jRMGOPSV5cdmJEsUZp4KeWESjw +QLOH3tH4sU+3mnOifPl2tNjfP3CBpQTFmB+IdpCq1HfxVsKa0Ba2rcwkOHCj2E65 +7RI3Els5wgsnTT5p/oWIVIb1PQQZ8R0f9WoLYPlggUzeg8SKem+nX0ZIgbJPUwVn +f5q70GCMJEKmAGk+8U4TraQ+x/8dbKL1J5R88g48Jj3dqji5EsXVziD7LwARAQAB +tDhEZXNhaSwgSW1yYW4gKGlkZXNhaS1naXRodWItZ3BnKSA8aW1yYW4uZGVzYWlA +aW50ZWwuY29tPokCTgQTAQoAOBYhBGMT5txBqvwxWodgpBSYb2lEsfcrBQJdZBVy +AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEBSYb2lEsfcrcaYP/A38JygC +xj7AN5EChMbtJVrK+nNGwRGHFK7uf+XPI4bdFSUdF3CEG5gl7+2lh85z8xzMezGQ +Ozhr9rWVzLxQ2J0HPD1EW1WjkFpo154lhFgdz1fmlTgkXTnX5Zqsv7EEfL4lvXt+ +5uzTwvOMcyLHnD5oiS8gbaVZvrvQHXwMOeLrCniCZboFemYOnCA/sFa+WhhjBGVf +knMgMtnJWjEmJ4TNTO5cU5yK9o0QWAA+PIKt+5aaNXf59kcUsFsnhrWQzBiGV3Tw +Qczj51vyeSoOCpM4Rh5JMET9wfLIeVKsdGbhwe4BqHDC+DxxdO03bevd5FY+5zJ1 +Gr8f43dC1/MaBlV6TjBSTB6eYEyPcA4kDI7E9DRq0tFnhTz1pSu5qUslLS8O04il +vLaoBvDjkUvNJRJS7uY0w08LqZ7sgKi3z9W92NrVE+ra689fwh1mpRN+P2D+sz5w +gWZYMlrBc8udyHDhwQ9Yy0CX8LoOVkN4Ji9gr4xCez0O1W+IqIFA2wT7t1pwyHGC +25E1TkqxhOxKaSZUQNz1iNrTGHKurYhAKG9ECfTEiEVKTEuKn+PcnXRXjpDUaypH +GPoIpTSo5iaZceT/vAxb8xJsdg+OqVaVVe9t1mBPIUHOy6JMx4eZya9GOCI/gi8F +gRmcHctHXEh9GgmYxPxrsZiPyh7CE5L9PewSuQINBF1kFXIBEADHbS4HAqgRqZFK +1i+Df1VdBThASn2N069/YwNuxwP3chPenUNHHcTINbctYmfl9yZPLCmr9UBFOQJl 
+/QyjHH4BnMG94Kwq62qJ0zuYlbq4TkiSeyJhHOOH1MlKbw+UPmsrmTyFKi9/F2uF +ZebqKpOs7CxC1npWIRA1Vt13Lk/HoVJQwPBGBQzazuavc9vXr5ftFA1YraEieSgL +yk5YMb5lXH0CnsjmaVUVXX+GWFLHO/72P8/mK1i9aiu0E7PEIXWzAlVftrsmz/iG +7ktWvptHI08MaOC5ifjwO44uXEaUqET3qX6gHNP5bAJENu4prwSrrl8Clc7J535Q +Byk7wLchR0CxC6kJFlsYos0xU3Rc1C0Sw1xL2iTiRVVxzQYfckVj7j0Ptko36THh +veu7PQm+KLHS55OPYbbfLiiihVjjXZlDzipT5dFzGpJ0lqQit4LzTuqOOhn1qBwQ +hgorSkNXv+shLY3nbG8c0oZXf6Ef5r0qPYQIpSs6MwSQMPy40pEhFri6ZaVjMsIf +TkxlnJnv4EfK/iRFgsHxtboPtf6I3QqMPgEa+pk+KPABHUS8+vOGdUTEmXGnmSIT +TlO9nO2GQBTwWeYJkaQYWdfwpNYDEieGPI8optsqs6jnZGieYgqlsnpb+z9bU7Pa +taEzyINjfWTnpa5BkE/tfApRnHmhvwARAQABiQI2BBgBCgAgFiEEYxPm3EGq/DFa +h2CkFJhvaUSx9ysFAl1kFXICGwwACgkQFJhvaUSx9ys8SBAAlixQR1yOLvuJ3eBp +nEdxqpvh3GLbS83QSVox1uJXZFHfBLl23FACqeiY7WP8+6m/BH2T1TC92MAu6+CO ++12wEXk/IooOHRBy6lsjAFYlgeWOKKPg7WbI8jiyjqIb4THlnhu+61tVOZTTxNYi +iBU8Skc4d8rPi/vAbiQXRKpIUxEziCsruJm1sEMH5AHGB+OAyM6vywfc6ZR5Sk0+ +LP++b7yL1joPgdH934dfgeCMF25JqChk7S4uAbOnICItutLVyEfqLjXZFYjnUuqE +lysOUpiGCTyK7UxL4MhFoblCbZwo/7hZrb82TpJOf9ttKJ/twql1JZhuGH5DTdjc +GbpyRhtemMb/oFEKGem7Ch/cEtjxonmRGzKdaFed2WizXoXL93mytxayUvRO/uVa +9BDOU02/lB0z68NkaaNMeKwiPMh3EyjShMZnBjIn+LtSM2241h9jHq2dy7YA5Avh +Teo8xpCOBxXHVAbWrAUU8WT2b/z8DLxTl926C+YWQouzDZX7AD5xHcuhmNYqqTBO +MVuwsBDdugW1fn7AH1EKXZY2dc7EFSNO+mG4XJqzT+Biq5pumoaT7c/29RqpnM+N +1BYk8ULSMJZ2Pu1DhxeSLti0KHamxt7NAyM7J/NLROLBL28gmqHmro+Qf170HYZc +qvbCulq4dMyalS/ez4xSC00X5wg= +=kpvR +-----END PGP PUBLIC KEY BLOCK----- diff --git a/tpm2.0-tools.changes b/tpm2.0-tools.changes index 67d02bb..48adc72 100644 --- a/tpm2.0-tools.changes +++ b/tpm2.0-tools.changes 
@@ -1,3 +1,22 @@ +------------------------------------------------------------------- +Mon Jun 28 09:09:46 UTC 2021 - Fabian Vogt + +- update to version 5.1.1: + - tpm2_import: fix fixed AES key CVE-2021-3565 + - tpm2_import used a fixed AES key for the inner wrapper, which means that + a MITM attack would be able to unwrap the imported key. To fix this, + ensure the key size is 16 bytes or bigger and use OpenSSL to generate a + secure random AES key. +- Avoid pandoc build dependency, use prebuilt man pages everywhere +- Drop 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch, now upstream +- Drop _service, unused +- Drop unused unzip build dependency +- Drop autoreconfigure call, no longer necessary +- Use %autosetup +- Verify tarball signature +- Build against efivar +- Drop %check section, tests weren't built, so that was a noop + ------------------------------------------------------------------- Fri Jun 18 14:44:25 UTC 2021 - Alberto Planas Dominguez diff --git a/tpm2.0-tools.spec b/tpm2.0-tools.spec index cb9f1aa..a34caf5 100644 --- a/tpm2.0-tools.spec +++ b/tpm2.0-tools.spec 
@@ -17,47 +17,40 @@ Name: tpm2.0-tools -Version: 5.1 +Version: 5.1.1 Release: 0 Summary: Trusted Platform Module (TPM) 2.0 administration tools License: BSD-3-Clause Group: Productivity/Security URL: https://github.com/tpm2-software/tpm2-tools/releases Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/tpm2-tools-%{version}.tar.gz +Source1: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/tpm2-tools-%{version}.tar.gz.asc +# git show william-roberts-pub javier-martinez-pub joshua-lock-pub idesai-pub > tpm2-tools.keyring +Source2: tpm2-tools.keyring Patch0: fix_bogus_warning.patch -Patch1: 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch Patch2: 0001-tpm2_checkquote-fix-uninitialized-variable.patch Patch3: 0001-tpm2_eventlog-read-eventlog-file-in-chunks.patch -BuildRequires: autoconf-archive -BuildRequires: automake BuildRequires: gcc-c++ BuildRequires: libcurl-devel BuildRequires: libopenssl-devel BuildRequires: libtool BuildRequires: libuuid-devel +BuildRequires: pkgconfig(efivar) +# Pandoc is used for generating the man pages, but since 3.0.4 prebuilt man +# pages are shipped with the distribution tarball and we don't need to generate +# them any more. Pandoc is only available on openSUSE (not 32-bit x86) and not +# in Ring 1 (no haskell), so can't be used as build dependency here. +%if 0 %if 0%{?is_opensuse} %ifnarch %{ix86} -# releases prior to 3.0.4 required pandoc for building the man pages. On SLE -# we don't have pandoc and it requires a complete haskell stack so adding it -# is out of the question just for man pages. -# -# since 3.0.4 the man pages are shipped with the distribution tarball and we -# don't need to generate them any more. On openSUSE we can still keep this -# dependency for having fresh builds of the man pages (if that helps -# anything?). -# -# Update: In the 3.1.0 a required patch is still missing and the man pages -# won't be installed. they're shipped, though. 
so if pandoc isn't installed we -# need to install them explicitly. BuildRequires: pandoc %endif %endif +%endif BuildRequires: pkgconfig BuildRequires: tpm2-0-tss-devel BuildRequires: tpm2.0-abrmd-devel -BuildRequires: unzip Recommends: tpm2.0-abrmd -BuildRoot: %{_tmppath}/%{name}-%{version}-build %description Trusted Computing is a set of specifications published by the Trusted @@ -67,24 +60,12 @@ provides tools for enablement and configuration of the TPM 2.0 and associated interfaces. %prep -%setup -q -n tpm2-tools-%{version} -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 +%autosetup -p1 -n tpm2-tools-%{version} %build -# TODO: remove autoreconf once fix_pie_linking patch is no longer needed -# until then we need to repair the version specification which configure.ac -# wants to read from GIT which isn't there. -sed -i 's/m4_esyscmd_s([^)]\+)/%{version}/g' configure.ac -autoreconf -fvi %configure --disable-static make %{?_smp_mflags} -%check -make %{?_smp_mflags} check - %install make DESTDIR=%{buildroot} install %{?_smp_mflags} find %{buildroot} -type f -name "*.la" -delete -print
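Review bot: The new `Source1`/`Source2` lines in the first spec hunk declare the signature and keyring, but no step in the visible `%prep` reads them, so the changelog's "Verify tarball signature" presumably depends on a check performed outside the rpm build (for example at source check-in); a plain local rebuild of the source package would then unpack the tarball unverified. I would state that next to the sources, e.g. `# Source1/Source2 are verified by the build service source checks, not in %%prep`, or add an explicit verification step before `%autosetup` if every build is meant to check the signature. The keyring comment records the `git show` command but no fingerprints, and the file trusts four maintainer keys that appear to come from upstream's own git tags; adding the expected fingerprint of the release signer to that comment would let a later reviewer notice a replaced keyring. As a style point, the `%if 0` wrapper leaves the pandoc conditionals behind as dead code, and deleting the block while keeping the explanatory comment would be cleaner.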
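Review bot: Dropping `%check` in the second spec hunk leaves the package without any test run, for an update whose purpose is the key-wrapping fix for CVE-2021-3565. The changelog says the tests were never built, so the removed section did nothing; the stronger alternative is to build them (upstream's configure has an `--enable-unit` switch, which needs cmocka as a build dependency — to be confirmed against the 5.1.1 tarball) and keep `make %{?_smp_mflags} check`. If leaving them out is deliberate, a comment such as `# no %%check section: upstream unit tests are not built in this package` would record the decision. `%autosetup -p1` also applies Patch0, Patch2 and Patch3 implicitly, and whether Patch2 and Patch3 are still needed on 5.1.1 cannot be seen from this diff.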