Accepting request 902783 from security

- update to version 5.1.1: - tpm2_import: fix fixed AES key CVE-2021-3565 - tpm2_import used a fixed AES key for the inner wrapper, which means that a MITM attack would be able to unwrap the imported key. To fix this, ensure the key size is 16 bytes or bigger and use OpenSSL to generate a secure random AES key. - Avoid pandoc build dependency, use prebuilt man pages everywhere - Drop 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch, now upstream - Drop _service, unused - Drop unused unzip build dependency - Drop autoreconfigure call, no longer necessary - Use %autosetup - Verify tarball signature - Build against efivar - Drop %check section, tests weren't built, so that was a noop (forwarded request 902778 from favogt) OBS-URL: https://build.opensuse.org/request/show/902783 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tpm2.0-tools?expand=0&rev=29
2021-06-28 13:33:46 +00:00 · 2021-06-28 13:33:46 +00:00 · f1c0b5d17f
commit f1c0b5d17f
parent 6158f57fbf 30fe5afe17
8 changed files with 283 additions and 91 deletions
--- a/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
+++ b/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
@ -1,46 +0,0 @@
-From c069e4f179d5e6653a84fb236816c375dca82515 Mon Sep 17 00:00:00 2001
-From: William Roberts <william.c.roberts@intel.com>
-Date: Fri, 21 May 2021 12:22:31 -0500
-Subject: [PATCH] tpm2_import: fix fixed AES key CVE-2021-3565
-
-tpm2_import used a fixed AES key for the inner wrapper, which means that
-a MITM attack would be able to unwrap the imported key. Even the
-use of an encrypted session will not prevent this. The TPM only
-encrypts the first parameter which is the fixed symmetric key.
-
-To fix this, ensure the key size is 16 bytes or bigger and use
-OpenSSL to generate a secure random AES key.
-
-Fixes: #2738
-
-Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
- tools/tpm2_import.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/tools/tpm2_import.c b/tools/tpm2_import.c
-index cfb6f207..f44326c8 100644
--- a/tools/tpm2_import.c
-+++ b/tools/tpm2_import.c
-@@ -118,7 +118,17 @@ static tool_rc key_import(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *parent_pub,
-     TPM2B_DATA enc_sensitive_key = {
-         .size = parent_pub->publicArea.parameters.rsaDetail.symmetric.keyBits.sym / 8
-     };
-    memset(enc_sensitive_key.buffer, 0xFF, enc_sensitive_key.size);
-+
-+    if(enc_sensitive_key.size < 16) {
-+        LOG_ERR("Calculated wrapping keysize is less than 16 bytes, got: %u", enc_sensitive_key.size);
-+        return tool_rc_general_error;
-+    }
-+
-+    int ossl_rc = RAND_bytes(enc_sensitive_key.buffer, enc_sensitive_key.size);
-+    if (ossl_rc != 1) {
-+        LOG_ERR("RAND_bytes failed: %s", ERR_error_string(ERR_get_error(), NULL));
-+        return tool_rc_general_error;
-+    }
- 
-     /*
-      * Calculate the object name.
-- 
-2.26.3
-
--- a/11
+++ b/11
@ -1,11 +0,0 @@
-<services>
-  <!-- we need to setup a download_files service here. it is already called implicitly for some reason in the devel project, but not in e.g. SLE-15 -->
-  <service name="tar_scm" mode="disabled">
-    <param name="url">https://github.com/intel/tpm2-tools.git</param>
-    <param name="scm">git</param>
-    <param name="revision">5.1</param>
-    <param name="versionformat">@PARENT_TAG@</param>
-    <param name="changesgenerate">disable</param>
-  </service>
-  <service name="set_version" mode="disabled"/>
-</services>
--- a/tpm2-tools-5.1.1.tar.gz
+++ b/tpm2-tools-5.1.1.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5500810f7af999391babb13216d75843bee9f3f9d1544feed5e503d801174a3b
+size 1044427
--- a/tpm2-tools-5.1.1.tar.gz.asc
+++ b/tpm2-tools-5.1.1.tar.gz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEW0grjj4Z2nyXjh0BbeLpB44fUMEFAmDQoIoACgkQbeLpB44f
+UMEidhAAqmjQ+JUI5dlp4hsU78cKpZpIC3ivS2vobHekdOrzlDqe9/GhFXQEo07O
+M7RI1zgguaXXGlNNatx+xU3vHZD3CjtwRxjt4OFEwL0yH8/8/5YDMgTbujmuprbu
+sF3uQ3+RUmY6UQPqXH5UTV6sri50psY0JSQg4CKSfu/KGAzu74dfkcq6k6zFwaTl
+Odj7orMw+5tzygeF6L308o07jIM0Z0Uiuf0nAkKAQX8iSrJDZZK89gfSLr5+rcBB
+ihAAWE087Mfkd7WgMi54Ozja5YfZ9RF9CNMqETLB1YEseu1Q8LqmR39DDUANAMGb
+eJx9ZP1+r3MPp2EqUjt6DWDvp9KUEepg6ZQfarhvBknJU4cXxpoK/qV9/QD8NaEP
+YY2SGOkb4O9OxENrCNGKKAW1yI+sx4kjxqVVq1Gz+nFDOhd6wOWxLOfOFrQTy0o8
+H76Zs3cJodgrSYTO690hLJzX4pEVn2qrtFq+eDmRmD6IktJXaU4dK7SlXRW3yfkH
+sSdsHy+HZ1tBsvEbLGRDJLFrt4rVyl42n1dl+yynliQ0Np/i6TMwPfoTUsZGqSbA
+ifMLZW774d204FDwZZzmAbRtILHNUDNKwyMVMFMHbZtjep5MwW3x3sC89tOgkCtM
+LLlxoiaHzhS7coAYDBUxYiL/wzsbIFYDyDLplxgoLfqzJCl8unY=
+=KI3b
+-----END PGP SIGNATURE-----
--- a/tpm2-tools-5.1.tar.gz
+++ b/tpm2-tools-5.1.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e2d37b4376f968d6ce480e71b9b26a56a1960c844f4816335570c141c03642cd
-size 1042653
--- a/tpm2-tools.keyring
+++ b/tpm2-tools.keyring
@ -0,0 +1,233 @@
+tag william-roberts-pub
+Tagger: William Roberts <william.c.roberts@intel.com>
+Date:   Wed Feb 15 15:12:03 2017 -0800
+
+Signing key for maintainer:
+william.c.roberts@intel.com
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1
+
+mQINBFik3GUBEADYDYbSXH3UTr9oCNCI3UxC1hiLH7cM+QIbMtWiwfAbT3G8wrTa
+NPj00qNvI4wQ/Xm3h0hB7kri7vP0FqIjIwsTdM6ZpFdVHHKW1m4P8fkOcxqmLN0g
+V36MN5fgoGWf2K94aS7ItoweRMcuHnwWawe6aAtbKSYVqhWhoB/3grgd0xhE61AS
+o8fJ7uRYNEAYVeOKlC2j+qKfoJbCa6yqZejFwOOzB6qxNRA7JYvckEf8yJ4+Y16m
+qPyZ1ErHzpql3+b5ha+g+9g8WzxAbSfGYZTwaQxyePNjXuq2tdEXf9XnESvoaoN4
+pQhiu/0BJEkXPxl1zso65g4Mn22xEELhUnwPDo5YdLlWEZ8xhELLvdJc3Z0nTR5A
+4/YaZvvzf7pOD1cwpB6IrRf8n9rOe1aDxh/A//zX9PpIOV25p5kqlE88Ya5VXrnA
+Ayfs19RZmK3+FuaI0ij79CRokG9BrI6TXT0pRTDIRu7GvAo2q13MELRvFddyRT2G
+mNjsHYcqEbraYTh3LHEiwfWp4ZgDtk8jj3iRabHQUHk9V8vSFzj+wp1E8HzO8Vp3
+BxMDIOG1VPdLi81DP+LbZI1h30ZG63ulqkKIhwx5/h2v4VCYPatVtGqVf37tLstj
+Wrs0DkBykuZrecp+AJ5ZJ+UVvR8ajO2ncAoOugNwoj9Wuvz0fVTiJIhuNQARAQAB
+tDxXaWxsaWFtIFJvYmVydHMgKEJpbGwgUm9iZXJ0cykgPHdpbGxpYW0uYy5yb2Jl
+cnRzQGludGVsLmNvbT6JAjgEEwECACIFAlik3GUCGwMGCwkIBwMCBhUIAgkKCwQW
+AgMBAh4BAheAAAoJEG3i6QeOH1DBibEQAL4EwEzegkc8NyHiW0mntwDoCv3tkUlG
+fprp/g7GWfrP+L+pN5yexg3Zm/CgVN/tTNCEr5XtP+sdds8xBF6ReJ8QPO7EiMiM
+asPXh8zlODrySXCGHmpa7IzuUC2wgD3Wq7WjniMvnBmqBdL0+8nqA6NFxOOklvK1
+ub7bqLrHKfUfciFOfYAi+C0Bh8kdZtMjfY9sqlJA3sVK2UxVXq9D+oHbL1o454N6
+VzV0rDtsK47GSSCXT75kulPdfOCopTgxPgNsK4VnXgMOL5JMURPJa3rBzmBRFed1
+ynrqwFdmYdMepsUgt/JS2I/23QChqp6AdVDjtGLKS71hox+vdE4S0DoRnMHwHkkt
+B6bqQci3RlUP+wcHHRCUXUubxMSlYJqhBdEOclo6N0X0LseLcdAMGda8ZnqbHlyg
+hPLmJrM3C5zTLjDb2YJXCy6RVNwqAnU3o33SZCnHqo/zUjEtR03Ztk1DzSeCjo5w
+zLac1VFq5S3QdgZUwmPhyeoigqOvHu6Z1s2eL8Aw7Hn8i6MWLz5sOXAtyC9NPwK/
+qbp1a+GQXzNW4rvKl7ZEFKrBKyj8AiRoVLSRKcqZtFT56ltXQjrwKjsWDTEOzjnm
+XCSM96xfay6asQH5fw+haC3RIErwyNV0uUDIVC0xDTZ6NgJEBkp8liwNeHE7eHoN
+8qWSZZO2syf7uQINBFik3GUBEAC7V2o1kBsLFSKwmgsCuGfW0oBIQiaCcakT6D2X
+rKBjmzBvh/UIdXQwl9+vPKtWX3T/7g6UBvezV3uc2ZqrigGmFemoQI3sW7wFk0L9
+/QTUWCMfZtyrWgqyetmPYS+i2PnsEPinsgsEHWf3iu/ew1A7npZwINwMdOSOVw2u
+JqYyW2tZCErWKVe31ziYUpXA+HaRm9zoVr0F0sE2GYGWbMVYtqxN9TSYcIAHxB71
+Y31dcY77ln/1JAH4Yzqc063w/lNYogEbbQY7WNgcKdPP+aovpV7kS3TKwsdb9/xT
+pj67nnlvjLTMRoW3Ez0PcIDFhuube9uOQupYG4rC4grLeVLwL/ekVmn6TxRN1hG7
+6zYXWiwWi16uAO++eBNt127FwCOVZsPO0ye3/XpOpCdpUadguxF2gGt6xY0gtetj
+Vdv6S4kCdSx8NMrO2epS/1pgklxN9R/xl7Wu+JPUuVX4Jy0ycmw7TCWxdK2fuFy6
+6aLCXWWEjRSp06oeVJoVV2py+rYaoau7JG7Zgx1A3gYTm6MLFysfROaQgmfRozIH
+0boYh3IA1WWzk4I6ew129ynC5zGXg/+UCnKKwn8Tsh9neq9noRDAonWI7jOCipwF
+l51py82093M87zjz9o/qxnB8p00jByQ+MunUykaZrkQKHAsiyIF6cUIeQiy/AL7n
+wwSPQQARAQABiQIfBBgBAgAJBQJYpNxlAhsMAAoJEG3i6QeOH1DBtO8P/1D98sl3
+oz/0oSSz0u9nzgOh93UkLbXpjSR4U+g7Wl2ppxQyGSFeWwRwT5BT74EVP2IcrraX
+V9c7l+s8PYqnUdX2XAqGMv06523cCrNUU93kUUNjAo3FxGSn7i2kHIvMkDbUoeVk
+jyWKfIvyy2sKcVB9GQxfMrbnTR5/Z6fCyGHNqMFb9e9TUWclLzMIhvtkvLuKmf52
+TKKxKQt/wero5zb0fynOttIjuhmOP9CFTiYjdj7qSmQapW8VFdYjyzL+OOFk9gCL
+S3mIk1LdkfWah7trmMUTXdmiEibvARAQ3Yjr+Hz9yU1gzEJSPUUugNguqgS5kN+T
+3TdwUHAP9whVD2IvN/Mfn29bmFFVfzu3ftJIa1zJmOdZy7KWb6MWVhw3SJ65luPB
+qxKWRqFDOSpqzBm6bYQ/Oka49Jl7/dCImSm+7bCC7LDK9hXa3AIlDtWvG4iiL18T
+wUOrgXPysB/D/NQaRxT/vSPUOB4WrQzIKIf4vJdyuPdtOtIWm97KUw8r/jDqd4I3
+B62qknrrR+FPcz8ACM9fXkpbBEcjFV8EkoOae106Vxjo/lu5LVBbwiKviMMwoK5o
+YE7FfCwLBbLTYMeetHo8jGBRonTEOKMtPlp/fCMOp9w7CgMDuvfEwuTsA1ux4uAb
+tZZIbipcKcZmsU7Su4+oeyh61giG++M5rL2D
+=xdFJ
+-----END PGP PUBLIC KEY BLOCK-----
+
+tag javier-martinez-pub
+Tagger: Javier Martinez Canillas <javierm@redhat.com>
+Date:   Mon Apr 30 11:11:25 2018 +0200
+
+Signing key for maintainer:
+javierm@redhat.com
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFm5I3sBEACnneVfhNlq+yVeTRpYlt9/2k9istJhozy4y8fuZuaqxwm5Tpjo
+c1YqejLBCG1WRmNiJ1DgkI07IxUNQhx8oENYtzYPbFlk/t7fUgWOb3jME69zUs56
+sG410oFmSU+EHrLy6vk6jVgia8uCLeJ6X43boT2VMqzcbUQEv/ORf+J72ZK9wIYf
+gPj32S77NV4pBEOeDp+3bV/2Qs8CPbSXJJa3SFTwt3h4U+CszekhlH1wMAK1aaSC
+MKlYvkEuKG8vgp8hJ+wA2kTEg8io7WKOJP567eMs3l/EJ/zAnZByulKWr1BtD3n7
+OIMWFXQxvUr6SVScFNpRw3N9hiN+hjImbaTGHcxselXMNTQeyID42ckHaVm6mACq
+g3QOVlolqKYnQgRNCuPVObDe6IhzdF+OhXfhYIDRvQ2+nFbGO/A6mt11bIP9BPNJ
+pyw1JoIjLIcZJKwfh2FdzjQpzJ9StfX3eR9opXoD8mNyJ0EtvRVth0wp2mwuv42Q
+BuVPtVZLGdxvnzMEMkl3QeWE+uiidurbTNZ4iFUNHd+r7alPBn2ItFNSpFj4+FaZ
+u5eOyt/E3tcUdIoYHjpo5DkK4bwd7bX6L0VMzFr3qwBqDmHBylhwXMU6MR+a7zRU
+CgoQt9xb2hJQnNWPdcWDXxQJfBrLRMjkpo5hD/sBYzrlyqHkM8PILIi6SQARAQAB
+tC1KYXZpZXIgTWFydGluZXogQ2FuaWxsYXMgPGphdmllcm1AcmVkaGF0LmNvbT6J
+Ak4EEwEIADgWIQTXXteqJOUM1kXG9FfHUeWQ1j89aQUCWbkjewIbAwULCQgHAgYV
+CAkKCwIEFgIDAQIeAQIXgAAKCRDHUeWQ1j89aVNQD/9ESnrFxkZGg82WxD7fO6Oi
+Zca1aq+4kQQlk4hjA4cLg0o3kZ28htjYR/jVw/wSNE3c2S9fnl7ZQcFEXntswLIc
+fvrjlF6D8UA4sbxfve3fDF6SafbJXMAq+e+aOw5BwCKxn1a/j5b4eIY8hKA5G34H
+L9Ypj7DEI90BZ7t4/xZ4UtCLyxWg4grT0IHNc8FL9NoHCo4kW8M7iQry14HfeieK
+0psUWT5uKO0mhXiMau4KUQeF8agyfYTRdoIl6ObzHwYSZFCk8mPUsuDg8qVuc+jy
+xKr+yOmY2Iu+4AFeQPSXJGiFmVlop2B+6jUnRUFCs2vyW6uW2Ya0eCKBJvRE7gyg
+coL3deBIbs1OwNOZJFMAGZ+Zb+cKvRVArTnQ42Aktc2ayKiixJ/mJ/rxdEnhmMJX
+WzKuEloDGH1wRhSwprQJRe1lIvVZmIggQ+OoY7P8hn2it4agSf5Cyd1JDc5wd5ZI
+6+lzVRiwyVruIV/j5ku9HYnYsEHQ3ZttnYqk3dUenTWSsDNWc/bANWeGl2+2U+Mo
+QFRvudOSjpWd1K2Chj4orUt5wy+cm8MZT6agHpJ1WZZrK0al4esoa0cR2cBvpgxP
+eHtn8ajFGmyYS/B+tncfPH9kuMRGjv2Ao9BmikneHkYX/dXP6sNluiw0HqJXFC6d
+sDz0s0d8Jpv3cGv8OCjPdbkCDQRZuSN7ARAAvy5lVu0Dw1+pSsRwb/5Ki6ovFxYO
+RYymelvIc89DMA0zZ7TrBiTg+gI+UPJiouWk7GzZTVNthcIGT7ZN8G+/f1ba5Bkr
+kY5/j/1chyJbW+KUgVYhDWJMH69cfPMpwha/HU8Yc+XmvRGyTE8EW96vIIqcAEqF
+gkHh6EiWLFyF+rQNVRTQOsx/HdYmEQ3uu8JMEr1UmhE031gcEaECAk+dkQv97g+s
+ONSxaMzC4BL9xVbOniEeY+pbnZ9pHwhB8ehZfBoHv/mcHJQKKSyK5ArQ2h2GMiY1
+31KXtP+GiuOpS7kjUW/mWok9gzTDE/k1sLLi9fOxpEHBia7TqKeSGJDFqM5TkFY4
+paOGohNH3Kzev/lwUu+Sf7kZ8q192/8xm/S1mbBO+AsFhMx1GbOCPfcklA1yZJXf
+9ShR1poPVRNW15WgO/lIJm1SVjelmH6S2RfHous+Ij7u82K0vgzPKvAKJqoauaW5
+tmMrZuwCNQlhfm+59cacs9F6aueonw23iMaFGOHUVoTMzKvIWf6gYeqQiGPP/KnW
+1HsdWmSjdE9wsRwDd5Dxnx76SAy+eTVfpL8qazNnX9nfTEtfwfo2t//LBB182Z+6
+azCSORNyvo8Uiwhi6c1lzlMngbq0RiCVqYswSsHvIcmN1MqZodJ4FMZrgZcbMHx4
+5Mv+JzopI2EGfzkAEQEAAYkCNgQYAQgAIBYhBNde16ok5QzWRcb0V8dR5ZDWPz1p
+BQJZuSN7AhsMAAoJEMdR5ZDWPz1p6XgP/AuPr0IzbSvPhVOu1rqfBBldxeStSIYI
+Fbw4Yll1iM0cpeiQ4x6TIH8GNx0HhnFps7hENbXoDyOVEMG1ju5MFj8cLZQKuBlB
+jDSPza3jZ1ZQmQMBxcsQwrATTaceo8SI/Xx7orBzrtsfBgcnc2vp1zhqiiiLbB4M
+GHdIBuOczGEhlZPq5o1Ld0fJggpPXJdZ45d545rErqyMlf5YLGjkDsdjBX3KVZyh
+QCH+l9VRqTGEqQrVA2QkdfheoQ5k+g7TwwQfYoV4WbP/kbuEqOYhYEllr2Nhzl5U
+3F+SI7gP80BYFxqqfccAQgcJZeQUrQ9YL0qB/sJkbi6fRydDQqpV3MrAp4FeZkSn
+jgcKZgD6thILaWtI7yh6hdLUtLQmsOfxJKFspayWY+QBbJKu0WTGyWJ2bYCbDLQ5
+oOcCW0O2ShA4YFTAI2yI2g3IAYOCJiucIWz+q3h1Gt2cwmRBUUGKBoCm0Q3Pjm+T
+hdbLXoPzZICuCT1iTZrhuwndH2sbM/itkDm1BaNEvWJqQd2PkqqPUF8lew4Eo4hP
+JEz4k9v/LMaZpp8qRTqMpnYhvHDxb3OEPyDNor7VfPeAMAwP0MI7SxgFoiUAoL6q
+wiKDPpqVHgRaCOAj6a/+p/ozXVrFGRelvRDZQ8g/tfIBLlHbZPa/VXjt+j//mvF8
+yX/+AfLZXs79
+=h4wr
+-----END PGP PUBLIC KEY BLOCK-----
+
+tag joshua-lock-pub
+Tagger: Joshua Lock <joshua.g.lock@intel.com>
+Date:   Fri Jun 8 14:24:19 2018 +0100
+
+Signing key for maintainer:
+joshua.g.lock@intel.com
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFsagX0BEAC7QZhd0+McfBrI6CgLTpsLWTYrJZP/ABpVw2tzfgN+A+uCglml
+Yg2VhfSr5AZWCOWbccrrB59kPnXIOqIshNC2We4ecpKHAWiw5KlboejnWP6Si+4F
+3iZMF01M8AggVHx+iBPYPN0KiM45kRbTMDbKgqEpWntoUFHU3am9umfr2dPh8hpL
+VaFzm3nThgsyckHar+DHZPo8tpOYFQSWzR6FfdrkjFfYTwkgEg2fyZVwfI4r2qO0
+H+Tx0FaHJN6shUN2uH1XowKdtOGi8GZl6xkeXvszp+q4kLCsDMzACMW3T9BIMykS
+W7oUjrdYt5Wej0pAeImWZNU+N3cbGGYkq3DMRFMA7U9BQHZZLLEryQlfJq9GwW//
+hfrkN70eepDldO8wWevsad3PUdSCMeUQFrWwZvCjeY8UOOiKhVVyHDWEM1wL41ek
+C7G2c41L5yPw2jMj0pu+FmflD8UGLbGxQo08jxkWgmPGpm+WABT9bU9DIzLY5g2t
+rzkgHxWHnEBzKZTJ7kQjuWjd+Kx0CtN6Msz8tc5JDgb6B9HBhYDLU0AZgLBDHh9W
+BvVablpYb6rgDoA8LRzkKarg0KceQsBEXVphCnO80+0M6FzkRkNQTpqj/B6kXD+D
+pIU5yCdJb+UDQbf7ouBwL0HjBz0J5e9DyQ877EYAshIatp1wtTJxcO5YjwARAQAB
+tCVKb3NodWEgTG9jayA8am9zaHVhLmcubG9ja0BpbnRlbC5jb20+iQI+BBMBAgAo
+BQJbGoF9AhsDBQkFo5qABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBJvK5U
+Q//8NO2qD/9CZriVb7BNuGohcRkZTLNz+batciFaeRmpxp3yTztvIzsKxhzBI6o1
+GNASXUbYHWvICwtFxocn3QPmKQuB4FFyiDCv9ed0bdR8ohl+cAGa2xd83iSOrEgm
+wp2QcHzej3JYitZzEB9oEathn+1fDuOFajeGMCOGIxW7zsFCmb0NGaj1QWye7OAt
+ZrXcYeW0DDykVDx879n3uqVZwQsfXaKTfDCPxhFCG8Zo/s5QSvDPc7CAhDRrvhsR
+yGEjhcs9FgDVzhuXVExSNSTk3TqgmtqoD7bN9l4QPlZqJZwlECY9pbmZ3XG8oxyH
+OLcpSKwBGnvXmUKmjwIhhFdcWv8s0nvn03al72GqtOxyKdwjQZzvJEIv5FApR++Y
+57gmc5wYsH/ECBzYTGxfEPTt+wU7rJp28JxVs6c0GMXG8fXclyFi3x2oyBelX6rN
+KmwTU9uivN/ar5pHRUNshc8ElZBbMjZc9npmiUKSNwW6kcA7DumFdZefe1OCgTQS
+6p2cYPYCZS3xvsi7rhdKFzKrpibPQz+vvBOcapJHgH/0pLdRA3aFq5gNKHbhJJVo
+pzFxsB4cJ0vMnIwrQM55m0Xlh5d3LeiZQf9BSg8ZUVqTGaGdHCpfDgWLzpNEqhO+
+plFSDQ6JMqAi3st4iaJUt1l/lrJ5DWFJ5GYmNy8FWeQ4NOA9Vjq94LkCDQRbGoF9
+ARAArSYEZko1GKSB1H+7cnLrqKeVovnWqczuSNl1cIBwYlCOPhG5Uzm7bxHVWhqL
+AZ8Fmv4BkKQ5Q/GXUwQvI5GhYVrPQru0wd5Uq3J3NiDUPV+QtGtKDixtqJAkpmJt
+vfopRzyIEjGeepTSzxaJzvxGSIZNY4HfZzdaOK5W83c9w0f3OP6Stj/dFtw7I1tW
+ar5nz98+FyzkncD6Igr0ZxONMBo/+1LCbfa5l+zAPtOgTIhSqVgxbjwRGHq6RtH/
+dmapx7I6ntMqKVWQC1tuiuwrZjC23yU72QY0Bn1An0bMI/IKZzHAIj0VTpq99+x7
+pAuTb5gJ+Bv2gXJuXaBVXGxmlmv24VU9w5YhAcmIuD+xphAnUy/ojzHC/Z+tOlEJ
+blQ4iDOWo6Ed8wFPJx8anKZBDfIBRSnBqsDwszAp1OAtMLoxH8byFGlE61YuiUvE
+6miikGL2HxSljZYy65t5ev6ZL4KBr4Qc704ORCz+TB844jakg7m52aR1L51e0HCs
+g+bQ8vF2oiuePCMx/KYXZzLKgU70bh24nOEjLtb8f25kHhwlUr7Z4Q8LNaswBanX
+fAFp+nwXj2gHsOYL9nMAdHtCHiH7dVd8G1bQrsUxgB3DjCDp5OWdRjI8CRxsjIPq
+8HsQ5Ee4j0M3dJse3HGi24R6TUBCTvHG9/3IXfbf9dkMQ0sAEQEAAYkCJQQYAQIA
+DwUCWxqBfQIbDAUJBaOagAAKCRBJvK5UQ//8NCIZD/0UotJ5uuJddFpKDnHxuM7m
+eCVakQHmVHYTzq/B0+e6O/ac6EOteljOTf9Vh5ikGMuMTQg0b3XTC+Z/Z3C9zWYi
+VAn6/TC2z+tQ6OfgMC7iBTcirsBpnsCB5UUAMIYCirelr5AecIxdy8oPitlRJa4k
+teJnVeqFW6xsmk0i2B4aPkDO4NrYVSxlUe9rMObed851Dq8vb2BuVBqMbQ9NxmS6
+pACO8z1Gbn6ZBXj0Zg0AZnq9y9Ff1+vTmbjON9jwkYVPM9W+Nn3w6s3FvRO/aQcf
+ac+p1wJw7o+q9wtfANjiRysM2NL4Gq6qtiDtxFrB/gqN6En7Mc0LYUwMydp1vSPw
+ThjoXKGm+f/SgjEIaJo7ChA2uXQ6f2+aD9WVxOX1BvGfUZOofVF99rII/dO0nJbL
+68z2pwESeOKKUWX+pPgm9kcEJeyorugfArMHgi9zFDpqWm26UgmlIuMv7iMUiynZ
+YHaj724RJ+Bh/vTGbu5409c+R8UJvlhnmdf0gXN1bherzMQDvKEtg7GT8mRN+A4O
+yERtOiAqZtDexzYVAYvVtJNiFQjkhvIvuvYcghjhjNzhnErPepnYj4vpRKyrwhmZ
+MR1sWYuKXcq02CHDAjnloHMrLWMdtZXHsdRAuBtP+56brpns4WoFpPwn1O43DqM5
+SLZfOoNW1VlWexTY9ymjuA==
+=G+yU
+-----END PGP PUBLIC KEY BLOCK-----
+
+tag idesai-pub
+Tagger: Imran Desai <imran.desai@intel.com>
+Date:   Mon Aug 26 11:03:41 2019 -0700
+
+Desai, Imran GPG public key
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF1kFXIBEACeHCYibXuMWOVYJ6O33q37zu/OinwnXKGVOCGJ6a+95KuZHENv
+q3zjMOCoeNdW7jGl5n4BaDlmCEY+rDfPca5Fqz3Y/PTvkyk9mMIh2SCERLyYvwBE
+QAQ6OQIFSRF8RyIy9EmTRylX7ms0b86Gx/Jhz9+pnN3+5gRlkbPK5O5Ab6Ei/PlS
+f3NLm8+TTR/as6dLq0khS8hhBT1vZphMBT61zICAUxjIV/bDB+EfOB3kiZ6UNtim
+cbCU3Lve5L1JLayFBRIw2DnGXZOAwsWn0AdRqxPX0FEWL/lEGFk9j0SrdNsUIwia
+hbEheTxXbGZ/hhUMSulxCSWchLP7+i3u8RouUm7Iy4md1xMNy1DPiBKVItvO9nwz
+ECp7dm1a4tO9FAtbeSGTa8alqZR6MHD5bMBxoI5gtC+RXZ0/EbuJBZVuM4vld1dO
+OkB6L5Q+Ktttq8G6KeWYAOmJ8kZpNR/Qb1HMO8jRMGOPSV5cdmJEsUZp4KeWESjw
+QLOH3tH4sU+3mnOifPl2tNjfP3CBpQTFmB+IdpCq1HfxVsKa0Ba2rcwkOHCj2E65
+7RI3Els5wgsnTT5p/oWIVIb1PQQZ8R0f9WoLYPlggUzeg8SKem+nX0ZIgbJPUwVn
+f5q70GCMJEKmAGk+8U4TraQ+x/8dbKL1J5R88g48Jj3dqji5EsXVziD7LwARAQAB
+tDhEZXNhaSwgSW1yYW4gKGlkZXNhaS1naXRodWItZ3BnKSA8aW1yYW4uZGVzYWlA
+aW50ZWwuY29tPokCTgQTAQoAOBYhBGMT5txBqvwxWodgpBSYb2lEsfcrBQJdZBVy
+AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEBSYb2lEsfcrcaYP/A38JygC
+xj7AN5EChMbtJVrK+nNGwRGHFK7uf+XPI4bdFSUdF3CEG5gl7+2lh85z8xzMezGQ
+Ozhr9rWVzLxQ2J0HPD1EW1WjkFpo154lhFgdz1fmlTgkXTnX5Zqsv7EEfL4lvXt+
+5uzTwvOMcyLHnD5oiS8gbaVZvrvQHXwMOeLrCniCZboFemYOnCA/sFa+WhhjBGVf
+knMgMtnJWjEmJ4TNTO5cU5yK9o0QWAA+PIKt+5aaNXf59kcUsFsnhrWQzBiGV3Tw
+Qczj51vyeSoOCpM4Rh5JMET9wfLIeVKsdGbhwe4BqHDC+DxxdO03bevd5FY+5zJ1
+Gr8f43dC1/MaBlV6TjBSTB6eYEyPcA4kDI7E9DRq0tFnhTz1pSu5qUslLS8O04il
+vLaoBvDjkUvNJRJS7uY0w08LqZ7sgKi3z9W92NrVE+ra689fwh1mpRN+P2D+sz5w
+gWZYMlrBc8udyHDhwQ9Yy0CX8LoOVkN4Ji9gr4xCez0O1W+IqIFA2wT7t1pwyHGC
+25E1TkqxhOxKaSZUQNz1iNrTGHKurYhAKG9ECfTEiEVKTEuKn+PcnXRXjpDUaypH
+GPoIpTSo5iaZceT/vAxb8xJsdg+OqVaVVe9t1mBPIUHOy6JMx4eZya9GOCI/gi8F
+gRmcHctHXEh9GgmYxPxrsZiPyh7CE5L9PewSuQINBF1kFXIBEADHbS4HAqgRqZFK
+1i+Df1VdBThASn2N069/YwNuxwP3chPenUNHHcTINbctYmfl9yZPLCmr9UBFOQJl
+/QyjHH4BnMG94Kwq62qJ0zuYlbq4TkiSeyJhHOOH1MlKbw+UPmsrmTyFKi9/F2uF
+ZebqKpOs7CxC1npWIRA1Vt13Lk/HoVJQwPBGBQzazuavc9vXr5ftFA1YraEieSgL
+yk5YMb5lXH0CnsjmaVUVXX+GWFLHO/72P8/mK1i9aiu0E7PEIXWzAlVftrsmz/iG
+7ktWvptHI08MaOC5ifjwO44uXEaUqET3qX6gHNP5bAJENu4prwSrrl8Clc7J535Q
+Byk7wLchR0CxC6kJFlsYos0xU3Rc1C0Sw1xL2iTiRVVxzQYfckVj7j0Ptko36THh
+veu7PQm+KLHS55OPYbbfLiiihVjjXZlDzipT5dFzGpJ0lqQit4LzTuqOOhn1qBwQ
+hgorSkNXv+shLY3nbG8c0oZXf6Ef5r0qPYQIpSs6MwSQMPy40pEhFri6ZaVjMsIf
+TkxlnJnv4EfK/iRFgsHxtboPtf6I3QqMPgEa+pk+KPABHUS8+vOGdUTEmXGnmSIT
+TlO9nO2GQBTwWeYJkaQYWdfwpNYDEieGPI8optsqs6jnZGieYgqlsnpb+z9bU7Pa
+taEzyINjfWTnpa5BkE/tfApRnHmhvwARAQABiQI2BBgBCgAgFiEEYxPm3EGq/DFa
+h2CkFJhvaUSx9ysFAl1kFXICGwwACgkQFJhvaUSx9ys8SBAAlixQR1yOLvuJ3eBp
+nEdxqpvh3GLbS83QSVox1uJXZFHfBLl23FACqeiY7WP8+6m/BH2T1TC92MAu6+CO
+12wEXk/IooOHRBy6lsjAFYlgeWOKKPg7WbI8jiyjqIb4THlnhu+61tVOZTTxNYi
+iBU8Skc4d8rPi/vAbiQXRKpIUxEziCsruJm1sEMH5AHGB+OAyM6vywfc6ZR5Sk0+
+LP++b7yL1joPgdH934dfgeCMF25JqChk7S4uAbOnICItutLVyEfqLjXZFYjnUuqE
+lysOUpiGCTyK7UxL4MhFoblCbZwo/7hZrb82TpJOf9ttKJ/twql1JZhuGH5DTdjc
+GbpyRhtemMb/oFEKGem7Ch/cEtjxonmRGzKdaFed2WizXoXL93mytxayUvRO/uVa
+9BDOU02/lB0z68NkaaNMeKwiPMh3EyjShMZnBjIn+LtSM2241h9jHq2dy7YA5Avh
+Teo8xpCOBxXHVAbWrAUU8WT2b/z8DLxTl926C+YWQouzDZX7AD5xHcuhmNYqqTBO
+MVuwsBDdugW1fn7AH1EKXZY2dc7EFSNO+mG4XJqzT+Biq5pumoaT7c/29RqpnM+N
+1BYk8ULSMJZ2Pu1DhxeSLti0KHamxt7NAyM7J/NLROLBL28gmqHmro+Qf170HYZc
+qvbCulq4dMyalS/ez4xSC00X5wg=
+=kpvR
+-----END PGP PUBLIC KEY BLOCK-----
--- a/tpm2.0-tools.changes
+++ b/tpm2.0-tools.changes
@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Mon Jun 28 09:09:46 UTC 2021 - Fabian Vogt <fvogt@suse.com>
+
+- update to version 5.1.1:
+  - tpm2_import: fix fixed AES key CVE-2021-3565
+    - tpm2_import used a fixed AES key for the inner wrapper, which means that
+      a MITM attack would be able to unwrap the imported key. To fix this,
+      ensure the key size is 16 bytes or bigger and use OpenSSL to generate a
+      secure random AES key.
+- Avoid pandoc build dependency, use prebuilt man pages everywhere
+- Drop 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch, now upstream
+- Drop _service, unused
+- Drop unused unzip build dependency
+- Drop autoreconfigure call, no longer necessary
+- Use %autosetup
+- Verify tarball signature
+- Build against efivar
+- Drop %check section, tests weren't built, so that was a noop
+
 -------------------------------------------------------------------
 Fri Jun 18 14:44:25 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>

--- a/tpm2.0-tools.spec
+++ b/tpm2.0-tools.spec
@ -17,47 +17,40 @@


 Name:           tpm2.0-tools
-Version:        5.1
+Version:        5.1.1
 Release:        0
 Summary:        Trusted Platform Module (TPM) 2.0 administration tools
 License:        BSD-3-Clause
 Group:          Productivity/Security
 URL:            https://github.com/tpm2-software/tpm2-tools/releases
 Source0:        https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/tpm2-tools-%{version}.tar.gz
+Source1:        https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/tpm2-tools-%{version}.tar.gz.asc
+# git show william-roberts-pub javier-martinez-pub joshua-lock-pub idesai-pub > tpm2-tools.keyring
+Source2:        tpm2-tools.keyring
 Patch0:         fix_bogus_warning.patch
-Patch1:         0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
 Patch2:         0001-tpm2_checkquote-fix-uninitialized-variable.patch
 Patch3:         0001-tpm2_eventlog-read-eventlog-file-in-chunks.patch
-BuildRequires:  autoconf-archive
-BuildRequires:  automake
 BuildRequires:  gcc-c++
 BuildRequires:  libcurl-devel
 BuildRequires:  libopenssl-devel
 BuildRequires:  libtool
 BuildRequires:  libuuid-devel
+BuildRequires:  pkgconfig(efivar)
+# Pandoc is used for generating the man pages, but since 3.0.4 prebuilt man
+# pages are shipped with the distribution tarball and we don't need to generate
+# them any more. Pandoc is only available on openSUSE (not 32-bit x86) and not
+# in Ring 1 (no haskell), so can't be used as build dependency here.
+%if 0
 %if 0%{?is_opensuse}
 %ifnarch %{ix86}
-# releases prior to 3.0.4 required pandoc for building the man pages. On SLE
-# we don't have pandoc and it requires a complete haskell stack so adding it
-# is out of the question just for man pages.
-#
-# since 3.0.4 the man pages are shipped with the distribution tarball and we
-# don't need to generate them any more. On openSUSE we can still keep this
-# dependency for having fresh builds of the man pages (if that helps
-# anything?).
-#
-# Update: In the 3.1.0 a required patch is still missing and the man pages
-# won't be installed. they're shipped, though. so if pandoc isn't installed we
-# need to install them explicitly.
 BuildRequires:  pandoc
 %endif
 %endif
+%endif
 BuildRequires:  pkgconfig
 BuildRequires:  tpm2-0-tss-devel
 BuildRequires:  tpm2.0-abrmd-devel
-BuildRequires:  unzip
 Recommends:     tpm2.0-abrmd
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
 Trusted Computing is a set of specifications published by the Trusted
@ -67,24 +60,12 @@ provides tools for enablement and configuration of the TPM 2.0 and
 associated interfaces.

 %prep
-%setup -q -n tpm2-tools-%{version}
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
+%autosetup -p1 -n tpm2-tools-%{version}

 %build
-# TODO: remove autoreconf once fix_pie_linking patch is no longer needed
-# until then we need to repair the version specification which configure.ac
-# wants to read from GIT which isn't there.
-sed -i 's/m4_esyscmd_s([^)]\+)/%{version}/g' configure.ac
-autoreconf -fvi
 %configure --disable-static
 make %{?_smp_mflags}

-%check
-make %{?_smp_mflags} check
-
 %install
 make DESTDIR=%{buildroot} install %{?_smp_mflags}
 find %{buildroot} -type f -name "*.la" -delete -print