Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package swtpm for openSUSE:Factory checked in at 2022-02-24 18:18:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/swtpm (Old) and /work/SRC/openSUSE:Factory/.swtpm.new.1958 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "swtpm" Thu Feb 24 18:18:18 2022 rev:9 rq:957026 version:0.7.1 Changes: -------- --- /work/SRC/openSUSE:Factory/swtpm/swtpm.changes 2021-11-12 15:59:20.674567142 +0100 +++ /work/SRC/openSUSE:Factory/.swtpm.new.1958/swtpm.changes 2022-02-24 18:18:20.458740252 +0100 @@ -1,0 +2,9 @@ +Mon Feb 21 12:04:56 UTC 2022 - Marcus Meissner <meiss...@suse.com> + +- Update to version 0.7.1: + - swtpm: + - Check header size indicator against expected size (CVE-2022-23645 bsc#1196240) + - swtpm_localca: + - Test for available issuercert before creating CA + +------------------------------------------------------------------- Old: ---- swtpm-0.7.0.tar.gz New: ---- swtpm-0.7.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ swtpm.spec ++++++ --- /var/tmp/diff_new_pack.xi2WGB/_old 2022-02-24 18:18:20.978740114 +0100 +++ /var/tmp/diff_new_pack.xi2WGB/_new 2022-02-24 18:18:20.982740113 +0100 @@ -1,7 +1,7 @@ # # spec file for package swtpm # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -24,7 +24,7 @@ %define modulename2 swtpm_svirt %define modulename3 swtpmcuse Name: swtpm -Version: 0.7.0 +Version: 0.7.1 Release: 0 Summary: Software TPM emulator License: BSD-3-Clause ++++++ swtpm-0.7.0.tar.gz -> swtpm-0.7.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.7.0/CHANGES new/swtpm-0.7.1/CHANGES --- old/swtpm-0.7.0/CHANGES 2021-11-09 16:49:45.000000000 +0100 +++ new/swtpm-0.7.1/CHANGES 2022-02-18 14:32:34.000000000 +0100 
@@ -1,5 +1,11 @@ CHANGES - changes for swtpm +version 0.7.1: + - swtpm: + - Check header size indicator against expected size (CVE-2022-23645) + - swtpm_localca: + - Test for available issuercert before creating CA + version 0.7.0: - swtpm: - Support for linear file storage backend (file://) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.7.0/configure.ac new/swtpm-0.7.1/configure.ac --- old/swtpm-0.7.0/configure.ac 2021-11-09 16:49:45.000000000 +0100 +++ new/swtpm-0.7.1/configure.ac 2022-02-18 14:32:34.000000000 +0100 @@ -23,7 +23,7 @@ # This file is derived from tpm-tool's configure.in. # -AC_INIT([swtpm],[0.7.0]) +AC_INIT([swtpm],[0.7.1]) AC_PREREQ([2.69]) AC_CONFIG_SRCDIR(Makefile.am) AC_CONFIG_HEADERS([config.h]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.7.0/debian/changelog new/swtpm-0.7.1/debian/changelog --- old/swtpm-0.7.0/debian/changelog 2021-11-09 16:49:45.000000000 +0100 +++ new/swtpm-0.7.1/debian/changelog 2022-02-18 14:32:34.000000000 +0100 @@ -1,3 +1,9 @@ +swtpm (0.7.1) RELEASED; urgency=medium + + * Stable release + + -- Stefan Berger <stef...@linux.ibm.com> Fri, 18 Feb 2022 09:00:00 -0500 + swtpm (0.7.0) RELEASED; urgency=medium * Stable release diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.7.0/src/swtpm/swtpm_nvstore.c new/swtpm-0.7.1/src/swtpm/swtpm_nvstore.c --- old/swtpm-0.7.0/src/swtpm/swtpm_nvstore.c 2021-11-09 16:49:45.000000000 +0100 +++ new/swtpm-0.7.1/src/swtpm/swtpm_nvstore.c 2022-02-18 14:32:34.000000000 +0100 @@ -1075,6 +1075,7 @@ uint8_t *hdrversion, bool quiet) { blobheader *bh = (blobheader *)data; + uint16_t hdrsize; if (length < sizeof(bh)) { if (!quiet) 
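Review bot: The length guard kept as context in the swtpm_nvstore.c hunk, `if (length < sizeof(bh))`, measures the pointer `bh` rather than the header it points to, since `bh` is declared `blobheader *bh` two lines above; the guard therefore admits any buffer at least one pointer wide, and the fields the following hunk reads through `bh` (`hdrsize`, `version`, `flags`) can lie past the `length` bytes supplied whenever the header type is larger than a pointer. The guard should read `if (length < sizeof(*bh)) {` (or `sizeof(blobheader)`, matching the comparison the next hunk introduces). The added `uint16_t hdrsize;` declaration itself is fine. The enclosing function begins before this hunk and its remaining lines are in the hunk that follows.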
@@ -1100,8 +1101,16 @@ return TPM_BAD_VERSION; } + hdrsize = ntohs(bh->hdrsize); + if (hdrsize != sizeof(blobheader)) { + logprintf(STDERR_FILENO, + "bad header size: %u != %zu\n", + hdrsize, sizeof(blobheader)); + return TPM_BAD_DATASIZE; + } + *hdrversion = bh->version; - *dataoffset = ntohs(bh->hdrsize); + *dataoffset = hdrsize; *hdrflags = ntohs(bh->flags); return TPM_SUCCESS; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.7.0/src/swtpm_localca/swtpm_localca.c new/swtpm-0.7.1/src/swtpm_localca/swtpm_localca.c --- old/swtpm-0.7.0/src/swtpm_localca/swtpm_localca.c 2021-11-09 16:49:45.000000000 +0100 +++ new/swtpm-0.7.1/src/swtpm_localca/swtpm_localca.c 2022-02-18 14:32:34.000000000 +0100 @@ -117,7 +117,7 @@ goto error; } - if (access(signkey, R_OK) != 0) { + if (access(signkey, R_OK) != 0 || access(issuercert, R_OK) != 0) { g_autofree gchar *directory = g_path_get_dirname(signkey); g_autofree gchar *cakey = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-privkey.pem", NULL); g_autofree gchar *cacert = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-cert.pem", NULL); 
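Review bot: The new header-size rejection logs unconditionally, whereas the length check earlier in the same function (visible in the preceding hunk) guards its message with `if (!quiet)`; a caller that passes `quiet` to probe a blob will now still get output on stderr for this one failure mode. Put `if (!quiet)` in front of the `logprintf(STDERR_FILENO, ...)` call so the new check behaves like the existing ones. Returning `TPM_BAD_DATASIZE` and then assigning the validated `hdrsize` to `*dataoffset` is otherwise consistent. The function continues past `return TPM_SUCCESS;` outside the hunk.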
@@ -808,13 +808,28 @@ if (ret != 0) goto error; } else { + int create_certs = 0; + + /* create certificate if either the signing key or issuer cert are missing */ if (access(signkey, R_OK) != 0) { if (stat(signkey, &statbuf) == 0) { logerr(gl_LOGFILE, "Need read rights on signing key %s for user %s.\n", signkey, curr_user ? curr_user->pw_name : "<unknown>"); goto error; } + create_certs = 1; + } + + if (access(issuercert, R_OK) != 0) { + if (stat(issuercert, &statbuf) == 0) { + logerr(gl_LOGFILE, "Need read rights on issuer certificate %s for user %s.\n", + issuercert, curr_user ? curr_user->pw_name : "<unknown>"); + goto error; + } + create_certs = 1; + } + if (create_certs) { logit(gl_LOGFILE, "Creating root CA and a local CA's signing key and issuer cert.\n"); if (create_localca_cert(lockfile, statedir, signkey, signkey_password, issuercert) != 0) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.7.0/swtpm.spec new/swtpm-0.7.1/swtpm.spec --- old/swtpm-0.7.0/swtpm.spec 2021-11-09 16:49:45.000000000 +0100 +++ new/swtpm-0.7.1/swtpm.spec 2022-02-18 14:32:34.000000000 +0100 @@ -8,7 +8,7 @@ Summary: TPM Emulator Name: swtpm -Version: 0.7.0 +Version: 0.7.1 Release: 1%{?dist} License: BSD Url: https://github.com/stefanberger/swtpm @@ -174,6 +174,9 @@ %{_datadir}/swtpm/swtpm-create-tpmca %changelog +* Fri Feb 18 2022 Stefan Berger <stef...@linux.ibm.com> - 0.7.1-1.20220218git------- +- v0.7.1 release + * Tue Nov 09 2021 Stefan Berger <stef...@linux.ibm.com> - 0.7.0-0.20211022git------- - v0.7.0 release diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.7.0/swtpm.spec.in new/swtpm-0.7.1/swtpm.spec.in --- old/swtpm-0.7.0/swtpm.spec.in 2021-11-09 16:49:45.000000000 +0100 +++ new/swtpm-0.7.1/swtpm.spec.in 2022-02-18 14:32:34.000000000 +0100 
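Review bot: The added issuer-certificate block in swtpm_localca.c is a line-for-line copy of the signing-key block above it, differing only in the path, the noun in the `logerr` message and which file is checked; a third such check would be copied again, and any future change to the "missing versus unreadable" decision has to be made twice. A small static helper that returns 0 for readable, 1 for absent and -1 for present-but-unreadable (after logging) lets the `else` branch call it twice and OR the results into `create_certs`. Message text stays byte-identical because the noun is passed in as the `what` argument. The enclosing function starts before this hunk; the `else` branch continues past it with the `create_localca_cert()` call.
```c
/* Returns 0 when path is readable, 1 when it does not exist (caller may
 * create it), -1 when it exists but is unreadable (already logged). */
static int readable_or_missing(const char *path, const char *what,
                               const char *user_name)
{
    struct stat statbuf;

    if (access(path, R_OK) == 0)
        return 0;
    if (stat(path, &statbuf) == 0) {
        logerr(gl_LOGFILE, "Need read rights on %s %s for user %s.\n",
               what, path, user_name);
        return -1;
    }
    return 1;
}

/* … unchanged: start of the else branch … */
        int create_certs = 0;
        const char *user_name = curr_user ? curr_user->pw_name : "<unknown>";
        int rc = readable_or_missing(signkey, "signing key", user_name);
        if (rc < 0)
            goto error;
        create_certs |= rc;
        rc = readable_or_missing(issuercert, "issuer certificate", user_name);
        if (rc < 0)
            goto error;
        create_certs |= rc;
        /* … unchanged: if (create_certs) { ... create_localca_cert() ... } … */
```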
@@ -174,6 +174,9 @@ %{_datadir}/swtpm/swtpm-create-tpmca %changelog +* Fri Feb 18 2022 Stefan Berger <stef...@linux.ibm.com> - 0.7.1-1.20220218git------- +- v0.7.1 release + * Tue Nov 09 2021 Stefan Berger <stef...@linux.ibm.com> - 0.7.0-0.20211022git------- - v0.7.0 release