From f77df19e1a7de7a404c98abd618e1979784d4734 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Mon, 15 Sep 2025 12:16:53 +0000
Subject: [PATCH] import CS libtpms-0.9.6-11.el9
---
.gitignore | 2 +-
.libtpms.metadata | 2 +-
SOURCES/0001-tpm2-CVE-2025-49133-fix.patch | 52 +++++
...-EVP_PKEY_CTX_set0_rsa_oaep_label-fo.patch | 37 ----
...Fix-size-check-in-CryptSecretDecrypt.patch | 31 ---
...TPM_RC_VALUE-upon-decryption-failure.patch | 31 +++
...g-state-initialize-s_ContextSlotMask.patch | 51 -----
...18B9CADF9089C2D5CEC66B75AD65802A0B4211.asc | 18 ++
SOURCES/libtpms-0.9.6.tar.gz.asc | 12 ++
SPECS/libtpms.spec | 187 ++++++++++++------
10 files changed, 244 insertions(+), 179 deletions(-)
create mode 100644 SOURCES/0001-tpm2-CVE-2025-49133-fix.patch
delete mode 100644 SOURCES/0001-tpm2-Do-not-call-EVP_PKEY_CTX_set0_rsa_oaep_label-fo.patch
delete mode 100644 SOURCES/0001-tpm2-Fix-size-check-in-CryptSecretDecrypt.patch
create mode 100644 SOURCES/0001-tpm2-Return-TPM_RC_VALUE-upon-decryption-failure.patch
delete mode 100644 SOURCES/0001-tpm2-When-writing-state-initialize-s_ContextSlotMask.patch
create mode 100644 SOURCES/gpgkey-B818B9CADF9089C2D5CEC66B75AD65802A0B4211.asc
create mode 100644 SOURCES/libtpms-0.9.6.tar.gz.asc
diff --git a/.gitignore b/.gitignore
index 32b84c1..997529d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/libtpms-20211126.tar.xz
+SOURCES/libtpms-0.9.6.tar.gz
diff --git a/.libtpms.metadata b/.libtpms.metadata
index 020dc4b..3e13e37 100644
--- a/.libtpms.metadata
+++ b/.libtpms.metadata
@@ -1 +1 @@
-ae609402e34992590961b0d025e9ef1202d8dede SOURCES/libtpms-20211126.tar.xz
+a585c1d34dc8ecd90eda1a2a91d0d2057cbd3914 SOURCES/libtpms-0.9.6.tar.gz
diff --git a/SOURCES/0001-tpm2-CVE-2025-49133-fix.patch b/SOURCES/0001-tpm2-CVE-2025-49133-fix.patch
new file mode 100644
index 0000000..0aa10de
--- /dev/null
+++ b/SOURCES/0001-tpm2-CVE-2025-49133-fix.patch
@@ -0,0 +1,52 @@
+From 0b1db4bd1c668c56f1d893c9ed19a94d46c228f7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
+Date: Wed, 11 Jun 2025 23:05:08 +0400
+Subject: [PATCH] tpm2: CVE-2025-49133 fix
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Based from upstream commit 04b2d8e9afc ("tpm2: Fix potential
+out-of-bound access & abort due to HMAC signing issue")
+
+Fix an HMAC signing issue that may causes an out-of-bounds access in a
+TPM2B that in turn was running into an assert() in libtpms causing an
+abort. The signing issue was due to an inconsistent pairing of the signKey
+and signScheme parameters, where the signKey is ALG_KEYEDHASH key and
+inScheme is an ECC or RSA scheme.
+
+Signed-off-by: Marc-André Lureau
+---
+ src/tpm2/CryptUtil.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c
+index 8fae5b6..aadf7f6 100644
+--- a/src/tpm2/CryptUtil.c
++++ b/src/tpm2/CryptUtil.c
+@@ -79,12 +79,16 @@ CryptHmacSign(
+ {
+ HMAC_STATE hmacState;
+ UINT32 digestSize;
+- digestSize = CryptHmacStart2B(&hmacState, signature->signature.any.hashAlg,
+- &signKey->sensitive.sensitive.bits.b);
+- CryptDigestUpdate2B(&hmacState.hashState, &hashData->b);
+- CryptHmacEnd(&hmacState, digestSize,
+- (BYTE *)&signature->signature.hmac.digest);
+- return TPM_RC_SUCCESS;
++ if (signature->sigAlg == TPM_ALG_HMAC)
++ {
++ digestSize = CryptHmacStart2B(&hmacState, signature->signature.any.hashAlg,
++ &signKey->sensitive.sensitive.bits.b);
++ CryptDigestUpdate2B(&hmacState.hashState, &hashData->b);
++ CryptHmacEnd(&hmacState, digestSize,
++ (BYTE *)&signature->signature.hmac.digest);
++ return TPM_RC_SUCCESS;
++ }
++ return TPM_RC_SCHEME;
+ }
+ /* 10.2.6.3.2 CryptHMACVerifySignature() */
+ /* This function will verify a signature signed by a HMAC key. Note that a caller needs to prepare
+--
+2.49.0
+
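Review bot: The new `return TPM_RC_SCHEME;` path at the end of CryptHmacSign() is the whole fix, yet nothing next to it says why a non-HMAC `sigAlg` can reach an HMAC signing helper, so a later cleanup could mistake the check for dead code. I would add a comment above the `if`, for example `/* signKey may be a KEYEDHASH key paired with an RSA/ECC scheme; only fill signature.hmac when sigAlg is TPM_ALG_HMAC */`, and consider writing the check as a guard, `if (signature->sigAlg != TPM_ALG_HMAC) return TPM_RC_SCHEME;`, so the original six lines keep their indentation. The function previously returned TPM_RC_SUCCESS unconditionally, so its callers (not visible here) should be checked for any that ignore the result, and a regression test for the mismatched key/scheme case would be worth shipping with the backport. The start of CryptHmacSign() lies outside the hunk.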
diff --git a/SOURCES/0001-tpm2-Do-not-call-EVP_PKEY_CTX_set0_rsa_oaep_label-fo.patch b/SOURCES/0001-tpm2-Do-not-call-EVP_PKEY_CTX_set0_rsa_oaep_label-fo.patch
deleted file mode 100644
index d39b0fb..0000000
--- a/SOURCES/0001-tpm2-Do-not-call-EVP_PKEY_CTX_set0_rsa_oaep_label-fo.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From e4261984374556da65c9d46097d5a1200b335c0c Mon Sep 17 00:00:00 2001
-From: Juergen Repp
-Date: Sat, 19 Feb 2022 12:59:32 +0100
-Subject: [PATCH] tpm2: Do not call EVP_PKEY_CTX_set0_rsa_oaep_label() for
- label of size 0 (OSSL 3)
-
-Openssl 3.0 did return an error if EVP_PKEY_CTX_set0_rsa_oaep_label was called
-with label size 0. The function should only be called if the size of the label
-is greater 0.
-With this fix TPM2_RSA_Encrypt/Decrypt did work with OpenSSL 1.1 and 3.0
-for encryption without label.
-
-Signed-off-by: Juergen Repp
----
- src/tpm2/crypto/openssl/CryptRsa.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/src/tpm2/crypto/openssl/CryptRsa.c b/src/tpm2/crypto/openssl/CryptRsa.c
-index 4ed04384feb0..b5d6b6c3be82 100644
---- a/src/tpm2/crypto/openssl/CryptRsa.c
-+++ b/src/tpm2/crypto/openssl/CryptRsa.c
-@@ -1356,10 +1356,9 @@ CryptRsaEncrypt(
- if (tmp == NULL)
- ERROR_RETURN(TPM_RC_FAILURE);
- memcpy(tmp, label->buffer, label->size);
-+ if (EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, tmp, label->size) <= 0)
-+ ERROR_RETURN(TPM_RC_FAILURE);
- }
-- // label->size == 0 is supported
-- if (EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, tmp, label->size) <= 0)
-- ERROR_RETURN(TPM_RC_FAILURE);
- tmp = NULL;
- break;
- default:
---
-2.36.0.44.g0f828332d5ac
-
diff --git a/SOURCES/0001-tpm2-Fix-size-check-in-CryptSecretDecrypt.patch b/SOURCES/0001-tpm2-Fix-size-check-in-CryptSecretDecrypt.patch
deleted file mode 100644
index a886ee8..0000000
--- a/SOURCES/0001-tpm2-Fix-size-check-in-CryptSecretDecrypt.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 3d2bbe2f1947784506ba0a7f9e8ab81eefb69929 Mon Sep 17 00:00:00 2001
-From: Ross Lagerwall
-Date: Mon, 23 May 2022 14:16:57 +0100
-Subject: [PATCH] tpm2: Fix size check in CryptSecretDecrypt
-
-Check the secret size against the size of the buffer, not the size
-member that has not been set yet.
-
-Reported by Coverity.
-
-Signed-off-by: Ross Lagerwall
----
- src/tpm2/CryptUtil.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c
-index 9879f918acb6..002fde0987a9 100644
---- a/src/tpm2/CryptUtil.c
-+++ b/src/tpm2/CryptUtil.c
-@@ -732,7 +732,7 @@ CryptSecretDecrypt(
- nonceCaller->t.size);
- }
- // make sure secret will fit
-- if(secret->t.size > data->t.size)
-+ if(secret->t.size > sizeof(data->t.buffer))
- return TPM_RC_FAILURE;
- data->t.size = secret->t.size;
- // CFB decrypt, using nonceCaller as iv
---
-2.36.0.44.g0f828332d5ac
-
diff --git a/SOURCES/0001-tpm2-Return-TPM_RC_VALUE-upon-decryption-failure.patch b/SOURCES/0001-tpm2-Return-TPM_RC_VALUE-upon-decryption-failure.patch
new file mode 100644
index 0000000..28ad2b9
--- /dev/null
+++ b/SOURCES/0001-tpm2-Return-TPM_RC_VALUE-upon-decryption-failure.patch
@@ -0,0 +1,31 @@
+From 1b0b41293a0d49ff8063542fcb3a5ee1d4e10f7e Mon Sep 17 00:00:00 2001
+From: Stefan Berger
+Date: Mon, 29 Jul 2024 10:19:00 -0400
+Subject: [PATCH] tpm2: Return TPM_RC_VALUE upon decryption failure
+
+When decryption fails then return TPM_RC_VALUE rather than TPM_RC_FAILURE.
+The old error code could indicate to an application or driver that
+something is wrong with the TPM (has possibly gone into failure mode) even
+though only the decryption failed, possibly due to a wrong key.
+
+Signed-off-by: Stefan Berger
+---
+ src/tpm2/crypto/openssl/CryptRsa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tpm2/crypto/openssl/CryptRsa.c b/src/tpm2/crypto/openssl/CryptRsa.c
+index b5d6b6c3..88ee3bac 100644
+--- a/src/tpm2/crypto/openssl/CryptRsa.c
++++ b/src/tpm2/crypto/openssl/CryptRsa.c
+@@ -1457,7 +1457,7 @@ CryptRsaDecrypt(
+ outlen = sizeof(buffer);
+ if (EVP_PKEY_decrypt(ctx, buffer, &outlen,
+ cIn->buffer, cIn->size) <= 0)
+- ERROR_RETURN(TPM_RC_FAILURE);
++ ERROR_RETURN(TPM_RC_VALUE);
+
+ if (outlen > dOut->size)
+ ERROR_RETURN(TPM_RC_FAILURE);
+--
+2.41.0.28.gd7d8841f67
+
diff --git a/SOURCES/0001-tpm2-When-writing-state-initialize-s_ContextSlotMask.patch b/SOURCES/0001-tpm2-When-writing-state-initialize-s_ContextSlotMask.patch
deleted file mode 100644
index 59aaacc..0000000
--- a/SOURCES/0001-tpm2-When-writing-state-initialize-s_ContextSlotMask.patch
+++ /dev/null
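Review bot: `EVP_PKEY_decrypt(...) <= 0` now maps every failure of that call to `TPM_RC_VALUE`, and the hunk alone does not show whether that set includes internal errors that are not caused by the caller's input. A one-line comment above the `ERROR_RETURN` would record the intent, for example `/* any decrypt error is reported as bad input (wrong key or padding), not as TPM failure mode */`. The size check two lines below still returns `TPM_RC_FAILURE` for `outlen > dOut->size`; that is presumably deliberate, but it is worth confirming it cannot be triggered by ordinary caller input, since the commit message's concern about signalling failure mode would then apply there too. CryptRsaDecrypt() begins and continues outside the hunk.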
@@ -1,51 +0,0 @@
-From b662e6fd7169f31ef664ecd0b0b45547462e1e31 Mon Sep 17 00:00:00 2001
-From: Stefan Berger
-Date: Tue, 4 Jan 2022 14:45:31 -0500
-Subject: [PATCH] tpm2: When writing state initialize s_ContextSlotMask if not
- set
-
-If s_ContextSlotMask was not set since the TPM 2 was not initialized
-by a call to TPM_Manufacture() or the state was not resumed, then
-initialize the s_ContextSlotMask to 0xffff.
-
-This situation can occur if a VM with an attached swtpm was started
-and the VM's firmware either doesn't support TPM or didn't get to
-initialize the vTPM.
-
-The following commands recreated the issue with a SeaBIOS-only VM that
-had no attached hard disk but an attached TPM 2:
-
-virsh start BIOS-only-VM ; virsh save BIOS-only-VM save.bin ; \
- virsh restore save.bin
-
-Error: Failed to restore domain from save.bin
-error: internal error: qemu unexpectedly closed the monitor: \
-2022-01-04T19:26:18.835851Z qemu-system-x86_64: tpm-emulator: Setting the stateblob (type 2) failed with a TPM error 0x3 a parameter is bad
-2022-01-04T19:26:18.835899Z qemu-system-x86_64: error while loading state for instance 0x0 of device 'tpm-emulator'
-2022-01-04T19:26:18.835929Z qemu-system-x86_64: load of migration failed: Input/output error
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2035731
-Signed-off-by: Stefan Berger
----
- src/tpm2/NVMarshal.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/tpm2/NVMarshal.c b/src/tpm2/NVMarshal.c
-index 996c73c..c7cd1e0 100644
---- a/src/tpm2/NVMarshal.c
-+++ b/src/tpm2/NVMarshal.c
-@@ -1422,6 +1422,11 @@ STATE_RESET_DATA_Marshal(STATE_RESET_DATA *data, BYTE **buffer, INT32 *size)
- written += UINT16_Marshal(&array_size, buffer, size);
- for (i = 0; i < array_size; i++)
- written += UINT16_Marshal(&data->contextArray[i], buffer, size);
-+
-+ if (s_ContextSlotMask != 0x00ff && s_ContextSlotMask != 0xffff) {
-+ /* TPM wasn't initialized, so s_ContextSlotMask wasn't set */
-+ s_ContextSlotMask = 0xffff;
-+ }
- written += UINT16_Marshal(&s_ContextSlotMask, buffer, size);
-
- written += UINT64_Marshal(&data->contextCounter, buffer, size);
---
-2.36.1
-
diff --git a/SOURCES/gpgkey-B818B9CADF9089C2D5CEC66B75AD65802A0B4211.asc b/SOURCES/gpgkey-B818B9CADF9089C2D5CEC66B75AD65802A0B4211.asc
new file mode 100644
index 0000000..2d460e5
--- /dev/null
+++ b/SOURCES/gpgkey-B818B9CADF9089C2D5CEC66B75AD65802A0B4211.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBFnVA4YBCAD3fs+WUzvB6OPoj0HhvBlemEV6I8AcDwZHCNvA4UMc03sSVl/Q
+tDr4WuZd1v9utvi0xHjsTHbF1ndsgNkNzisvTIBHptcxw+Z3+VskOl3GTsfiKG22
+OfZJsdXfhjYW/Oezl2IVy6/QqOV0JeEtV3J10gCHR/5PKhOy+pP/8jlw3EA8GYtY
+ojM4znfEXHh6vx//hbf8FVMlVcKwUKHB1zHhM5jF9Kx4ZLU8rYHkMiXXbzdWBkCa
+L6E2P2T01hQ1wPpowU9aL/zLt7ISiKMcYLvZJYcgX3quPVSXJRG+y3q3lXv1IOrV
+HoGJLdkNu/0bLJoeNBFXiEGs7+tfk4XAjBTTABEBAAG0KlN0ZWZhbiBCZXJnZXIg
+PHN0ZWZhbmJAbGludXgudm5ldC5pYm0uY29tPokBPgQTAQIAKAUCWdUDhgIbAwUJ
+EswDAAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQda1lgCoLQhENQQf/XmyD
+zWL5VSAKbDKcpI5t0PjiC/Brrs1xNtKLht5le4UdhAH6e/y+3H6lhoJCNbHGBE7r
+cAM/LVv8MT+4WXhLvRDUkn6Z5cSiMx0ANWDABCHGI3+z2imqI5XjB5fwFq2FIRdu
+MUhWRhxSYHDd4E0BN2FvHNUhqm60QlLCrH9zjar8XcJQ1lnDgcSDP9EWENZizYW9
+W5DKFiWR4vMXU0lvDpAYyDR1EU4pfnoMDc/19MoI3oR+wP0ELXI52CG0w4Lcs+Y5
+8ywb0/El789qRTNQG6bPcZYx6KrRNq8KSrtNY20ID2tyM4boRQ412mD87x/kNWqU
+CHklMi79wKcJ7OA73g==
+=l1ZJ
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/SOURCES/libtpms-0.9.6.tar.gz.asc b/SOURCES/libtpms-0.9.6.tar.gz.asc
new file mode 100644
index 0000000..01448c7
--- /dev/null
+++ b/SOURCES/libtpms-0.9.6.tar.gz.asc
@@ -0,0 +1,12 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQFPBAABCAA5FiEEuBi5yt+QicLVzsZrda1lgCoLQhEFAmP+i0gbHHN0ZWZhbmJA
+bGludXgudm5ldC5pYm0uY29tAAoJEHWtZYAqC0IRPUcH/R4+fk5ivbwAE02YIYWg
+eqDj6Rs05lkZv6fhn8cyTjW0hncsUiSeui1huyxam/DFgNtBwFPk9Fzjkm3mzasw
+SyYcqp5jN2fP9VptfEc33Epa3+80LwoAvQZadqDB5ruFcSKfpZGH1etFRGpD9A48
+UBFts9WZM66R9dz0dilLzilTauWOuMcNgydtRNxbo55wdTEBko4MG0Z3cgPaGuYo
+mPqKGIOiH8dpQYe8UsuhTWQgY6xJuGGOBdouDbJG+8RlYEQCmc++xH52jMjA/D0S
+Rn41+/Pe0n+dq4VfIJXJRKqOuwVISoYMenXMXRZkHu+69w4Ji2JKc3Xz4n7oYEiy
+V70=
+=QrLR
+-----END PGP SIGNATURE-----
diff --git a/SPECS/libtpms.spec b/SPECS/libtpms.spec
index bf4da0e..8aecb8c 100644
--- a/SPECS/libtpms.spec
+++ b/SPECS/libtpms.spec
@@ -1,22 +1,29 @@ -%global gitdate 20211126 -%global gitversion 1ff6fe1f43 - Name: libtpms -Version: 0.9.1 -Release: 2.%{gitdate}git%{gitversion}%{?dist} +Version: 0.9.6 +Release: 11%{?dist} +Summary: Library providing Trusted Platform Module (TPM) functionality +License: BSD-3-Clause AND LicenseRef-TCGL -Summary: Library providing Trusted Platform Module (TPM) functionality -License: BSD -Url: http://github.com/stefanberger/libtpms -Source0: libtpms-%{gitdate}.tar.xz -Patch0001: 0001-tpm2-Do-not-call-EVP_PKEY_CTX_set0_rsa_oaep_label-fo.patch -Patch0002: 0001-tpm2-Fix-size-check-in-CryptSecretDecrypt.patch -Patch0003: 0001-tpm2-When-writing-state-initialize-s_ContextSlotMask.patch +URL: https://github.com/stefanberger/libtpms +Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz +Source1: %{url}/releases/download/v%{version}/v%{version}.tar.gz.asc#/%{name}-%{version}.tar.gz.asc +# https://github.com/stefanberger.gpg +Source2: gpgkey-B818B9CADF9089C2D5CEC66B75AD65802A0B4211.asc +Patch0001: 0001-tpm2-Return-TPM_RC_VALUE-upon-decryption-failure.patch +Patch0002: 0001-tpm2-CVE-2025-49133-fix.patch + +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: coreutils +BuildRequires: gawk +BuildRequires: gcc-c++ +BuildRequires: gnupg2 +BuildRequires: libtool +BuildRequires: make BuildRequires: openssl-devel -BuildRequires: pkgconfig gawk sed -BuildRequires: automake autoconf libtool bash coreutils gcc-c++ -BuildRequires: make +BuildRequires: pkgconfig +BuildRequires: sed %description A library providing TPM functionality for VMs. Targeted for integration 
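Review bot: The only provenance recorded for `Source2` is the comment `# https://github.com/stefanberger.gpg`, which names a mutable account URL rather than the key that was actually checked. Because the `%{gpgverify}` call in the next spec hunk trusts whatever key file is committed under that name, the comment should pin the identity, for example `# Upstream release signing key, fingerprint B818B9CADF9089C2D5CEC66B75AD65802A0B4211 (as carried in the file name), fetched from https://github.com/stefanberger.gpg`. If the fingerprint was cross-checked against a second source when the key was imported, a short note saying where would let a later reviewer repeat the check.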
@@ -30,72 +37,133 @@ Requires: %{name}%{?_isa} = %{version}-%{release} Libtpms header files and documentation. %prep -%autosetup -p1 -n %{name}-%{gitdate} -%build -NOCONFIGURE=1 sh autogen.sh -%configure --disable-static --with-tpm2 --without-tpm1 --with-openssl -%make_build +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' +%autosetup -p1 -%check -make check +%build +NOCONFIGURE=1 ./autogen.sh +%configure --disable-static --with-tpm2 --with-openssl --without-tpm1 +%make_build %install %make_install -find %{buildroot} -type f -name '*.la' | xargs rm -f -- || : +find %{buildroot} -type f -name '*.la' -print -delete + +%check +make check %ldconfig_scriptlets %files %license LICENSE %doc README CHANGES -%{_libdir}/lib*.so.* +%{_libdir}/%{name}.so.0{,.*} %files devel -%dir %{_includedir}/%{name} -%{_includedir}/%{name}/*.h -%{_libdir}/lib*.so -%{_libdir}/pkgconfig/*.pc -%{_mandir}/man3/* +%{_includedir}/%{name}/ +%{_libdir}/%{name}.so +%{_libdir}/pkgconfig/%{name}.pc +%{_mandir}/man3/TPM* %changelog -* Mon Jun 20 2022 Marc-André Lureau - 0.9.1-2.20211126git1ff6fe1f43 -- Backport s_ContextSlotMask initialization fix - Resolves: rhbz#2035731 +* Mon Jun 16 2025 Marc-André Lureau - 0.9.6-11 +- Fix CVE-2025-49133 + Resolves: RHEL-96247 -* Mon Jun 13 2022 Marc-André Lureau - 0.9.1-1.20211126git1ff6fe1f43 -- Backport RSA/OAEP fixes. 
- Resolves: rhbz#2093651 +* Tue Oct 29 2024 Troy Dawson - 0.9.6-10 +- Bump release for October 2024 mass rebuild: + Resolves: RHEL-64018 -* Wed Dec 01 2021 Marc-André Lureau - 0.9.1-0.20211126git1ff6fe1f43 -- Rebase to 0.9.1 - Resolves: rhbz#2027951 +* Wed Sep 11 2024 Marc-André Lureau - 0.9.6-9 +- Backport "tpm2: Return TPM_RC_VALUE upon decryption failure" + Resolves: RHEL-52968 -* Tue Nov 9 2021 Marc-André Lureau - 0.9.0-0.20211004gitdc4e3f6313 -- Rebase to 0.9.0, disable TPM 1.2 - Resolves: rhbz#1990152 & rhbz#2021628 +* Tue Aug 06 2024 Marc-André Lureau - 0.9.6-8 +- Disable TPM 1.2 support, as it is not supported by RHEL. -* Tue Aug 31 2021 Marc-André Lureau - 0.8.2-0.20210301git729fc6a4ca.7 -- Fixes CVE-2021-3746 libtpms: out-of-bounds access via specially crafted TPM 2 command packets - Resolves: rhbz#1999303 +* Mon Jun 24 2024 Troy Dawson - 0.9.6-7 +- Bump release for June 2024 mass rebuild -* Mon Aug 09 2021 Mohan Boddu - 0.8.2-0.20210301git729fc6a4ca.6 -- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Related: rhbz#1991688 +* Thu Jan 25 2024 Fedora Release Engineering - 0.9.6-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild -* Wed Jun 30 2021 Marc-André Lureau - 0.8.2-0.20210301git729fc6a4ca.5 -- Fixes CVE-2021-3623: out-of-bounds access when trying to resume the state of the vTPM - Resolves: rhbz#1976814 +* Sun Jan 21 2024 Fedora Release Engineering - 0.9.6-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild -* Wed Jun 16 2021 Mohan Boddu - 0.8.2-0.20210301git729fc6a4ca.4 -- Rebuilt for RHEL 9 BETA for openssl 3.0 - Related: rhbz#1971065 +* Thu Jul 20 2023 Fedora Release Engineering - 0.9.6-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild -* Tue May 18 2021 Marc-André Lureau - 0.8.2-0.20210301git729fc6a4ca.3 -- Add -Wno-error=deprecated-declarations, to ignore OpenSSL 3.0 deprecation warnings. 
- Fixes: rhbz#1958054 +* Mon Jul 17 2023 Stefan Berger - 0.9.6-3 +- Set license to 'BSD and TCGL' from previous 'BSD' (BZ2219548) -* Fri Apr 16 2021 Mohan Boddu - 0.8.2-0.20210301git729fc6a4ca.2 -- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 +* Sat Mar 18 2023 Todd Zullinger - 0.9.6-2 +- verify upstream source signature + +* Tue Feb 28 2023 Stefan Berger - 0.9.6-1 +- Build of libtpms 0.9.6 with fixes for CVE-2023-1017 & CVE-2023-1018 + +* Thu Jan 19 2023 Fedora Release Engineering - 0.9.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Thu Jul 21 2022 Fedora Release Engineering - 0.9.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Fri Jul 01 2022 Stefan Berger - 0.9.5-1 +- Build of libtpms 0.9.5 + +* Wed Apr 27 2022 Fabio Valentini - 0.9.4-2 +- Use standard method for fetching a GitHub release tarball. +- Fix Versioning scheme to confirm with Packaging Guidelines. +- Tighten file globs to match Packaging Guidelines. 
+ +* Mon Apr 25 2022 Stefan Berger - 0.9.4-1.20220425gite4d68670e1 +- Build of libtpms 0.9.4 + +* Mon Mar 07 2022 Stefan Berger - 0.9.3-1.20220307gita63c51805e +- Build of libtpms 0.9.3 + +* Thu Jan 20 2022 Fedora Release Engineering - 0.9.2-0.20220106gite81d634c27.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Thu Jan 06 2022 Stefan Berger - 0.9.2-0.20220106gite81d634c27 +- Build of libtpms 0.9.2 + +* Fri Nov 26 2021 Stefan Berger - 0.9.1-0.20211126git1ff6fe1f43 +- Build of libtpms 0.9.1 + +* Mon Oct 04 2021 Stefan Berger - 0.9.0-0.20211004gitdc4e3f6313 +- Build of libtpms 0.9.0 + +* Thu Sep 16 2021 Stefan Berger - 0.8.7-0.20210916gitfb9f0a61e8 +- Build upcoming libtpms 0.8.7 + +* Wed Sep 15 2021 Sahana Prasad - 0.8.6-0.20210910git7a4d46a119.3 +- Rebuilt with OpenSSL 3.0.0 + +* Tue Sep 14 2021 Stefan Berger - 0.8.6-0.20210910git7a4d46a119.2 +- Build with -Wno-deprecated-declarations + +* Tue Sep 14 2021 Sahana Prasad - 0.8.6-0.20210910git7a4d46a119.1 +- Rebuilt with OpenSSL 3.0.0 + +* Fri Sep 10 2021 Stefan Berger - 0.8.6-1.20210910git7a4d46a119 +- tpm2: Marshal event sequence objects' hash state + +* Wed Sep 01 2021 Stefan Berger - 0.8.5-1.20210901git18ba4c0206 +- Build of libtpms 0.8.5 + +* Wed Aug 11 2021 Stefan Berger - 0.8.4-1.20210625gita594c4692a +- Applied patches resolving issues solved in upcoming 0.8.5 + +* Thu Jul 22 2021 Fedora Release Engineering - 0.8.4-0.20210624gita594c4692a.2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Thu Jun 24 2021 Stefan Berger - 0.8.4-0.20210625gita594c4692a +- tpm2: Reset too large size indicators in TPM2B to avoid access beyond buffer +- tpm2: Restore original value in buffer if unmarshalled one was illegal + +* Tue Jun 01 2021 Stefan Berger - 0.8.3-0.20210601git9e736d5281 +- tpm2: Work-around for Windows 2016 & 2019 bug related to ContextLoad * Mon Mar 01 2021 Stefan Berger - 0.8.2-0.20210301git729fc6a4ca - tpm2: CryptSym: fix AES output IV; a CVE has been filed 
for this issue @@ -103,6 +171,9 @@ find %{buildroot} -type f -name '*.la' | xargs rm -f -- || : * Sat Feb 27 2021 Stefan Berger - 0.8.1-0.20210227git5bf2746e47 - Fixed a context save and suspend/resume problem when public keys are loaded +* Thu Feb 25 2021 Stefan Berger - 0.8.0-0.20210225git3fd4b94903 +- Release of v0.8.0 + * Thu Feb 18 2021 Stefan Berger - 0.7.5-0.20210218gite271498466 - Addressed UBSAN and cppcheck detected issues - Return proper size of ECC Parameters to pass HLK tests