import swtpm-0.8.0-1.el9

This commit is contained in:
CentOS Sources 2023-03-28 12:16:58 +00:00 committed by Stepan Oksanichenko
parent d7260dbfb7
commit 253f4d950a
5 changed files with 67 additions and 80 deletions

.gitignore vendored

@ -1 +1 @@
SOURCES/swtpm-b79fd91.tar.gz SOURCES/swtpm-0.8.0.tar.gz


@ -1 +1 @@
b79a2d005663868139f0678cddeecf70278ec219 SOURCES/swtpm-b79fd91.tar.gz 742e598ae731d3aa7283b104153cfabdc3b73643 SOURCES/swtpm-0.8.0.tar.gz


@ -1,54 +0,0 @@
From 9f740868fc36761de27df3935513bdebf8852d19 Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Wed, 16 Feb 2022 11:17:47 -0500
Subject: [PATCH] swtpm: Check header size indicator against expected size (CID
375869)
This fix addresses Coverity issue CID 375869.
Check the header size indicated in the header of the state against the
expected size and return an error code in case the header size indicator
is different. There was only one header size so far since blobheader was
introduced, so we don't need to deal with different sizes.
Without this fix a specially craft header could have cause out-of-bounds
accesses on the byte array containing the swtpm's state.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
src/swtpm/swtpm_nvstore.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/swtpm/swtpm_nvstore.c b/src/swtpm/swtpm_nvstore.c
index 437088370e11..144d8975ec54 100644
--- a/src/swtpm/swtpm_nvstore.c
+++ b/src/swtpm/swtpm_nvstore.c
@@ -1075,6 +1075,7 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length,
uint8_t *hdrversion, bool quiet)
{
blobheader *bh = (blobheader *)data;
+ uint16_t hdrsize;
if (length < sizeof(bh)) {
if (!quiet)
@@ -1100,8 +1101,16 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length,
return TPM_BAD_VERSION;
}
+ hdrsize = ntohs(bh->hdrsize);
+ if (hdrsize != sizeof(blobheader)) {
+ logprintf(STDERR_FILENO,
+ "bad header size: %u != %zu\n",
+ hdrsize, sizeof(blobheader));
+ return TPM_BAD_DATASIZE;
+ }
+
*hdrversion = bh->version;
- *dataoffset = ntohs(bh->hdrsize);
+ *dataoffset = hdrsize;
*hdrflags = ntohs(bh->flags);
return TPM_SUCCESS;
--
2.34.1.428.gdcc0cd074f0c


@ -0,0 +1,37 @@
From 95cd8db3dc822d8f741b90d560e50f44841f9d29 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Tue, 22 Nov 2022 11:24:57 +0400
Subject: [PATCH] swtpm_setup: fix -Werror=maybe-uninitialized
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
/usr/include/glib-2.0/glib/glib-autocleanups.h:30:3: error: argv may be used uninitialized [-Werror=maybe-uninitialized]
30 | g_free (*pp);
| ^~~~~~~~~~~~
swtpm_setup.c: In function get_swtpm_capabilities.constprop.0:
swtpm_setup.c:940:24: note: argv was declared here
940 | g_autofree gchar **argv;
| ^~~~
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
---
src/swtpm_setup/swtpm_setup.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/swtpm_setup/swtpm_setup.c b/src/swtpm_setup/swtpm_setup.c
index 1b528c8..3570235 100644
--- a/src/swtpm_setup/swtpm_setup.c
+++ b/src/swtpm_setup/swtpm_setup.c
@@ -937,7 +937,7 @@ static int get_swtpm_capabilities(gchar **swtpm_prg_l, gboolean is_tpm2,
gchar *my_argv[] = { "--print-capabilities", is_tpm2 ? "--tpm2" : NULL, NULL };
g_autofree gchar *logop = NULL;
g_autoptr(GError) error = NULL;
- g_autofree gchar **argv;
+ g_autofree gchar **argv = NULL;
int exit_status = 0;
gboolean success;
int ret = 1;
--
2.38.1
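Review bot: The patch description presents the `g_autofree gchar **argv = NULL;` change as silencing -Werror=maybe-uninitialized, but with `g_autofree` the compiler-inserted cleanup calls `g_free(argv)` on every exit from the scope, so if get_swtpm_capabilities has any return path between this declaration and the first assignment to `argv`, the old code passed an indeterminate pointer to g_free — an actual invalid-free bug, not just a diagnostic. The body of get_swtpm_capabilities starts and ends outside the hunk, so I cannot see from here whether such a path exists; if it does, the patch description (and the 0.8.0-1 %changelog) should say so, e.g. `Initialize argv so the g_autofree cleanup never frees an uninitialized pointer on early return`. If no such path exists, a sentence stating that the warning was a false positive would equally remove the ambiguity.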


@ -1,9 +1,5 @@
%bcond_without gnutls %bcond_without gnutls
%global gitdate 20211109
%global gitcommit b79fd91c4b4a74c9c5027b517c5036952c5525db
%global gitshortcommit %(c=%{gitcommit}; echo ${c:0:7})
# Macros needed by SELinux # Macros needed by SELinux
%global selinuxtype targeted %global selinuxtype targeted
%global moduletype contrib %global moduletype contrib
@ -11,12 +7,12 @@
Summary: TPM Emulator Summary: TPM Emulator
Name: swtpm Name: swtpm
Version: 0.7.0 Version: 0.8.0
Release: 2.%{gitdate}git%{gitshortcommit}%{?dist} Release: 1%{?dist}
License: BSD License: BSD
Url: http://github.com/stefanberger/swtpm Url: https://github.com/stefanberger/swtpm
Source0: %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
Patch0001: 0001-swtpm-Check-header-size-indicator-against-expected-s.patch Patch0001: 0001-swtpm_setup-fix-Werror-maybe-uninitialized.patch
BuildRequires: make BuildRequires: make
BuildRequires: git-core BuildRequires: git-core
@ -24,12 +20,13 @@ BuildRequires: automake
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: libtool BuildRequires: libtool
BuildRequires: libtpms-devel >= 0.6.0 BuildRequires: libtpms-devel >= 0.6.0
BuildRequires: glib2-devel
BuildRequires: json-glib-devel
BuildRequires: expect BuildRequires: expect
BuildRequires: net-tools BuildRequires: net-tools
BuildRequires: openssl-devel BuildRequires: openssl-devel
BuildRequires: socat BuildRequires: socat
BuildRequires: softhsm BuildRequires: softhsm
BuildRequires: json-glib-devel
%if %{with gnutls} %if %{with gnutls}
BuildRequires: gnutls >= 3.4.0 BuildRequires: gnutls >= 3.4.0
BuildRequires: gnutls-devel BuildRequires: gnutls-devel
@ -41,7 +38,6 @@ BuildRequires: selinux-policy-devel
BuildRequires: gcc BuildRequires: gcc
BuildRequires: libseccomp-devel BuildRequires: libseccomp-devel
BuildRequires: tpm2-pkcs11 tpm2-pkcs11-tools tpm2-tools tpm2-abrmd BuildRequires: tpm2-pkcs11 tpm2-pkcs11-tools tpm2-tools tpm2-abrmd
BuildRequires: python3-devel
Requires: %{name}-libs = %{version}-%{release} Requires: %{name}-libs = %{version}-%{release}
Requires: libtpms >= 0.6.0 Requires: libtpms >= 0.6.0
@ -75,7 +71,7 @@ Requires: bash gnutls-utils
Tools for the TPM emulator from the swtpm package Tools for the TPM emulator from the swtpm package
%package tools-pkcs11 %package tools-pkcs11
Summary: Tools for creating a local CA based on a TPM pkcs11 device Summary: Tools for creating a local CA based on a pkcs11 device
License: BSD License: BSD
Requires: swtpm-tools = %{version}-%{release} Requires: swtpm-tools = %{version}-%{release}
Requires: tpm2-pkcs11 tpm2-pkcs11-tools tpm2-tools tpm2-abrmd Requires: tpm2-pkcs11 tpm2-pkcs11-tools tpm2-tools tpm2-abrmd
@ -85,7 +81,7 @@ Requires: expect gnutls-utils
Tools for creating a local CA based on a pkcs11 device Tools for creating a local CA based on a pkcs11 device
%prep %prep
%autosetup -S git -n %{name}-%{gitcommit} -p1 %autosetup -S git -p1
%build %build
@ -94,8 +90,7 @@ NOCONFIGURE=1 ./autogen.sh
%if %{with gnutls} %if %{with gnutls}
--with-gnutls \ --with-gnutls \
%endif %endif
--without-cuse \ --without-cuse
--without-tpm1
%make_build %make_build
@ -106,6 +101,7 @@ make %{?_smp_mflags} check VERBOSE=1
%make_install %make_install
rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/*.{a,la,so} rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/*.{a,la,so}
rm $RPM_BUILD_ROOT%{_mandir}/man8/swtpm_cuse.8*
%post %post
for pp in /usr/share/selinux/packages/swtpm.pp \ for pp in /usr/share/selinux/packages/swtpm.pp \
@ -160,12 +156,12 @@ fi
%{_mandir}/man8/swtpm_bios.8* %{_mandir}/man8/swtpm_bios.8*
%{_mandir}/man8/swtpm_cert.8* %{_mandir}/man8/swtpm_cert.8*
%{_mandir}/man8/swtpm_ioctl.8* %{_mandir}/man8/swtpm_ioctl.8*
%{_mandir}/man8/swtpm-localca.conf.8* %{_mandir}/man5/swtpm-localca.conf.5*
%{_mandir}/man8/swtpm-localca.options.8* %{_mandir}/man5/swtpm-localca.options.5*
%{_mandir}/man8/swtpm-localca.8* %{_mandir}/man8/swtpm-localca.8*
%{_mandir}/man8/swtpm_localca.8* %{_mandir}/man8/swtpm_localca.8*
%{_mandir}/man8/swtpm_setup.8* %{_mandir}/man8/swtpm_setup.8*
%{_mandir}/man8/swtpm_setup.conf.8* %{_mandir}/man5/swtpm_setup.conf.5*
%config(noreplace) %{_sysconfdir}/swtpm_setup.conf %config(noreplace) %{_sysconfdir}/swtpm_setup.conf
%config(noreplace) %{_sysconfdir}/swtpm-localca.options %config(noreplace) %{_sysconfdir}/swtpm-localca.options
%config(noreplace) %{_sysconfdir}/swtpm-localca.conf %config(noreplace) %{_sysconfdir}/swtpm-localca.conf
@ -179,6 +175,14 @@ fi
%{_datadir}/swtpm/swtpm-create-tpmca %{_datadir}/swtpm/swtpm-create-tpmca
%changelog %changelog
* Tue Nov 22 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.8.0-1
- Update to v0.8.0 release
Resolves: rhbz#2092944
* Fri Jun 17 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-3.20211109gitb79fd91
- Disable OpenSSL FIPS mode to avoid libtpms failures
Resolves: rhbz#2090219
* Mon Feb 21 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-2.20211109gitb79fd91 * Mon Feb 21 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-2.20211109gitb79fd91
- Add fix for CVE-2022-23645. - Add fix for CVE-2022-23645.
Resolves: rhbz#2056518 Resolves: rhbz#2056518
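Review bot: The Patch0001 line drops 0001-swtpm-Check-header-size-indicator-against-expected-s.patch (the CVE-2022-23645 header-size check, upstream 9f740868) and replaces it with the -Werror fix, yet nothing in the commit or the new 0.8.0-1 %changelog entry records that v0.8.0 already contains that fix; a reviewer auditing the CVE status of this package has to re-derive it from the tarball. I'd add a changelog line such as `- Drop header-size check patch, fix for CVE-2022-23645 (rhbz#2056518) is included in v0.8.0 upstream` after confirming against src/swtpm/swtpm_nvstore.c in the 742e598a… tarball — presumably true for a release cut after February 2022, but it should be verified rather than assumed. Separately, removing `--without-tpm1` from the configure invocation re-enables TPM 1.2 emulation in the built binary, which widens the shipped feature set and attack surface relative to 0.7.0-2; if that is intentional it deserves its own changelog line, otherwise the flag should be kept. The spec is shown only in hunks, so I cannot tell whether the FIPS-mode change mentioned in the 0.7.0-3 entry was carried by a patch that is likewise now absorbed upstream.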