Hello community,

here is the log from the commit of package libtpms for openSUSE:Factory checked in at 2026-03-25 21:17:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libtpms (Old)
 and /work/SRC/openSUSE:Factory/.libtpms.new.8177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libtpms" Wed Mar 25 21:17:40 2026 rev:24 rq:1342542 version:0.10.2 Changes: -------- --- /work/SRC/openSUSE:Factory/libtpms/libtpms.changes 2025-08-25 20:37:14.441935769 +0200 +++ /work/SRC/openSUSE:Factory/.libtpms.new.8177/libtpms.changes 2026-03-27 06:43:33.979264765 +0100 @@ -1,0 +2,8 @@ +Wed Mar 18 12:38:14 UTC 2026 - Richard Biener <[email protected]> + +- Update to version 0.10.2: + * tpm2: Fix memory leak by freeing KDF context + * tpm2: Fix retrieval of updated IV when using OpenSSL >= 3.0 (CVE-2026-21444 bsc#1260439) +- Add libtpms-fix-const-correctness.patch to fix build with new glibc (bsc#1257311) + +------------------------------------------------------------------- Old: ---- libtpms-0.10.1.tar.gz New: ---- libtpms-0.10.2.tar.gz libtpms-fix-const-correctness.patch ----------(New B)---------- New: * tpm2: Fix retrieval of updated IV when using OpenSSL >= 3.0 (CVE-2026-21444 bsc#1260439) - Add libtpms-fix-const-correctness.patch to fix build with new glibc (bsc#1257311) ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libtpms.spec ++++++ --- /var/tmp/diff_new_pack.dExnTS/_old 2026-03-27 06:43:34.463284762 +0100 +++ /var/tmp/diff_new_pack.dExnTS/_new 2026-03-27 06:43:34.463284762 +0100 @@ -1,7 +1,7 @@ # # spec file for package libtpms # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -18,13 +18,14 @@ %define lname libtpms0 Name: libtpms -Version: 0.10.1 +Version: 0.10.2 Release: 0 Summary: Library providing Trusted Platform Module (TPM) functionality License: BSD-3-Clause Group: Development/Libraries/C and C++ URL: https://github.com/stefanberger/libtpms Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz +Patch0: libtpms-fix-const-correctness.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: fdupes ++++++ libtpms-0.10.1.tar.gz -> libtpms-0.10.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libtpms-0.10.1/CHANGES new/libtpms-0.10.2/CHANGES --- old/libtpms-0.10.1/CHANGES 2025-06-10 18:04:17.000000000 +0200 +++ new/libtpms-0.10.2/CHANGES 2026-01-02 16:56:41.000000000 +0100 @@ -1,5 +1,9 @@ CHANGES - changes for libtpms +version 0.10.2: + - tpm2: Fix memory leak by freeing KDF context + - tpm2: Fix retrieval of updated IV when using OpenSSL >= 3.0 (CVE-2026-21444) + version 0.10.1: - tpm2: Fix potential out-of-bound access & abort due to HMAC signing issue (CVE-2025-49133) - tpm2: fix build for LibreSSL 4.1.0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libtpms-0.10.1/configure.ac new/libtpms-0.10.2/configure.ac --- old/libtpms-0.10.1/configure.ac 2025-06-10 18:04:17.000000000 +0200 +++ new/libtpms-0.10.2/configure.ac 2026-01-02 16:56:41.000000000 +0100 @@ -3,7 +3,7 @@ # # See the LICENSE file for the license associated with this file. -AC_INIT([libtpms],[0.10.1]) +AC_INIT([libtpms],[0.10.2]) AC_PREREQ([2.69]) AC_CONFIG_SRCDIR(Makefile.am) AC_CONFIG_AUX_DIR([.]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libtpms-0.10.1/debian/changelog new/libtpms-0.10.2/debian/changelog --- old/libtpms-0.10.1/debian/changelog 2025-06-10 18:04:17.000000000 +0200 +++ new/libtpms-0.10.2/debian/changelog 2026-01-02 16:56:41.000000000 +0100 
@@ -1,3 +1,10 @@ +libtpms (0.10.2) RELEASED; urgency=high + + * tpm2: Fix memory leak by freeing KDF context + * tpm2: Fix retrieval of updated IV when using OpenSSL >= 3.0 (CVE-2026-21444) + + -- Stefan Berger <[email protected]> Tue, 2 Jan 2026 09:00:00 -0500 + libtpms (0.10.1) RELEASED; urgency=high * tpm2: Fix potential out-of-bound access & abort due to HMAC signing issue (CVE-2025-49133) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libtpms-0.10.1/dist/libtpms.spec new/libtpms-0.10.2/dist/libtpms.spec --- old/libtpms-0.10.1/dist/libtpms.spec 2025-06-10 18:04:17.000000000 +0200 +++ new/libtpms-0.10.2/dist/libtpms.spec 2026-01-02 16:56:41.000000000 +0100 @@ -1,7 +1,7 @@ # --- libtpm rpm-spec --- %define name libtpms -%define version 0.10.1 +%define version 0.10.2 %define release 0~dev1 # Valid crypto subsystems are 'freebl' and 'openssl' @@ -112,6 +112,10 @@ %postun -p /sbin/ldconfig %changelog +* Fri Jan 02 2026 Stefan Berger - 0.10.2-1 +- tpm2: Fix memory leak by freeing KDF context +- tpm2: Fix retrieval of updated IV when using OpenSSL >= 3.0 (CVE-2026-21444) + * Tue Jun 10 2025 Stefan Berger - 0.10.1-1 - tpm2: Fix potential out-of-bound access & abort due to HMAC signing issue (CVE-2025-49133) - tpm2: fix build for LibreSSL 4.1.0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libtpms-0.10.1/dist/libtpms.spec.in new/libtpms-0.10.2/dist/libtpms.spec.in --- old/libtpms-0.10.1/dist/libtpms.spec.in 2025-06-10 18:04:17.000000000 +0200 +++ new/libtpms-0.10.2/dist/libtpms.spec.in 2026-01-02 16:56:41.000000000 +0100 
@@ -112,6 +112,10 @@ %postun -p /sbin/ldconfig %changelog +* Fri Jan 02 2026 Stefan Berger - 0.10.2-1 +- tpm2: Fix memory leak by freeing KDF context +- tpm2: Fix retrieval of updated IV when using OpenSSL >= 3.0 (CVE-2026-21444) + * Tue Jun 10 2025 Stefan Berger - 0.10.1-1 - tpm2: Fix potential out-of-bound access & abort due to HMAC signing issue (CVE-2025-49133) - tpm2: fix build for LibreSSL 4.1.0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libtpms-0.10.1/include/libtpms/tpm_library.h new/libtpms-0.10.2/include/libtpms/tpm_library.h --- old/libtpms-0.10.1/include/libtpms/tpm_library.h 2025-06-10 18:04:17.000000000 +0200 +++ new/libtpms-0.10.2/include/libtpms/tpm_library.h 2026-01-02 16:56:41.000000000 +0100 @@ -50,7 +50,7 @@ #define TPM_LIBRARY_VER_MAJOR 0 #define TPM_LIBRARY_VER_MINOR 10 -#define TPM_LIBRARY_VER_MICRO 1 +#define TPM_LIBRARY_VER_MICRO 2 #define TPM_LIBRARY_VERSION_GEN(MAJ, MIN, MICRO) \ (( MAJ << 16 ) | ( MIN << 8 ) | ( MICRO )) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libtpms-0.10.1/src/tpm2/crypto/openssl/Helpers.c new/libtpms-0.10.2/src/tpm2/crypto/openssl/Helpers.c --- old/libtpms-0.10.1/src/tpm2/crypto/openssl/Helpers.c 2025-06-10 18:04:17.000000000 +0200 +++ new/libtpms-0.10.2/src/tpm2/crypto/openssl/Helpers.c 2026-01-02 16:56:41.000000000 +0100 @@ -354,7 +354,7 @@ { #if OPENSSL_VERSION_NUMBER >= 0x30000000L OSSL_PARAM params[] = { - OSSL_PARAM_octet_ptr(OSSL_CIPHER_PARAM_UPDATED_IV, &iv, iv_len), + OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_UPDATED_IV, iv, iv_len), OSSL_PARAM_END }; if (EVP_CIPHER_CTX_get_params(ctx, params) != 1) @@ -1131,7 +1131,7 @@ size_t buffer_size = 0; UINT16 generated = 0; size_t offset = 0; - EVP_KDF_CTX *ctx; + EVP_KDF_CTX *ctx = NULL; EVP_KDF *kdf; char *buffer; INT16 bytes; // number of bytes to generate 
@@ -1197,6 +1197,7 @@ generated = bytes; out: + EVP_KDF_CTX_free(ctx); EVP_KDF_free(kdf); free(buffer); ++++++ libtpms-fix-const-correctness.patch ++++++ >From fc8820cfaa8b5e17328f731df93911f6ab92443b Mon Sep 17 00:00:00 2001 From: Stefan Berger <[email protected]> Date: Fri, 2 Jan 2026 11:37:31 -0500 Subject: [PATCH] Fix a compilation error in TPMLIB_GetPlaintext Fix a compilation error that newer gcc versions may complain about: tpm_library.c: In function 'TPMLIB_GetPlaintext': tpm_library.c:441:11: error: assignment discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers] 441 | start = strstr(stream, starttag); | ^ At top level: cc1: note: unrecognized command-line option '-Wno-self-assign' may have been intended to silence earlier diagnostics cc1: all warnings being treated as errors Signed-off-by: Stefan Berger <[email protected]> --- src/tpm_library.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tpm_library.c b/src/tpm_library.c index f48f4fd3..7b2ea687 100644 --- a/src/tpm_library.c +++ b/src/tpm_library.c @@ -435,7 +435,7 @@ static unsigned char *TPMLIB_GetPlaintext(const char *stream, const char *endtag, size_t *length) { - char *start, *end; + const char *start, *end; unsigned char *plaintext = NULL; start = strstr(stream, starttag); -- 2.51.0
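Review bot: The libtpms.spec hunk at line 18 declares `Patch0: libtpms-fix-const-correctness.patch`, but no %prep change is visible anywhere in this diff, so whether the patch is applied depends on %prep already using %autosetup or an equivalent that picks up new patches. Please confirm it is applied during the build, and add a comment above Patch0 naming the upstream commit (fc8820cfaa8b5e17328f731df93911f6ab92443b from the patch header) so it is easy to drop on the next version update.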
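Review bot: In the debian/changelog hunk the new trailer reads `Tue, 2 Jan 2026 09:00:00 -0500`, while the rpm changelog entries in dist/libtpms.spec and dist/libtpms.spec.in say `Fri Jan 02 2026` and the patch header in this same mail says `Fri, 2 Jan 2026`. The weekday in the Debian trailer does not match the date and should be `Fri`, since changelog parsers can warn about or reject an inconsistent day name.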
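Review bot: In the Helpers.c hunk at line 354, replacing `OSSL_PARAM_octet_ptr(..., &iv, iv_len)` with `OSSL_PARAM_octet_string(..., iv, iv_len)` changes the contract from "provider hands back a pointer" to "provider copies into the caller's buffer", so `iv` must now be writable storage of at least `iv_len` bytes, and the only check visible is `EVP_CIPHER_CTX_get_params(ctx, params) != 1`. Since this is the CVE-2026-21444 fix, a short comment stating why octet_string is required here would keep it from being reverted, and checking `params[0].return_size` against `iv_len` after the call would catch a provider that returns a shorter IV than expected. A regression test that runs two chained operations and compares the carried-over IV would also be worth adding, as nothing in this diff exercises the fixed path.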
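Review bot: In the Helpers.c hunks at lines 1131 and 1197, `ctx` is now initialised to NULL because the `out:` label frees it, but the neighbouring declarations `EVP_KDF *kdf;` and `char *buffer;` stay uninitialised in the visible context and are released at the same label with `EVP_KDF_free(kdf);` and `free(buffer);`. Please confirm that no `goto out` can run before both are assigned, or initialise them to NULL as well so the cleanup path is safe from every jump; the function body between the two hunks is not shown here, so this cannot be checked from the diff alone.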
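Review bot: In libtpms-fix-const-correctness.patch the commit message attributes the failure at `start = strstr(stream, starttag);` to "newer gcc versions", while the package changelog records the same patch as fixing the build "with new glibc (bsc#1257311)". The two descriptions should agree on the trigger so that whoever later decides to drop the patch knows which toolchain component to test against. The code change itself (`const char *start, *end;`) matches the `const char *stream` parameter shown in the context; it is worth confirming that nothing further down in TPMLIB_GetPlaintext writes through `start` or `end`, which the hunk does not show.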
