Hello community, here is the log from the commit of package swtpm for openSUSE:Factory checked in at 2020-11-23 15:48:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/swtpm (Old) and /work/SRC/openSUSE:Factory/.swtpm.new.5913 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "swtpm" Mon Nov 23 15:48:47 2020 rev:2 rq:850055 version:0.5.1 Changes: -------- --- /work/SRC/openSUSE:Factory/swtpm/swtpm.changes 2020-11-10 13:44:47.223837644 +0100 +++ /work/SRC/openSUSE:Factory/.swtpm.new.5913/swtpm.changes 2020-11-23 16:21:22.615882284 +0100 @@ -1,0 +2,11 @@ +Sun Nov 22 03:16:13 UTC 2020 - Kai Liu <kai....@suse.com> + +- Update to version 0.5.1 + * swtpm & swtpm_setup: + - Addressed potential symlink attack issue (CVE-2020-28407) + * build-sys: + - Fix configure python cryptography error message + +- Misc. spec file changes. + +------------------------------------------------------------------- Old: ---- v0.5.0.tar.gz New: ---- v0.5.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ swtpm.spec ++++++ --- /var/tmp/diff_new_pack.aLJayE/_old 2020-11-23 16:21:23.179883112 +0100 +++ /var/tmp/diff_new_pack.aLJayE/_new 2020-11-23 16:21:23.183883118 +0100 @@ -1,7 +1,7 @@ # # spec file for package swtpm # -# Copyright (c) 2019 SUSE LLC +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -12,21 +12,24 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # + +# Scripts in this package are python3 +%define skip_python2 1 + Name: swtpm -Version: 0.5.0 +Version: 0.5.1 Release: 0 Summary: Software TPM emulator License: BSD-3-Clause Group: System/Base -Url: https://github.com/stefanberger/swtpm +URL: https://github.com/stefanberger/swtpm Source: https://github.com/stefanberger/swtpm/archive/v%{version}.tar.gz BuildRequires: autoconf BuildRequires: automake BuildRequires: expect -BuildRequires: libtool BuildRequires: fuse-devel BuildRequires: glib2-devel BuildRequires: gnutls @@ -34,6 +37,7 @@ BuildRequires: libopenssl-devel BuildRequires: libseccomp-devel BuildRequires: libtasn1-devel +BuildRequires: libtool BuildRequires: libtpms-devel BuildRequires: python3-cryptography BuildRequires: socat @@ -58,9 +62,9 @@ Group: Development/Libraries/C and C++ Requires: %{name} = %{version} Requires: glib2-devel -Requires: libtpms-devel Requires: libopenssl-devel Requires: libseccomp-devel +Requires: libtpms-devel %description devel The development files for SWTPM @@ -69,6 +73,16 @@ %setup -q -n %{name}-%{version} %build + +# Fix rpmlint env-script-interpreter error +sed -i -e "s|^#!/usr/bin/env |#!/usr/bin/|" \ + %_builddir/%buildsubdir/src/swtpm_setup/swtpm_setup.in \ + %_builddir/%buildsubdir/src/swtpm_setup/py_swtpm_setup/swtpm_setup.py \ + %_builddir/%buildsubdir/samples/swtpm-create-tpmca \ + %_builddir/%buildsubdir/samples/swtpm-create-user-config-files.in \ + %_builddir/%buildsubdir/samples/swtpm-localca.in \ + %_builddir/%buildsubdir/samples/py_swtpm_localca/swtpm_localca.py + ./autogen.sh %configure --with-openssl --disable-static \ --with-tss-user=root --with-tss-group=tss 
@@ -82,7 +96,8 @@ %files %defattr(-,root,root) -%doc README LICENSE +%doc CHANGES README TODO +%license LICENSE %{_bindir}/swtpm* %config %{_sysconfdir}/swtpm* %dir %{_datadir}/swtpm ++++++ v0.5.0.tar.gz -> v0.5.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.5.0/CHANGES new/swtpm-0.5.1/CHANGES --- old/swtpm-0.5.0/CHANGES 2020-10-07 20:24:43.000000000 +0200 +++ new/swtpm-0.5.1/CHANGES 2020-11-17 21:47:43.000000000 +0100 @@ -1,5 +1,11 @@ CHANGES - changes for swtpm +version 0.5.1: + - swtpm & swtpm_setup: + - Addressed potential symlink attack issue (CVE-2020-28407) + - build-sys: + - Fix configure python cryptography error message + version 0.5.0: - swtpm: - Write files atomically using a temp file and then renaming diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.5.0/configure.ac new/swtpm-0.5.1/configure.ac --- old/swtpm-0.5.0/configure.ac 2020-10-07 20:24:43.000000000 +0200 +++ new/swtpm-0.5.1/configure.ac 2020-11-17 21:47:43.000000000 +0100 @@ -23,7 +23,7 @@ # This file is derived from tpm-tool's configure.in. # -AC_INIT(swtpm, 0.5.0) +AC_INIT(swtpm, 0.5.1) AC_PREREQ(2.12) AC_CONFIG_SRCDIR(Makefile.am) AC_CONFIG_HEADER(config.h) @@ -372,7 +372,7 @@ $PYTHON -c "import cryptography" AS_IF([ test $? = 0 ], [AC_MSG_RESULT([yes])], - [AC_MSG_ERROR([python setuptools is required])]) + [AC_MSG_ERROR([python cryptography is required])]) AC_ARG_ENABLE([python-installation], AS_HELP_STRING([--disable-python-installation], [Disable running setup.py install for swtpm_setup])) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.5.0/debian/changelog new/swtpm-0.5.1/debian/changelog --- old/swtpm-0.5.0/debian/changelog 2020-10-07 20:24:43.000000000 +0200 +++ new/swtpm-0.5.1/debian/changelog 2020-11-17 21:47:43.000000000 +0100 
@@ -1,4 +1,10 @@ -swtpm (0.5.0-1) RELEASED; urgency=medium +swtpm (0.5.1) RELEASED; urgency=medium + + * Addressed potential symlink attack issue (CVE-2020-28407) + + -- Stefan Berger <stef...@linux.ibm.com> Fri, 13 Nov 2020 09:52:00 -0500 + +swtpm (0.5.0) RELEASED; urgency=medium * Stable release diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.5.0/dist/swtpm.spec new/swtpm-0.5.1/dist/swtpm.spec --- old/swtpm-0.5.0/dist/swtpm.spec 2020-10-07 20:24:43.000000000 +0200 +++ new/swtpm-0.5.1/dist/swtpm.spec 2020-11-17 21:47:43.000000000 +0100 @@ -1,6 +1,6 @@ %bcond_without gnutls -%global gitdate 20201007 +%global gitdate 20201113 %global gitcommit enter_commit_here %global gitshortcommit %(c=%{gitcommit}; echo ${c:0:7}) @@ -11,7 +11,7 @@ Summary: TPM Emulator Name: swtpm -Version: 0.5.0 +Version: 0.5.1 Release: 0.%{gitdate}git%{gitshortcommit}%{?dist} License: BSD Url: http://github.com/stefanberger/swtpm @@ -183,6 +183,9 @@ %{_datadir}/swtpm/swtpm-create-tpmca %changelog +* Fri Nov 13 2020 Stefan Berger <stef...@linux.ibm.com> - 0.5.1-0.20201113git------- +- v0.5.1 release: Addressed potential symlink attack issue (CVE-2020-28407) + * Wed Oct 7 2020 Stefan Berger <stef...@linux.ibm.com> - 0.5.0-0.20201007git------- - v0.5.0 release diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.5.0/dist/swtpm.spec.in new/swtpm-0.5.1/dist/swtpm.spec.in --- old/swtpm-0.5.0/dist/swtpm.spec.in 2020-10-07 20:24:43.000000000 +0200 +++ new/swtpm-0.5.1/dist/swtpm.spec.in 2020-11-17 21:47:43.000000000 +0100 @@ -1,6 +1,6 @@ %bcond_without gnutls -%global gitdate 20201007 +%global gitdate 20201113 %global gitcommit enter_commit_here %global gitshortcommit %(c=%{gitcommit}; echo ${c:0:7}) 
@@ -183,6 +183,9 @@ %{_datadir}/swtpm/swtpm-create-tpmca %changelog +* Fri Nov 13 2020 Stefan Berger <stef...@linux.ibm.com> - 0.5.1-0.20201113git------- +- v0.5.1 release: Addressed potential symlink attack issue (CVE-2020-28407) + * Wed Oct 7 2020 Stefan Berger <stef...@linux.ibm.com> - 0.5.0-0.20201007git------- - v0.5.0 release diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.5.0/samples/py_swtpm_localca/swtpm_localca.py new/swtpm-0.5.1/samples/py_swtpm_localca/swtpm_localca.py --- old/swtpm-0.5.0/samples/py_swtpm_localca/swtpm_localca.py 2020-10-07 20:24:43.000000000 +0200 +++ new/swtpm-0.5.1/samples/py_swtpm_localca/swtpm_localca.py 2020-11-17 21:47:43.000000000 +0100 @@ -574,6 +574,9 @@ sys.exit(0) if len(LOGFILE) > 0: + if os.path.islink(LOGFILE): + sys.stderr.write("Logfile must not be a symlink.\n") + sys.exit(1) try: fobj = open(LOGFILE, "a") # do not truncate fobj.close() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.5.0/samples/py_swtpm_localca/swtpm_utils.py new/swtpm-0.5.1/samples/py_swtpm_localca/swtpm_utils.py --- old/swtpm-0.5.0/samples/py_swtpm_localca/swtpm_utils.py 2020-10-07 20:24:43.000000000 +0200 +++ new/swtpm-0.5.1/samples/py_swtpm_localca/swtpm_utils.py 2020-11-17 21:47:43.000000000 +0100 
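Review bot: The `os.path.islink(LOGFILE)` test and the `open(LOGFILE, "a")` probe that follows are two separate path lookups, so a symlink planted between them is still followed by the probe open, and islink only inspects the final component, not a symlinked parent directory. Since append_to_file in this same release already opens the log with O_NOFOLLOW, the probe could do the same and drop the race: `fd = os.open(LOGFILE, os.O_WRONLY|os.O_APPEND|os.O_CREAT|os.O_NOFOLLOW, 0o640)` then `os.close(fd)`, reporting the resulting OSError (ELOOP for a symlink) in place of the islink message. The enclosing function starts and ends outside this hunk.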
@@ -3,17 +3,24 @@
 # pylint: disable=W0703
+import os
 import sys
 def append_to_file(filename, string):
     """" Append a string to a file """
     try:
-        fobj = open(filename, 'a')
-        fobj.write(string)
-        fobj.close()
-    except Exception:
+        filedesc = os.open(filename, os.O_WRONLY|os.O_APPEND|os.O_CREAT|os.O_NOFOLLOW, 0o640)
+        os.write(filedesc, string.encode('utf-8'))
+        os.close(filedesc)
+    except Exception as ex:
+        sys.stdout.write("Error: %s\n" % ex)
         sys.stdout.write(string)
+        try:
+            if filedesc > 0:
+                os.close(filedesc)
+        except Exception:
+            pass
 def logit(logfile, string):
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.5.0/src/swtpm/pidfile.c new/swtpm-0.5.1/src/swtpm/pidfile.c
--- old/swtpm-0.5.0/src/swtpm/pidfile.c 2020-10-07 20:24:43.000000000 +0200
+++ new/swtpm-0.5.1/src/swtpm/pidfile.c 2020-11-17 21:47:43.000000000 +0100
@@ -37,11 +37,13 @@
 #include "config.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
 #include <string.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <errno.h>
-#include <unistd.h>
 #include "pidfile.h"
 #include "logging.h"
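Review bot: `filedesc` is only bound if `os.open()` succeeds, so in exactly the case this change targets (open refused with ELOOP because of O_NOFOLLOW) the cleanup `if filedesc > 0:` raises NameError and is kept quiet only by the blanket `except Exception: pass`. Make the cleanup explicit by adding `filedesc = -1` above `try:` and testing `if filedesc >= 0:` (descriptor 0 is valid, even if unlikely here). Two smaller points: `os.write()` may return a short count for a long string without raising, so the log line can be silently cut, and the new `"Error: %s\n"` diagnostic goes to stdout rather than stderr.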
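Review bot: Dropping `#include <unistd.h>` while pidfile_write further down in this file now calls `close()` directly and uses `ssize_t` and `STDERR_FILENO` leaves those declarations to arrive only transitively, presumably through pidfile.h or logging.h; if that indirect include changes the file stops building. Keep it explicit next to the new headers: `#include <unistd.h>` after the `<fcntl.h>` line.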
@@ -77,40 +79,49 @@
  */
 int pidfile_write(pid_t pid)
 {
-    FILE *f;
+    int fd;
+    char buffer[32];
+    ssize_t nwritten;
     if (g_pidfile) {
-        f = fopen(g_pidfile, "w+");
+        fd = open(g_pidfile, O_WRONLY|O_CREAT|O_TRUNC|O_NOFOLLOW,
+                  S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
     } else if (pidfilefd >= 0) {
-        f = fdopen(pidfilefd, "w");
-        if (f) {
-            g_pidfile = fd_to_filename(pidfilefd);
-            if (!g_pidfile)
-                goto error;
-        }
+        fd = pidfilefd;
+        g_pidfile = fd_to_filename(pidfilefd);
+        if (!g_pidfile)
+            goto error;
     } else {
         return 0;
     }
-    if (!f) {
+    if (fd < 0) {
         logprintf(STDERR_FILENO, "Could not open pidfile %s : %s\n", g_pidfile, strerror(errno));
         goto error;
     }
-    if (fprintf(f, "%d", pid) < 0) {
+    if (snprintf(buffer, sizeof(buffer), "%d", pid) >= (int)sizeof(buffer)) {
+        logprintf(STDERR_FILENO, "Could not write pid to buffer\n");
+        goto error_close;
+    }
+
+    nwritten = write_full(fd, buffer, strlen(buffer));
+    if (nwritten < 0 || nwritten != (ssize_t)strlen(buffer)) {
         logprintf(STDERR_FILENO, "Could not write to pidfile : %s\n", strerror(errno));
-        goto error;
+        goto error_close;
     }
-    fclose(f);
+    close(fd);
     return 0;
+error_close:
+    if (fd != pidfilefd)
+        close(fd);
+
 error:
-    if (f)
-        fclose(f);
     return -1;
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.5.0/src/swtpm/swtpm_nvfile.c new/swtpm-0.5.1/src/swtpm/swtpm_nvfile.c
--- old/swtpm-0.5.0/src/swtpm/swtpm_nvfile.c 2020-10-07 20:24:43.000000000 +0200
+++ new/swtpm-0.5.1/src/swtpm/swtpm_nvfile.c 2020-11-17 21:47:43.000000000 +0100
@@ -88,6 +88,7 @@
 #include "tpmstate.h"
 #include "tpmlib.h"
 #include "tlv.h"
+#include "utils.h"
 /* local structures */
 typedef struct {
@@ -210,7 +211,7 @@
         return TPM_FAIL;
     }
-    *fd = open(lockfile, O_WRONLY|O_CREAT|O_TRUNC, 0660);
+    *fd = open(lockfile, O_WRONLY|O_CREAT|O_TRUNC|O_NOFOLLOW, 0660);
     if (*fd < 0) {
         logprintf(STDERR_FILENO,
                   "SWTPM_NVRAM_Lock_Lockfile: Could not open lockfile: %s\n",
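Review bot: Descriptor ownership for the pidfilefd case is now asymmetric: the success path `close(fd)` closes the caller-supplied pidfilefd, as the old fclose() did, but the new error_close label deliberately skips it, so after a failed write the caller is left holding a descriptor the old code would have closed on both paths. Pick one rule and state it in a comment; if the caller is meant to keep its descriptor, change the success path to `if (fd != pidfilefd) close(fd);` and add `/* pidfilefd stays owned by the caller; only descriptors opened here are closed */` above error_close, otherwise drop the guard. Also, when `write_full()` returns a short count the message prints `strerror(errno)` with whatever errno happened to be, which is only accurate if that helper (not in this hunk) sets it on short writes.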
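Review bot: `O_NOFOLLOW` only refuses a symlink as the final path component, and the lock file is still opened with `O_TRUNC` and 0660, so a hard link to another file planted under the lock file's name (where fs.protected_hardlinks is off) or a symlinked parent directory would still be truncated — assuming the state directory is writable by anyone other than the swtpm user, which is not visible here. A cheap post-open check closes that gap: `fstat(*fd, &st)` and fail unless `S_ISREG(st.st_mode) && st.st_nlink == 1`. The rest of SWTPM_NVRAM_Lock_Lockfile is outside this hunk.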
@@ -295,16 +296,16 @@
                                    const char *name)
 {
     TPM_RESULT rc = 0;
-    long lrc;
     size_t src;
     int irc;
-    FILE *file = NULL;
+    int fd = -1;
     char filename[FILENAME_MAX]; /* rooted file name from name */
     unsigned char *decrypt_data = NULL;
     uint32_t decrypt_length;
     uint32_t dataoffset = 0;
     uint8_t hdrversion = 0;
     uint16_t hdrflags;
+    struct stat statbuf;
     TPM_DEBUG(" SWTPM_NVRAM_LoadData: From file %s\n", name);
     *data = NULL;
@@ -318,8 +319,8 @@
     if (rc == 0) {
         TPM_DEBUG(" SWTPM_NVRAM_LoadData: Opening file %s\n", filename);
-        file = fopen(filename, "rb"); /* closed @1 */
-        if (file == NULL) { /* if failure, determine cause */
+        fd = open(filename, O_RDONLY); /* closed @1 */
+        if (fd < 0) { /* if failure, determine cause */
             if (errno == ENOENT) {
                 TPM_DEBUG("SWTPM_NVRAM_LoadData: No such file %s\n", filename);
@@ -335,7 +336,7 @@
     }
     if (rc == 0) {
-        if (fchmod(fileno(file), tpmstate_get_mode()) < 0) {
+        if (fchmod(fd, tpmstate_get_mode()) < 0) {
             logprintf(STDERR_FILENO, "SWTPM_NVRAM_LoadData: Could not fchmod %s : %s\n", filename, strerror(errno));
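Review bot: The read side still opens the state file with plain `O_RDONLY` and then, in the next hunk, `fchmod(fd, tpmstate_get_mode())`s that descriptor, so if the state directory is writable by a less privileged user a symlink placed there makes swtpm chmod an arbitrary target to the TPM-state mode — the same class of issue the write paths in this release close with O_NOFOLLOW. Open with `fd = open(filename, O_RDONLY|O_NOFOLLOW); /* closed @1 */` and let ELOOP fall through the existing non-ENOENT failure path. SWTPM_NVRAM_LoadData continues outside this hunk.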
@@ -345,34 +346,16 @@
     /* determine the file length */
     if (rc == 0) {
-        irc = fseek(file, 0L, SEEK_END); /* seek to end of file */
+        irc = fstat(fd, &statbuf);
         if (irc == -1L) {
             logprintf(STDERR_FILENO,
-                      "SWTPM_NVRAM_LoadData: Error (fatal) fseek'ing %s, %s\n",
+                      "SWTPM_NVRAM_LoadData: Error (fatal) fstat'ing %s, %s\n",
                       filename, strerror(errno));
             rc = TPM_FAIL;
         }
     }
     if (rc == 0) {
-        lrc = ftell(file); /* get position in the stream */
-        if (lrc == -1L) {
-            logprintf(STDERR_FILENO,
-                      "SWTPM_NVRAM_LoadData: Error (fatal) ftell'ing %s, %s\n",
-                      filename, strerror(errno));
-            rc = TPM_FAIL;
-        }
-        else {
-            *length = (uint32_t)lrc; /* save the length */
-        }
-    }
-    if (rc == 0) {
-        irc = fseek(file, 0L, SEEK_SET); /* seek back to the beginning of the file */
-        if (irc == -1L) {
-            logprintf(STDERR_FILENO,
-                      "SWTPM_NVRAM_LoadData: Error (fatal) fseek'ing %s, %s\n",
-                      filename, strerror(errno));
-            rc = TPM_FAIL;
-        }
+        *length = statbuf.st_size; /* save the length */
     }
     /* allocate a buffer for the actual data */
     if ((rc == 0) && *length != 0) {
@@ -387,7 +370,7 @@
     }
     /* read the contents of the file into the data buffer */
     if ((rc == 0) && *length != 0) {
-        src = fread(*data, 1, *length, file);
+        src = read(fd, *data, *length);
         if (src != *length) {
             logprintf(STDERR_FILENO,
                       "SWTPM_NVRAM_LoadData: Error (fatal), data read of %u "
@@ -396,9 +379,9 @@
         }
     }
     /* close the file */
-    if (file != NULL) {
+    if (fd >= 0) {
         TPM_DEBUG(" SWTPM_NVRAM_LoadData: Closing file %s\n", filename);
-        irc = fclose(file); /* @1 */
+        irc = close(fd); /* @1 */
         if (irc != 0) {
             logprintf(STDERR_FILENO,
                       "SWTPM_NVRAM_LoadData: Error (fatal) closing file %s\n",
@@ -473,7 +456,7 @@
     TPM_RESULT rc = 0;
     uint32_t lrc;
     int irc;
-    FILE *file = NULL;
+    int fd = -1;
     char tmpfile[FILENAME_MAX]; /* rooted temporary file */
     char filename[FILENAME_MAX]; /* rooted file name from name */
     unsigned char *filedata = NULL;
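Review bot: `*length = statbuf.st_size` silently narrows off_t to uint32_t, and fstat() on a non-regular file (FIFO, device, directory) yields a size that has nothing to do with readable bytes where the old fseek/ftell pair would have failed; both are cheap to reject now that statbuf is at hand. After the fstat succeeds and before the length is saved, add `if (!S_ISREG(statbuf.st_mode) || statbuf.st_size > UINT32_MAX) rc = TPM_FAIL;` with a logprintf in the surrounding style naming the file. The S_ISREG check is also what makes the fchmod() applied earlier in this function safe against special files.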
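Review bot: A single `read(fd, *data, *length)` is not guaranteed to return the full requested length (signal interruption, some filesystems), whereas the `fread()` it replaces looped internally, so a legitimate short read is now a fatal data read error reported with a possibly unset errno. Mirror the write side, which this same change moves to `write_full()` from utils.h, with a full-read loop — `src = read_full(fd, *data, *length);` if utils.h provides one, otherwise a local loop that continues until `*length` bytes or EOF. Note `src` is `size_t` while read() returns ssize_t: -1 becomes SIZE_MAX and still trips the check, but the log cannot then distinguish a failure from a short read.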
@@ -499,8 +482,9 @@
     if (rc == 0) {
         /* open the file */
         TPM_DEBUG(" SWTPM_NVRAM_StoreData: Opening file %s\n", tmpfile);
-        file = fopen(tmpfile, "wb"); /* closed @1 */
-        if (file == NULL) {
+        fd = open(tmpfile, O_WRONLY|O_CREAT|O_TRUNC|O_NOFOLLOW,
+                  tpmstate_get_mode()); /* closed @1 */
+        if (fd < 0) {
             logprintf(STDERR_FILENO,
                       "SWTPM_NVRAM_StoreData: Error (fatal) opening %s for "
                       "write failed, %s\n", tmpfile, strerror(errno));
@@ -509,15 +493,6 @@
     }
     if (rc == 0) {
-        if (fchmod(fileno(file), tpmstate_get_mode()) < 0) {
-            logprintf(STDERR_FILENO,
-                      "SWTPM_NVRAM_StoreData: Could not fchmod %s : %s\n",
-                      tmpfile, strerror(errno));
-            rc = TPM_FAIL;
-        }
-    }
-
-    if (rc == 0) {
         if (encrypt && SWTPM_NVRAM_Has_FileKey()) {
             td_len = 3;
             rc = SWTPM_NVRAM_EncryptData(&filekey, &td[0], &td_len,
@@ -549,7 +524,7 @@
     /* write the data to the file */
     if (rc == 0) {
         TPM_DEBUG(" SWTPM_NVRAM_StoreData: Writing %u bytes of data\n", length);
-        lrc = fwrite(filedata, 1, filedata_length, file);
+        lrc = write_full(fd, filedata, filedata_length);
         if (lrc != filedata_length) {
             logprintf(STDERR_FILENO,
                       "TPM_NVRAM_StoreData: Error (fatal), data write "
@@ -557,9 +532,9 @@
             rc = TPM_FAIL;
         }
     }
-    if (file != NULL) {
+    if (fd >= 0) {
         TPM_DEBUG(" SWTPM_NVRAM_StoreData: Closing file %s\n", tmpfile);
-        irc = fclose(file); /* @1 */
+        irc = close(fd); /* @1 */
         if (irc != 0) {
             logprintf(STDERR_FILENO,
                       "SWTPM_NVRAM_StoreData: Error (fatal) closing file\n");
@@ -570,7 +545,7 @@
         }
     }
-    if (rc == 0 && file != NULL) {
+    if (rc == 0 && fd >= 0) {
         irc = rename(tmpfile, filename);
         if (irc != 0) {
             logprintf(STDERR_FILENO,
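Review bot: Passing `tpmstate_get_mode()` as the `open()` creation mode makes the new state file subject to the process umask, whereas the `fchmod()` removed in the following hunk applied the configured mode exactly; with a umask of 077 a configured 0660 loses its group bit, and because tmpfile is renamed over the real state file that is the mode the tss group ends up with. Keep `fchmod(fd, tpmstate_get_mode())` after the open (an fd-based call is not exposed to the symlink issue) or document that the effective mode is `mode & ~umask`. Separately, `O_CREAT|O_TRUNC` without `O_EXCL` on a predictably named temp file will truncate a hard link left under that name by another user; whether the directory permissions make that reachable is not visible here.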
@@ -582,7 +557,7 @@
         }
     }
-    if (rc != 0 && file != NULL) {
+    if (rc != 0 && fd >= 0) {
         unlink(tmpfile);
     }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.5.0/src/swtpm_cert/ek-cert.c new/swtpm-0.5.1/src/swtpm_cert/ek-cert.c
--- old/swtpm-0.5.0/src/swtpm_cert/ek-cert.c 2020-10-07 20:24:43.000000000 +0200
+++ new/swtpm-0.5.1/src/swtpm_cert/ek-cert.c 2020-11-17 21:47:43.000000000 +0100
@@ -51,6 +51,7 @@
 #include <unistd.h>
 #include <fcntl.h>
 #include <getopt.h>
+#include <sys/stat.h>
 #include <arpa/inet.h>
@@ -1010,7 +1011,7 @@
     unsigned long long serial = 1;
     time_t now;
     int err;
-    FILE *cert_file;
+    int cert_file_fd;
     const char *subject = NULL;
     const char *error = NULL;
     int days = 365;
@@ -1695,8 +1696,9 @@
                                  ? GNUTLS_X509_FMT_PEM : GNUTLS_X509_FMT_DER, &out);
     if (cert_filename) {
-        cert_file = fopen(cert_filename, "wb");
-        if (cert_file == NULL) {
+        cert_file_fd = open(cert_filename, O_WRONLY|O_CREAT|O_TRUNC|O_NOFOLLOW,
+                            S_IRUSR|S_IWUSR);
+        if (cert_file_fd < 0) {
             fprintf(stderr, "Could not open %s for writing the certificate: %s\n",
                     cert_filename, strerror(errno));
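Review bot: The certificate file is now created with `S_IRUSR|S_IWUSR` (0600), whereas `fopen(..., "wb")` created it 0666 masked by umask, so a certificate written by one account (for instance a CA script running as root or tss) is no longer readable by the user who will load it; EK certificates are public data, so this is a behaviour change to call out rather than a hardening win. If the tighter mode is intended, say so in the CHANGES entry and the man page; otherwise use `S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH` and let umask apply as before. The enclosing function extends beyond this hunk.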
@@ -1711,22 +1713,22 @@
                 },
                 .tag = htobe16(TCG_TAG_PCCLIENT_FULL_CERT),
             };
-            if (sizeof(hdr) != fwrite(&hdr, 1, sizeof(hdr), cert_file)) {
+            if (sizeof(hdr) != write(cert_file_fd, &hdr, sizeof(hdr))) {
                 fprintf(stderr, "Could not write certificate header: %s\n",
                         strerror(errno));
-                fclose(cert_file);
+                close(cert_file_fd);
                 unlink(cert_filename);
                 goto cleanup;
             }
         }
-        if (out.size != fwrite(out.data, 1, out.size, cert_file)) {
+        if ((ssize_t)out.size != write(cert_file_fd, out.data, out.size)) {
             fprintf(stderr, "Could not write certificate into file: %s\n",
                     strerror(errno));
-            fclose(cert_file);
+            close(cert_file_fd);
             unlink(cert_filename);
             goto cleanup;
         }
-        fclose(cert_file);
+        close(cert_file_fd);
     } else {
         fprintf(stdout, "%s\n", out.data);
     }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.5.0/src/swtpm_setup/py_swtpm_setup/swtpm_setup.py new/swtpm-0.5.1/src/swtpm_setup/py_swtpm_setup/swtpm_setup.py
--- old/swtpm-0.5.0/src/swtpm_setup/py_swtpm_setup/swtpm_setup.py 2020-10-07 20:24:43.000000000 +0200
+++ new/swtpm-0.5.1/src/swtpm_setup/py_swtpm_setup/swtpm_setup.py 2020-11-17 21:47:43.000000000 +0100
@@ -896,6 +896,9 @@
         srkpass = DEFAULT_SRK_PASSWORD
     if len(LOGFILE) > 0:
+        if os.path.islink(LOGFILE):
+            sys.stderr.write("Logfile must not be a symlink.\n")
+            sys.exit(1)
         try:
             fobj = open(LOGFILE, "a") # do not truncate
             fobj.close()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.5.0/src/swtpm_setup/py_swtpm_setup/swtpm_utils.py new/swtpm-0.5.1/src/swtpm_setup/py_swtpm_setup/swtpm_utils.py
--- old/swtpm-0.5.0/src/swtpm_setup/py_swtpm_setup/swtpm_utils.py 2020-10-07 20:24:43.000000000 +0200
+++ new/swtpm-0.5.1/src/swtpm_setup/py_swtpm_setup/swtpm_utils.py 2020-11-17 21:47:43.000000000 +0100
@@ -3,6 +3,7 @@
 # pylint: disable=W0703
+import os
 import sys
 from cryptography.hazmat.backends import default_backend
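Review bot: Both `write()` calls are compared against the full size, so a short write — possible for the PEM/DER body in `out` on a nearly full filesystem or a pipe — is treated as a failure, the file is closed and unlinked, and `strerror(errno)` is printed even though errno is not set for a short write; the `fwrite()` loop this replaces did not have that gap. Use a write-all helper, for example the `write_full()` from utils.h that swtpm_nvfile.c switches to in this same change (assuming swtpm_cert links against it): `if (write_full(cert_file_fd, out.data, out.size) != (ssize_t)out.size) {`. The header comparison `sizeof(hdr) != write(...)` mixes size_t and ssize_t; -1 converts to SIZE_MAX so the error is still caught, but the explicit `(ssize_t)` cast used on the second call belongs on the first too.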
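Review bot: Checking `os.path.islink(LOGFILE)` and then calling `open(LOGFILE, "a")` a few lines later are two independent path resolutions, so a symlink created in between is still followed by the probe open, and the check says nothing about a symlinked directory above the log file. The probe itself can carry the protection, matching what append_to_file now does: replace the `open`/`close` pair with `os.close(os.open(LOGFILE, os.O_WRONLY|os.O_APPEND|os.O_CREAT|os.O_NOFOLLOW, 0o640))` and report the OSError it raises, which covers the symlink case without a separate test. The enclosing function begins and ends outside this hunk.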
@@ -12,11 +13,17 @@
 def append_to_file(filename, string):
     """" Append a string to a file """
     try:
-        fobj = open(filename, 'a')
-        fobj.write(string)
-        fobj.close()
-    except Exception:
+        filedesc = os.open(filename, os.O_WRONLY|os.O_APPEND|os.O_CREAT|os.O_NOFOLLOW, 0o640)
+        os.write(filedesc, string.encode('utf-8'))
+        os.close(filedesc)
+    except Exception as ex:
+        sys.stdout.write("Error: %s\n" % ex)
         sys.stdout.write(string)
+        try:
+            if filedesc > 0:
+                os.close(filedesc)
+        except Exception:
+            pass
 def logit(logfile, string):
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.5.0/tests/test_samples_create_tpmca new/swtpm-0.5.1/tests/test_samples_create_tpmca
--- old/swtpm-0.5.0/tests/test_samples_create_tpmca 2020-10-07 20:24:43.000000000 +0200
+++ new/swtpm-0.5.1/tests/test_samples_create_tpmca 2020-11-17 21:47:43.000000000 +0100
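Review bot: When `os.open()` itself raises — which is precisely the O_NOFOLLOW rejection this change introduces — `filedesc` was never assigned, so the cleanup `if filedesc > 0:` fails with NameError and only the inner `except Exception: pass` hides it; the function works by accident rather than by design. Declare `filedesc = -1` before the `try:` and test `if filedesc >= 0:` so the cleanup reads as intended (fd 0 is a valid descriptor). Worth noting as well that `os.write()` is permitted to write fewer bytes than given, silently truncating long log lines, and that the new `"Error: %s\n"` message is written to stdout rather than stderr.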
@@ -155,27 +155,41 @@
 system_ps_file = ${TCSD_SYSTEM_PS_FILE}
 _EOF_
-    chown ${TSS_USER}:${TSS_GROUP} "${TCSD_CONF}"
-    if [ "${TSS_USER}" == "${TSS_GROUP}" ]; then
-        chmod 0600 "${TCSD_CONF}"
-    else
-        chmod 0640 "${TCSD_CONF}"
-    fi
+    # Due to recent changes in tcsd we have to try with TSS_USER=tss and TSS_USER=root
+    # Before the following worked:
+    # - tss:tss 0600 for TSS_USER=tss and TSS_GROUP=tss
+    # - root:tss 0640 for TSS_USER=root and TSS_GROUP=tss
+    # After the changes:
+    # - root:tss 0640 for TSS_USER=tss and TSS_GROUP=tss
+    while :; do
+        chown ${TSS_USER}:${TSS_GROUP} "${TCSD_CONF}"
+        if [ "${TSS_USER}" == "${TSS_GROUP}" ]; then
+            chmod 0600 "${TCSD_CONF}"
+        else
+            chmod 0640 "${TCSD_CONF}"
+        fi
-    bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=${SWTPM_SERVER_PORT} tcsd -c "${TCSD_CONF}" -e -f &>/dev/null & echo \$! > "${TCSD_PIDFILE}"; wait" &
-    BASH_PID=$!
+        bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=${SWTPM_SERVER_PORT} tcsd -c "${TCSD_CONF}" -e -f &>/dev/null & echo \$! > "${TCSD_PIDFILE}"; wait" &
+        BASH_PID=$!
-    if wait_for_file "${TCSD_PIDFILE}" 3; then
-        echo "Error: Could not get TCSD's PID file"
-        exit 1
-    fi
+        if wait_for_file "${TCSD_PIDFILE}" 3; then
+            echo "Error: Could not get TCSD's PID file"
+            exit 1
+        fi
-    TCSD_PID=$(cat "${TCSD_PIDFILE}")
-    kill_quiet -0 "${TCSD_PID}"
-    if [ $? -ne 0 ]; then
-        echo "Error: TCSD with pid ${TCSD_PID} must have terminated"
-        exit 1
-    fi
+        TCSD_PID=$(cat "${TCSD_PIDFILE}")
+        kill_quiet -0 "${TCSD_PID}"
+        if [ $? -ne 0 ]; then
+            # Try again with root unless we already tried
+            if [ "$TSS_USER" != "root" ]; then
+                TSS_USER="root"
+                continue
+            fi
+            echo "Error: TCSD with pid ${TCSD_PID} must have terminated"
+            exit 1
+        fi
+        break
+    done
     ${SWTPM_CREATE_TPMCA} \
         --dir "${SWTPM_LOCALCA_DIR}" \
_______________________________________________
openSUSE Commits mailing list -- commit@lists.opensuse.org
To unsubscribe, email commit-le...@lists.opensuse.org
List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette
List Archives: https://lists.opensuse.org/archives/list/commit@lists.opensuse.org
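Review bot: On the retry path `continue` starts a second tcsd without removing `${TCSD_PIDFILE}` from the first attempt, so `wait_for_file` returns at once on the stale file and `TCSD_PID=$(cat "${TCSD_PIDFILE}")` can read the old, dead PID before the new `echo \$! >` has overwritten it; the root attempt then fails for the wrong reason. Clear it at the top of each iteration: `rm -f "${TCSD_PIDFILE}"` immediately after `while :; do`. The first attempt's `bash -c ... &` wrapper (`BASH_PID`) is also neither killed nor reaped before the retry, so a stray background job may survive into the next iteration; the rest of the script is outside this hunk.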