Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tpm2.0-tools for openSUSE:Factory checked in at 2021-06-01 10:38:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tpm2.0-tools (Old) and /work/SRC/openSUSE:Factory/.tpm2.0-tools.new.1898 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tpm2.0-tools" Tue Jun 1 10:38:02 2021 rev:24 rq:895955 version:5.1 Changes: -------- --- /work/SRC/openSUSE:Factory/tpm2.0-tools/tpm2.0-tools.changes 2021-05-04 22:01:06.620573352 +0200 +++ /work/SRC/openSUSE:Factory/.tpm2.0-tools.new.1898/tpm2.0-tools.changes 2021-06-01 10:39:17.220999500 +0200 @@ -1,0 +2,127 @@ +Fri May 28 10:24:21 UTC 2021 - Matthias Gerstner <matthias.gerst...@suse.com> + +- add 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch: no longer use a + fixed AES key in the context of the tpm2_import command. Fixes CVE-2021-3565 + (bsc#1186490). +- drop fix_pie_linking.patch: now contained in upstream tarball +- drop fix_warnings.patch: now contained in upstream tarball +- update to upstream version 5.1: + - Minimum tpm2-tss version dependency bumped to 3.1.0 + - Minimum tpm2-abrmd version dependency bumped to 2.4.0 + - tss2: + - Support in tools for PolicyRef inclusion in policy search per latest TSS. + - Support to use TPM objects protected by a policy with PolicySigned. + - Enable backward compatibility to old Fapi callback API. + - Fix PCR selection for tss2 quote. + - Support policy signed policies by implementing Fapi_SetSignCB. + - Command/ response parameter support for auditing and pHash policies: + - lib/tpm2_util.c: Add method to determine hashing alg for cp/rphash + - Add support to calculate rphash for tpm2_create, tpm2_activatecredential, + tpm2_certify, tpm2_certifycreation, tpm2_changeauth, tpm2_changeeps, + tpm2_changepps, tpm2_nvdefine, tpm2_nvextend, tpm2_unseal + - Add support to calculate cphash for tpm2_changeeps, tpm2_changepps. + - Session-support: + - tpm2_sessionconfig: Add tool to display and configure session attributes. + - tpm2_getrandom: Fix??? session input was hardcoded for audit-only + - tpm2_startauthsession: Add option to specify the bind object and its + authorization value. + - tpm2_startauthsession: support for bounded-only session. + - tpm2_startauthsession: support for salted-only session. + - tpm2_startauthsession: add option to specify an hmac session type. + - Add support for specifying non-authorization sessions for audit and + parameter encryption for tpm2_getrandom, tpm2_create, tpm2_nvextend, + tpm2_nvdefine, tpm2_unseal, tpm2_activatecredential, tpm2_certify, + tpm2_certifycreation, tpm2_changeauth, tpm2_changeeps, tpm2_changepps. + - tpm2_eventlog: + - Support for event type: EV_IPL extensively used by the Shim and Grub. + - Support for event type: EV_EFI_GPT_EVENT to parse. + UEFI_PARTITION_TABLE_HEADER and UEFI_PARTITION_ENTRY. + - Support for event type: EFI_SIGNATURE_LIST, which contains one or more + EFI_SIGNATURE_DATA. + - Support for event type EV_EFI_VARIABLE_AUTHORITY. + - Parse UEFI_PLATFORM_FIRMWARE_BLOB structure that the CRTM MUST put into + the Event Log entry TCG_PCR_EVENT2.event field for event types + EV_POST_CODE, EV_S_CRTM_CONTENTS, and EV_EFI_PLATFORM_FIRMWARE_BLOB. + - Parse secureboot variable to indicate enable as 'Yes'. + - Parse BootOrder variable to a more readable format. + - Parse Boot variables per EFI_LOAD_OPTION described in more details in + UEFI Spec Section 3.1.3 + - Parse Device-path in a readable format using the efivar library. + - Support for logs longer than 64 kilobytes. + - Perform verification for event types where digest can be verified from + their event payload. + - Better support for multiline strings. + - Fix handling of event log EV_POST_CODE data where field is empty and len + is specified. + - scripts/utils: Add a utility to read the cert chain of embedded CA. + - tpm2_getekcertificate: Fix tool failing to return error/non-zero for HTTP + 404. + - tpm2_nvdefine: allow setting hash algorithm by command line parameter for NV + indices set in extend mode. + - tpm2_duplicate, tpm2_import: support duplicating non-TPM keys to a remote + TPM without first requiring them to be loaded to a local TPM. + - tpm2_dictionarylockout: Fix issue where setting value for one parameter + caused to reset the others. + - tpm2_getpolicydigest: Add new tool to enable TPM2_CC_PolicyGetDigest. + - Fix segfault where optind > argc. + - tools/tpm2_checkquote: fix missing initializer + - tpm2_convert: fix EVP_EncodeUpdate usage for OSSL < 1.1.0 + - openssl: fix EVP_ENCODE_CTX_(new|free) + - test: Add support for swTPM simulator to the testing framework and make it + the default if mssim isn't available. + - tpm2_unseal: + - Added option **\--rphash**=_FILE_ to specify ile path to record the hash + of the response parameters. This is commonly termed as rpHash. + - tpm2_nvextend: + - Added option **\--rphash**=_FILE_ to specify ile path to record the hash + of the response parameters. This is commonly termed as rpHash. + - tpm2_nvdefine: + - Added option **\--rphash**=_FILE_ to specify ile path to record the hash + of the response parameters. This is commonly termed as rpHash. + - tpm2_changepps: + - Added option **\--cphash**=_FILE_ to specify ile path to record the hash + of the command parameters. This is commonly termed as cpHash. + - Added option **\--rphash**=_FILE_ to specify ile path to record the hash + - Added option **-S**, **\--session** to specify to specify an auxiliary + session for auditing and or encryption/decryption of the parameters. + - tpm2_changeeps: + - Added option **\--cphash**=_FILE_ to specify ile path to record the hash + of the command parameters. This is commonly termed as cpHash. + - Added option **\--rphash**=_FILE_ to specify ile path to record the hash + of the response parameters. This is commonly termed as rpHash. + - Added option **-S**, **\--session** to specify to specify an auxiliary + session for auditing and or encryption/decryption of the parameters. + - tpm2_changeauth: + - Added option **\--rphash**=_FILE_ to specify ile path to record the hash + of the response parameters. This is commonly termed as rpHash. + - Added option **-S**, **\--session** to specify to specify an auxiliary + session for auditing and or encryption/decryption of the parameters. + - tpm2_certifycreation: + - Added option **\--rphash**=_FILE_ to specify ile path to record the hash + of the response parameters. This is commonly termed as rpHash. + - Added option **-S**, **\--session** to specify to specify an auxiliary + session for auditing and or encryption/decryption of the parameters. + - tpm2_certify: + - Added option **\--rphash**=_FILE_ to specify ile path to record the hash + of the response parameters. This is commonly termed as rpHash. + - Added option **-S**, **\--session** to specify to specify an auxiliary + session for auditing and or encryption/decryption of the parameters. + - tpm2_activatecredential: + - Added option **\--rphash**=_FILE_ to specify ile path to record the hash + of the response parameters. This is commonly termed as rpHash. + - Added option **-S**, **\--session** to specify to specify an auxiliary + session for auditing and or encryption/decryption of the parameters. + - tpm2_create: + - Added option **\--rphash**=_FILE_ to specify ile path to record the hash + of the response parameters. This is commonly termed as rpHash. + - tpm2_unseal: + - Added option **-S**, **--session** to specify auxiliary sessions for + audit and encryption. + - tpm2_nvdefine: + - Added option **-S**, **--session** to specify auxiliary sessions for + audit and encryption. + - tpm2_nvextend: + - Added option **-S**, **--session** to specify auxilary sessions for + audit and encryption. + +------------------------------------------------------------------- Old: ---- fix_pie_linking.patch fix_warnings.patch tpm2-tools-5.0.tar.gz New: ---- 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch tpm2-tools-5.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tpm2.0-tools.spec ++++++ --- /var/tmp/diff_new_pack.dYJZBl/_old 2021-06-01 10:39:17.661000249 +0200 +++ /var/tmp/diff_new_pack.dYJZBl/_new 2021-06-01 10:39:17.665000256 +0200 @@ -17,7 +17,7 @@ Name: tpm2.0-tools -Version: 5.0 +Version: 5.1 Release: 0 Summary: Trusted Platform Module (TPM) 2.0 administration tools License: BSD-3-Clause @@ -25,8 +25,7 @@ URL: https://github.com/tpm2-software/tpm2-tools/releases Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/tpm2-tools-%{version}.tar.gz Patch0: fix_bogus_warning.patch -Patch1: fix_warnings.patch -Patch2: fix_pie_linking.patch +Patch1: 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: gcc-c++ @@ -67,7 +66,6 @@ %setup -q -n tpm2-tools-%{version} %patch0 -p1 %patch1 -p1 -%patch2 -p1 %build # TODO: remove autoreconf once fix_pie_linking patch is no longer needed ++++++ 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch ++++++ >From c069e4f179d5e6653a84fb236816c375dca82515 Mon Sep 17 00:00:00 2001 From: William Roberts <william.c.robe...@intel.com> Date: Fri, 21 May 2021 12:22:31 -0500 Subject: [PATCH] tpm2_import: fix fixed AES key CVE-2021-3565 tpm2_import used a fixed AES key for the inner wrapper, which means that a MITM attack would be able to unwrap the imported key. Even the use of an encrypted session will not prevent this. The TPM only encrypts the first parameter which is the fixed symmetric key. To fix this, ensure the key size is 16 bytes or bigger and use OpenSSL to generate a secure random AES key. Fixes: #2738 Signed-off-by: William Roberts <william.c.robe...@intel.com> --- tools/tpm2_import.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/tools/tpm2_import.c b/tools/tpm2_import.c index cfb6f207..f44326c8 100644 --- a/tools/tpm2_import.c +++ b/tools/tpm2_import.c @@ -118,7 +118,17 @@ static tool_rc key_import(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *parent_pub, TPM2B_DATA enc_sensitive_key = { .size = parent_pub->publicArea.parameters.rsaDetail.symmetric.keyBits.sym / 8 }; - memset(enc_sensitive_key.buffer, 0xFF, enc_sensitive_key.size); + + if(enc_sensitive_key.size < 16) { + LOG_ERR("Calculated wrapping keysize is less than 16 bytes, got: %u", enc_sensitive_key.size); + return tool_rc_general_error; + } + + int ossl_rc = RAND_bytes(enc_sensitive_key.buffer, enc_sensitive_key.size); + if (ossl_rc != 1) { + LOG_ERR("RAND_bytes failed: %s", ERR_error_string(ERR_get_error(), NULL)); + return tool_rc_general_error; + } /* * Calculate the object name. -- 2.26.3 ++++++ tpm2-tools-5.0.tar.gz -> tpm2-tools-5.1.tar.gz ++++++ ++++ 16757 lines of diff (skipped)
