Hello community, here is the log from the commit of package s390-tools for openSUSE:Factory checked in at 2020-02-22 19:03:27 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/s390-tools (Old) and /work/SRC/openSUSE:Factory/.s390-tools.new.26092 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "s390-tools" Sat Feb 22 19:03:27 2020 rev:28 rq:777412 version:2.11.0 Changes: -------- --- /work/SRC/openSUSE:Factory/s390-tools/s390-tools.changes 2020-02-15 22:23:57.703262407 +0100 +++ /work/SRC/openSUSE:Factory/.s390-tools.new.26092/s390-tools.changes 2020-02-22 19:03:27.957991348 +0100 @@ -1,0 +2,15 @@ +Tue Feb 18 20:10:50 UTC 2020 - Mark Post <[email protected]> + +- Added s390-tools-sles15sp2-zkey-Fix-display-of-XTS-attribute-for-validate-comma.patch + (bsc#1163002). +- Added s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-CCA-AESCIPHER.patch + (bsc#1163570). +- Re-categorized s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch + from an IBM patch to a SUSE-maintained patch. (bsc#1162840) + +------------------------------------------------------------------- +Thu Feb 13 13:50:55 UTC 2020 - Marcus Meissner <[email protected]> + +- sign the stage3.bin bootloader stage (bsc#1163524) + +------------------------------------------------------------------- @@ -11 +26 @@ - (bsc#1163002). + (bsc#1163003). New: ---- s390-tools-sles15sp2-zkey-Fix-display-of-XTS-attribute-for-validate-comma.patch s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-CCA-AESCIPHER.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ s390-tools.spec ++++++ --- /var/tmp/diff_new_pack.PU5rb7/_old 2020-02-22 19:03:32.802000998 +0100 +++ /var/tmp/diff_new_pack.PU5rb7/_new 2020-02-22 19:03:32.810001013 +0100 @@ -1,7 +1,7 @@ # # spec file for package s390-tools # -# Copyright (c) 2019-2020 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2009-2020 SUSE LLC, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -14,6 +14,7 @@ # Please submit bugfixes or comments via https://bugs.opensuse.org/ # +# needssslcertforbuild #Compat macro for new _fillupdir macro introduced in Nov 2017 @@ -123,9 +124,10 @@ Patch35: s390-tools-sles15sp2-35-zkey-Allow-zkey-cryptsetup-setkey-to-set-different-k.patch Patch36: s390-tools-sles15sp2-zcrypt-CEX7S-exploitation-support.patch Patch37: s390-tools-sles15sp2-zcryptstats-Add-support-for-CEX7.patch -Patch38: s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch -Patch39: s390-tools-sles15sp2-zkey-Fix-listing-of-keys-on-file-systems-reporting-D.patch -Patch40: s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-XTS-keys.patch +Patch38: s390-tools-sles15sp2-zkey-Fix-listing-of-keys-on-file-systems-reporting-D.patch +Patch39: s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-XTS-keys.patch +Patch40: s390-tools-sles15sp2-zkey-Fix-display-of-XTS-attribute-for-validate-comma.patch +Patch41: s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-CCA-AESCIPHER.patch # SUSE patches Patch900: s390-tools-sles12-zipl_boot_msg.patch @@ -141,6 +143,7 @@ Patch910: s390-tools-sles12-fdasd-skip-partition-check-and-BLKRRPART-ioctl.patch Patch911: s390-tools-sles15sp2-Close-file-descriptor-when-checking-for-read-only.patch Patch912: s390-tools-sles15sp1-zdev-Also-include-the-ctc-driver-in-the-initrd.patch +Patch913: s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch BuildRequires: dracut BuildRequires: fuse-devel @@ -153,6 +156,7 @@ BuildRequires: libpfm-devel BuildRequires: ncurses-devel BuildRequires: net-snmp-devel +BuildRequires: pesign-obs-integration BuildRequires: qclib-devel-static BuildRequires: tcpd-devel BuildRequires: zlib-devel-static 
@@ -364,6 +368,8 @@ EOT chmod 755 osasnmpd +export BRP_PESIGN_FILES='/lib/s390-tools/stage3.bin' + %verifyscript %verify_permissions -e %{_localstatedir}/log/ts-shell ++++++ s390-tools-sles15sp2-zkey-Fix-display-of-XTS-attribute-for-validate-comma.patch ++++++ Subject: [PATCH] [BZ 183669] zkey: Fix display of XTS attribute for validate command From: Ingo Franzki <[email protected]> Description: zkey: Fix display of XTS attribute for validate command Symptom: The 'zkey validate' command shows an invalid value for the XTS attribute. Problem: Due to a use after free of the secure key, the XTS attribute is not determined correctly, and is displayed incorrectly. Function is_xts_key() is called with a secure key that has already been freed and thus most likely returns false. This bug has been introduced with feature SEC1717 "Cipher key support" with commit 298fab68fee8 "zkey: Preparations for introducing a new key type" Solution: Free the secure key only after the last use. Reproduction: Generate an XTS key of type CCA-AESDATA or CCA-AESCIPHER and then run 'zkey validate'. Upstream-ID: f75f4aff8f6e4ae148bde858ee1cb7f1066f5f23 Problem-ID: 183669 Signed-off-by: Ingo Franzki <[email protected]> --- zkey/keystore.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) --- a/zkey/keystore.c +++ b/zkey/keystore.c @@ -2516,7 +2516,7 @@ static int _keystore_process_validate(st size_t clear_key_bitsize; size_t secure_key_size; char *apqns = NULL; - u8 *secure_key; + u8 *secure_key = NULL; int is_old_mk; int rc, valid; u64 mkvp; @@ -2550,8 +2550,7 @@ static int _keystore_process_validate(st rc = get_master_key_verification_pattern(secure_key, secure_key_size, &mkvp, keystore->verbose); - free(secure_key); - if (rc) + if (rc != 0) goto out; _keystore_print_record(info->rec, name, properties, 1, 
@@ -2577,6 +2576,8 @@ static int _keystore_process_validate(st info->num_warnings++; out: + if (secure_key != NULL) + free(secure_key); if (apqns != NULL) free(apqns); if (apqn_list != NULL) ++++++ s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-CCA-AESCIPHER.patch ++++++ Subject: [PATCH] [BZ 183875] zkey: Fix display of clear key size for CCA-AESCIPHER keys From: Ingo Franzki <[email protected]> Description: zkey: Fix display of clear key size for CCA-AESCIPHER keys Symptom: The 'zkey list' command shows bogus values for the keys 'Clear key size' for keys of type CCA-AESCIPHER. Problem: Secure keys of type CCA-AESCIPHER are variable length, dependent on the effective key size (e.g. 128, 192, or 256 bits). However, the key blob stored is padded to a fixed length, so that all key blobs of type CCA-AESCIPHER are the same size, regardless of the effective key bit size. The code to display the clear key bitsize does not correctly handle the padding and may treat a non-XTS key like an XTS key and thus reads past the end of the key blob. This results in bogus values reported as clear key size. This bug has been introduced with feature SEC1717 "Cipher key support" with commit ddde3f354f35 ("zkey: Introduce the CCA-AESCIPHER key type"). Solution: Correct the handling of key of type CCA-AESCIPHER. Reproduction: Generate a key of type CCA-AESCIPHER and then run 'zkey list'. Upstream-ID: 49cbaba302f002aa7f148631a76fc21a3069bc25 Problem-ID: 183875 Upstream-Description: zkey: Fix display of clear key size for CCA-AESCIPHER keys Fixes: ddde3f354f35 ("zkey: Introduce the CCA-AESCIPHER key type") Signed-off-by: Ingo Franzki <[email protected]> Signed-off-by: Jan Hoeppner <[email protected]> Signed-off-by: Ingo Franzki <[email protected]> --- a/zkey/pkey.c +++ b/zkey/pkey.c 
@@ -1600,9 +1600,9 @@ int get_key_bit_size(const u8 *key, size *bitsize = cipherkey->pl - 384; else *bitsize = 0; /* Unknown */ - if (key_size > cipherkey->length) { + if (key_size == 2 * AESCIPHER_KEY_SIZE) { cipherkey = (struct aescipherkeytoken *)(key + - cipherkey->length); + AESCIPHER_KEY_SIZE); if (cipherkey->pfv == 0x00) /* V0 payload */ *bitsize += cipherkey->pl - 384; }
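Review bot: in s390-tools.changes, the `@@ -11 +26 @@` hunk silently rewrites an existing entry's reference from bsc#1163002 to bsc#1163003, while the new Feb 18 entry uses bsc#1163002 for the XTS-attribute patch. Nothing in the new changelog text mentions this correction, so a reader tracing either bug number later has no explanation for the edit. Please note the corrected reference in the new entry, and confirm that both numbers now point at the intended bugs.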
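Review bot: in s390-tools.spec, the `@@ -123,9 +124,10 @@` and `@@ -141,6 +143,7 @@` hunks renumber Patch38 to Patch40, add Patch41 and move the zdev patch to Patch913, but the diff shows no matching change in %prep. If the spec applies patches with explicit `%patchNN` lines rather than an automatic macro, the new Patch41 and Patch913 would not be applied and the shifted numbers would apply the wrong files at the old positions. Please confirm how %prep applies them, and include that hunk if it lists patches by number.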
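Review bot: in s390-tools.spec at `@@ -364,6 +368,8 @@`, `export BRP_PESIGN_FILES='/lib/s390-tools/stage3.bin'` is added with no comment, and it only takes effect together with the `# needssslcertforbuild` marker and the new `BuildRequires: pesign-obs-integration` in two other hunks. A short comment at the export naming bsc#1163524 and the other two pieces would keep a later cleanup from removing one of the three and quietly producing an unsigned stage3.bin. The hard-coded /lib/s390-tools path also has to stay in step with wherever the build installs stage3.bin, so a build-time check that the file exists at that path would be worth adding.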
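Review bot: in zkey/keystore.c at `@@ -2550,8 +2550,7 @@`, the change from `if (rc)` to `if (rc != 0)` is cosmetic and unrelated to the use-after-free being fixed; dropping it would keep the backport to the single `free(secure_key)` removal. The fix itself depends on every exit after this point reaching `out:`, which the visible context cannot confirm. Please check that there is no direct `return` between this call and the `out:` label, otherwise the key buffer now leaks on that path.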
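Review bot: in zkey/keystore.c at `@@ -2577,6 +2576,8 @@`, the `if (secure_key != NULL)` guard before `free(secure_key)` is redundant, since free(NULL) is a no-op; it is acceptable only as a match for the neighbouring `apqns` pattern. The cleanup is correct only because the first hunk initialises `u8 *secure_key = NULL`, so any `goto out` taken before the key is loaded would otherwise free an uninitialised pointer. Those two hunks must travel together in any further backport.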
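Review bot: in zkey/pkey.c at `@@ -1600,9 +1600,9 @@`, the second-half branch has no `else` for an unknown payload format: when the second token's `pfv` is not 0x00, `*bitsize` keeps only the first half's value, whereas the first half sets `*bitsize = 0; /* Unknown */` in the same situation. An XTS key with an unrecognised second token would then be reported at half its size instead of as unknown; consider setting `*bitsize = 0` in that case. Separately, `cipherkey->pl - 384` is computed with no visible check that `pl` is at least 384, so a malformed blob would yield a wrapped value. The exact comparison `key_size == 2 * AESCIPHER_KEY_SIZE` is a sound bound for the second read, provided the caller has already rejected sizes below AESCIPHER_KEY_SIZE before the first token is dereferenced.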
