Changes of Revision 8
_service:tar_scm:tpm2-tss.spec
Changed
@@ -1,15 +1,13 @@
 Name: tpm2-tss
-Version: 3.2.1
-Release: 2
+Version: 3.2.2
+Release: 1
 Summary: TPM2.0 Software Stack
 License: BSD
 URL: https://github.com/tpm2-software/tpm2-tss
 Source0: https://github.com/tpm2-software/tpm2-tss/releases/download/%{version}/%{name}-%{version}.tar.gz
-Patch1: backport-CVE-2023-22745.patch
-
 BuildRequires: gcc-c++ autoconf-archive libtool pkgconfig systemd libgcrypt-devel openssl-devel doxygen json-c-devel libcurl-devel
-BuildRequires: curl >= 7.80.0
+BuildRequires: curl >= 7.80.0 libcmocka-devel iproute uthash-devel swtpm
 %description
 tpm2-tss is a software stack supporting Trusted Platform Module(TPM) 2.0 system
@@ -31,7 +29,8 @@
 %build
 %configure --disable-static --disable-silent-rules --with-udevrulesdir=%{_udevrulesdir} --with-udevrulesprefix=80- \
- --with-runstatedir=%{_rundir} --with-tmpfilesdir=%{_tmpfilesdir} --with-sysusersdir=%{_sysusersdir}
+ --with-runstatedir=%{_rundir} --with-tmpfilesdir=%{_tmpfilesdir} --with-sysusersdir=%{_sysusersdir} \
+ --enable-unit --enable-integration
 %make_build
@@ -72,6 +71,18 @@
 %{_mandir}/man*/*
 %changelog
+* Tue Jul 18 2023 jinlun <jinlun@huawei.com> - 3.2.2-1
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC:update version to 3.2.2
+
+* Tue Mar 21 2023 jinlun <jinlun@huawei.com> - 3.2.1-3
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:add check code in tpm2-tss
+
 * Tue Jan 31 2023 huangzq6 <huangzhenqiang2@huawei.com> - 3.2.1-2
 - Type:CVE
 - ID:NA
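Review bot: The 3.2.2-1 changelog entry `- DESC:update version to 3.2.2` does not record that `Patch1: backport-CVE-2023-22745.patch` is removed because the fix ships in the upstream 3.2.2 release (the CHANGELOG.md in this same revision lists it under 3.2.2), so anyone auditing this spec's history for CVE-2023-22745 sees the backport disappear with no stated reason; suggest `- DESC:update version to 3.2.2, drop backport-CVE-2023-22745.patch (fixed upstream in 3.2.2)`. The new `--enable-integration` flag together with the `swtpm` and `iproute` build requirements makes the test suite depend on a TPM simulator and network tooling inside the build root; whether a `%check` section actually runs these tests is outside the hunk, but if it does, the integration tests must not assume free host ports or external services in the build sandbox, and if it does not, `--enable-integration` and the `swtpm` dependency only add build-time surface for no benefit. The 3.2.1-3 entry is added in the same revision as 3.2.2-1, which presumably folds an earlier unreleased check-code change into this update.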
_service:tar_scm:backport-CVE-2023-22745.patch
Deleted
@@ -1,139 +0,0 @@ -From 306490c8d848c367faa2d9df81f5e69dab46ffb5 Mon Sep 17 00:00:00 2001 -From: William Roberts <william.c.roberts@intel.com> -Date: Thu, 19 Jan 2023 11:53:06 -0600 -Subject: PATCH tss2_rc: ensure layer number is in bounds - -The layer handler array was defined as 255, the max number of uint8, -which is the size of the layer field, however valid values are 0-255 -allowing for 256 possibilities and thus the array was off by one and -needed to be sized to 256 entries. Update the size and add tests. - -Note: previous implementations incorrectly dropped bits on unknown error -output, ie TSS2_RC of 0xFFFFFF should yeild a string of 255:0xFFFFFF, -but earlier implementations returned 255:0xFFFF, dropping the middle -bits, this patch fixes that. - -Fixes: CVE-2023-22745 - -Signed-off-by: William Roberts <william.c.roberts@intel.com> ---- - src/tss2-rc/tss2_rc.c | 31 +++++++++++++++++++++---------- - test/unit/test_tss2_rc.c | 21 ++++++++++++++++++++- - 2 files changed, 41 insertions(+), 11 deletions(-) - -diff --git a/src/tss2-rc/tss2_rc.c b/src/tss2-rc/tss2_rc.c -index 15ced56..4e14659 100644 ---- a/src/tss2-rc/tss2_rc.c -+++ b/src/tss2-rc/tss2_rc.c -@@ -1,5 +1,8 @@ - /* SPDX-License-Identifier: BSD-2-Clause */ -- -+#ifdef HAVE_CONFIG_H -+#include "config.h" -+#endif -+#include <assert.h> - #include <stdarg.h> - #include <stdbool.h> - #include <stdio.h> -@@ -834,7 +837,7 @@ tss_err_handler (TSS2_RC rc) - static struct { - char nameTSS2_ERR_LAYER_NAME_MAX; - TSS2_RC_HANDLER handler; --} layer_handlerTPM2_ERROR_TSS2_RC_LAYER_COUNT = { -+} layer_handlerTPM2_ERROR_TSS2_RC_LAYER_COUNT + 1 = { - ADD_HANDLER("tpm" , tpm2_ehandler), - ADD_NULL_HANDLER, /* layer 1 is unused */ - ADD_NULL_HANDLER, /* layer 2 is unused */ -@@ -869,7 +872,7 @@ unknown_layer_handler(TSS2_RC rc) - static __thread char buf32; - - clearbuf(buf); -- catbuf(buf, "0x%X", tpm2_error_get(rc)); -+ catbuf(buf, "0x%X", rc); - - return buf; - } -@@ -966,19 +969,27 @@ Tss2_RC_Decode(TSS2_RC rc) - 
catbuf(buf, "%u:", layer); - } - -- handler = !handler ? unknown_layer_handler : handler; -- - /* - * Handlers only need the error bits. This way they don't - * need to concern themselves with masking off the layer - * bits or anything else. - */ -- UINT16 err_bits = tpm2_error_get(rc); -- const char *e = err_bits ? handler(err_bits) : "success"; -- if (e) { -- catbuf(buf, "%s", e); -+ if (handler) { -+ UINT16 err_bits = tpm2_error_get(rc); -+ const char *e = err_bits ? handler(err_bits) : "success"; -+ if (e) { -+ catbuf(buf, "%s", e); -+ } else { -+ catbuf(buf, "0x%X", err_bits); -+ } - } else { -- catbuf(buf, "0x%X", err_bits); -+ /* -+ * we don't want to drop any bits if we don't know what to do with it -+ * so drop the layer byte since we we already have that. -+ */ -+ const char *e = unknown_layer_handler(rc >> 8); -+ assert(e); -+ catbuf(buf, "%s", e); - } - - return buf; -diff --git a/test/unit/test_tss2_rc.c b/test/unit/test_tss2_rc.c -index f4249b7..6d8428b 100644 ---- a/test/unit/test_tss2_rc.c -+++ b/test/unit/test_tss2_rc.c -@@ -199,7 +199,7 @@ test_custom_handler(void **state) - * Test an unknown layer - */ - e = Tss2_RC_Decode(rc); -- assert_string_equal(e, "1:0x2A"); -+ assert_string_equal(e, "1:0x100"); - } - - static void -@@ -282,6 +282,23 @@ test_tcti(void **state) - assert_string_equal(e, "tcti:Fails to connect to next lower layer"); - } - -+static void -+test_all_FFs(void **state) -+{ -+ (void) state; -+ -+ const char *e = Tss2_RC_Decode(0xFFFFFFFF); -+ assert_string_equal(e, "255:0xFFFFFF"); -+} -+ -+static void -+test_all_FFs_set_handler(void **state) -+{ -+ (void) state; -+ Tss2_RC_SetHandler(0xFF, "garbage", custom_err_handler); -+ Tss2_RC_SetHandler(0xFF, NULL, NULL); -+} -+ - /* link required symbol, but tpm2_tool.c declares it AND main, which - * we have a main below for cmocka tests. 
- */ -@@ -313,6 +330,8 @@ main(int argc, char* argv) - cmocka_unit_test(test_esys), - cmocka_unit_test(test_mu), - cmocka_unit_test(test_tcti), -+ cmocka_unit_test(test_all_FFs), -+ cmocka_unit_test(test_all_FFs_set_handler) - }; - - return cmocka_run_group_tests(tests, NULL, NULL); --- -2.27.0 -
_service:tar_scm:tpm2-tss-3.2.1.tar.gz/AUTHORS -> _service:tar_scm:tpm2-tss-3.2.2.tar.gz/AUTHORS
Changed
@@ -32,9 +32,9 @@
 Johannes Holland <joh.ho@gmx.de>
 Jeffrey Ferreira <jeffpferreira@gmail.com>
 Javier Martinez Canillas <javierm@redhat.com>
+Erik Larsson <who+github@cnackers.org>
 manuknz <jmmg01@hotmail.com>
 Kristen Carlson Accardi <kristen@linux.intel.com>
-Erik Larsson <who+github@cnackers.org>
 danintel <daniel.anderson@intel.com>
 Pieter Agten <pieter.agten@gmail.com>
 Philip Tricca <flihp@twobit.org>
_service:tar_scm:tpm2-tss-3.2.1.tar.gz/CHANGELOG.md -> _service:tar_scm:tpm2-tss-3.2.2.tar.gz/CHANGELOG.md
Changed
@@ -3,6 +3,14 @@
 The format is based on Keep a Changelog(http://keepachangelog.com/)
+## 3.2.2 - 2023-01-31
+### Fixed:
+ - A buffer overflow in tss2-rc as CVE-2023-22745.
+ - The drv layer in tss2-rc should have been the policy layer.
+ - Spec deviation in Fapi_GetDescription caused description to be NULL when it should be empty string.
+ This is API breaking but considered a bug since it deviated from the FAPI spec.
+ - FAPI: undefined reference to curl_url_strerror when using curl less than 7.80.0.
+
 ## 3.2.1 - 2022-12-12
 ### Fixed
 - Makefile.am: make all EXTRA_DIST includes unconditional to fix pristine tars
_service:tar_scm:tpm2-tss-3.2.1.tar.gz/Makefile.in -> _service:tar_scm:tpm2-tss-3.2.2.tar.gz/Makefile.in
Changed
@@ -20,7 +20,7 @@ # All rights reserved. # aminclude_static.am generated automatically by Autoconf -# from AX_AM_MACROS_STATIC on Mon Dec 12 11:26:12 CST 2022 +# from AX_AM_MACROS_STATIC on Tue Jan 31 09:04:57 CST 2023 # SPDX-License-Identifier: BSD-2-Clause # Copyright (c) 2015 - 2018 Intel Corporation
_service:tar_scm:tpm2-tss-3.2.1.tar.gz/VERSION -> _service:tar_scm:tpm2-tss-3.2.2.tar.gz/VERSION
Changed
@@ -1,1 +1,1 @@
-3.2.1
+3.2.2
_service:tar_scm:tpm2-tss-3.2.1.tar.gz/aminclude_static.am -> _service:tar_scm:tpm2-tss-3.2.2.tar.gz/aminclude_static.am
Changed
@@ -1,6 +1,6 @@ # aminclude_static.am generated automatically by Autoconf -# from AX_AM_MACROS_STATIC on Mon Dec 12 11:26:12 CST 2022 +# from AX_AM_MACROS_STATIC on Tue Jan 31 09:04:57 CST 2023 # Code coverage
_service:tar_scm:tpm2-tss-3.2.1.tar.gz/config.h.in -> _service:tar_scm:tpm2-tss-3.2.2.tar.gz/config.h.in
Changed
@@ -12,6 +12,9 @@ /* Perform integration tests without EK certificate verification */ #undef FAPI_TEST_EK_CERT_LESS +/* If lib curl has curl_url_strerror function */ +#undef HAVE_CURL_URL_STRERROR + /* Define to 1 if you have the declaration of `cygwin_conv_path', and to 0 if you don't. */ #undef HAVE_DECL_CYGWIN_CONV_PATH
_service:tar_scm:tpm2-tss-3.2.1.tar.gz/configure -> _service:tar_scm:tpm2-tss-3.2.2.tar.gz/configure
Changed
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for tpm2-tss 3.2.1. +# Generated by GNU Autoconf 2.69 for tpm2-tss 3.2.2. # # Report bugs to <https://github.com/tpm2-software/tpm2-tss/issues>. # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='tpm2-tss' PACKAGE_TARNAME='tpm2-tss' -PACKAGE_VERSION='3.2.1' -PACKAGE_STRING='tpm2-tss 3.2.1' +PACKAGE_VERSION='3.2.2' +PACKAGE_STRING='tpm2-tss 3.2.2' PACKAGE_BUGREPORT='https://github.com/tpm2-software/tpm2-tss/issues' PACKAGE_URL='https://github.com/tpm2-software/tpm2-tss' @@ -1574,7 +1574,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures tpm2-tss 3.2.1 to adapt to many kinds of systems. +\`configure' configures tpm2-tss 3.2.2 to adapt to many kinds of systems. Usage: $0 OPTION... VAR=VALUE... @@ -1645,7 +1645,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of tpm2-tss 3.2.1:";; + short | recursive ) echo "Configuration of tpm2-tss 3.2.2:";; esac cat <<\_ACEOF @@ -1857,7 +1857,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -tpm2-tss configure 3.2.1 +tpm2-tss configure 3.2.2 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2393,7 +2393,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by tpm2-tss $as_me 3.2.1, which was +It was created by tpm2-tss $as_me 3.2.2, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3257,7 +3257,7 @@ # Define the identity of the package. PACKAGE='tpm2-tss' - VERSION='3.2.1' + VERSION='3.2.2' cat >>confdefs.h <<_ACEOF 
@@ -17542,6 +17542,48 @@ fi fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for curl_url_strerror in -lcurl" >&5 +$as_echo_n "checking for curl_url_strerror in -lcurl... " >&6; } +if ${ac_cv_lib_curl_curl_url_strerror+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lcurl $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char curl_url_strerror (); +int +main () +{ +return curl_url_strerror (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_curl_curl_url_strerror=yes +else + ac_cv_lib_curl_curl_url_strerror=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_curl_curl_url_strerror" >&5 +$as_echo "$ac_cv_lib_curl_curl_url_strerror" >&6; } +if test "x$ac_cv_lib_curl_curl_url_strerror" = xyes; then : + +$as_echo "#define HAVE_CURL_URL_STRERROR 1" >>confdefs.h + +fi + # Check whether --with-tctidefaultmodule was given. @@ -23706,7 +23748,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by tpm2-tss $as_me 3.2.1, which was +This file was extended by tpm2-tss $as_me 3.2.2, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -23773,7 +23815,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/\\""\`\$/\\\\&/g'`" ac_cs_version="\\ -tpm2-tss config.status 3.2.1 +tpm2-tss config.status 3.2.2 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\"
_service:tar_scm:tpm2-tss-3.2.1.tar.gz/configure.ac -> _service:tar_scm:tpm2-tss-3.2.2.tar.gz/configure.ac
Changed
@@ -165,6 +165,7 @@
 AS_IF(test "x$enable_fapi" = xyes , PKG_CHECK_MODULES(CURL, libcurl))
+AC_CHECK_LIB(curl, curl_url_strerror, AC_DEFINE(HAVE_CURL_URL_STRERROR,1, If lib curl has curl_url_strerror function))
 AC_ARG_WITH(tctidefaultmodule, AS_HELP_STRING(--with-tctidefaultmodule,
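Review bot: The new `AC_CHECK_LIB(curl, curl_url_strerror, ...)` probe links against a bare `-lcurl` and runs unconditionally, instead of reusing the `$CURL_LIBS` discovered by the `PKG_CHECK_MODULES(CURL, libcurl)` line just above it and only when FAPI is enabled; on a system where libcurl lives outside the default linker search path the probe fails silently, `HAVE_CURL_URL_STRERROR` stays undefined, and FAPI quietly degrades to logging a bare numeric code even though the function exists. Suggest guarding and feeding it the pkg-config result: `AS_IF([test "x$enable_fapi" = xyes], [saved_LIBS="$LIBS"; LIBS="$CURL_LIBS $LIBS"; AC_CHECK_LIB(curl, curl_url_strerror, AC_DEFINE(HAVE_CURL_URL_STRERROR, 1, [libcurl has curl_url_strerror])); LIBS="$saved_LIBS"])`. The m4 quoting brackets appear to have been stripped from this rendering, so the existing `AS_IF` line is presumably bracketed in the real file.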
_service:tar_scm:tpm2-tss-3.2.1.tar.gz/man/man7/tss2-tcti-swtpm.7 -> _service:tar_scm:tpm2-tss-3.2.2.tar.gz/man/man7/tss2-tcti-swtpm.7
Changed
@@ -32,7 +32,7 @@ .BR tcti-tabrmd (7), .BR tpm2-abrmd (8) .SH COLOPHON -This page is part of release 3.2.1 of Open Source implementation of the +This page is part of release 3.2.2 of Open Source implementation of the TCG TPM2 Software Stack (TSS2). A description of the project, information about reporting bugs, and the latest version of this page can be found at \%https://github.com/tpm2-software/tpm2-tss/.
_service:tar_scm:tpm2-tss-3.2.1.tar.gz/src/tss2-fapi/ifapi_helpers.c -> _service:tar_scm:tpm2-tss-3.2.2.tar.gz/src/tss2-fapi/ifapi_helpers.c
Changed
@@ -2529,8 +2529,12 @@
 CURLUcode url_rc;
 url_rc = curl_url_set(urlp, CURLUPART_URL, (const char *)url, CURLU_ALLOW_SPACE | CURLU_URLENCODE);
 if (url_rc) {
+#ifdef HAVE_CURL_URL_STRERROR
 LOG_ERROR("curl_url_set for CURUPART_URL failed: %s", curl_url_strerror(url_rc));
+#else
+ LOG_ERROR("curl_url_set for CURUPART_URL failed: %u", url_rc);
+#endif
 goto out_easy_cleanup;
 }
 rc = curl_easy_setopt(curl, CURLOPT_CURLU, urlp);
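Review bot: The new fallback `LOG_ERROR("curl_url_set for CURUPART_URL failed: %u", url_rc);` passes a `CURLUcode` enum value to `%u`; an enum argument is promoted as `int`, so the conversion is mismatched under strict `-Wformat` and should be cast explicitly, `(unsigned)url_rc`. The line also copies the pre-existing `CURUPART_URL` typo into a second message while the constant actually passed two lines up is `CURLUPART_URL`, which is worth correcting in both messages while this code is touched so that log greps for the real identifier find it. The enclosing function starts and ends outside the hunk.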
_service:tar_scm:tpm2-tss-3.2.1.tar.gz/src/tss2-rc/tss2_rc.c -> _service:tar_scm:tpm2-tss-3.2.2.tar.gz/src/tss2-rc/tss2_rc.c
Changed
@@ -1,5 +1,8 @@
 /* SPDX-License-Identifier: BSD-2-Clause */
-
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+#include <assert.h>
 #include <stdarg.h>
 #include <stdbool.h>
 #include <stdio.h>
@@ -834,7 +837,7 @@
 static struct {
 char nameTSS2_ERR_LAYER_NAME_MAX;
 TSS2_RC_HANDLER handler;
-} layer_handlerTPM2_ERROR_TSS2_RC_LAYER_COUNT = {
+} layer_handlerTPM2_ERROR_TSS2_RC_LAYER_COUNT + 1 = {
 ADD_HANDLER("tpm" , tpm2_ehandler),
 ADD_NULL_HANDLER, /* layer 1 is unused */
 ADD_NULL_HANDLER, /* layer 2 is unused */
@@ -852,7 +855,7 @@
 /* The RM usually duplicates TPM responses */
 /* So just default the handler to tpm2. */
 ADD_HANDLER("rm", NULL), /* layer 12 is the rm rc */
- ADD_HANDLER("drvr", NULL), /* layer 13 is the driver rc */
+ ADD_HANDLER("policy", tss_err_handler), /* layer 13 is the policy rc */
 };
 
 /**
@@ -869,7 +872,7 @@
 static __thread char buf32;
 
 clearbuf(buf);
- catbuf(buf, "0x%X", tpm2_error_get(rc));
+ catbuf(buf, "0x%X", rc);
 
 return buf;
 }
@@ -966,19 +969,27 @@
 catbuf(buf, "%u:", layer);
 }
 
- handler = !handler ? unknown_layer_handler : handler;
-
 /*
 * Handlers only need the error bits. This way they don't
 * need to concern themselves with masking off the layer
 * bits or anything else.
 */
- UINT16 err_bits = tpm2_error_get(rc);
- const char *e = err_bits ? handler(err_bits) : "success";
- if (e) {
- catbuf(buf, "%s", e);
+ if (handler) {
+ UINT16 err_bits = tpm2_error_get(rc);
+ const char *e = err_bits ? handler(err_bits) : "success";
+ if (e) {
+ catbuf(buf, "%s", e);
+ } else {
+ catbuf(buf, "0x%X", err_bits);
+ }
 } else {
- catbuf(buf, "0x%X", err_bits);
+ /*
+ * we don't want to drop any bits if we don't know what to do with it
+ * so drop the layer byte since we we already have that.
+ */
+ const char *e = unknown_layer_handler(rc >> 8);
+ assert(e);
+ catbuf(buf, "%s", e);
 }
 
 return buf;
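Review bot: The new unknown-layer branch hands `rc >> 8` to `unknown_layer_handler`, which discards the low byte of the error code rather than the layer byte the comment says it drops; the updated unit test in this same revision makes that visible, since a layer-1 code that previously decoded as `1:0x2A` now decodes as `1:0x100` (the layer byte re-emitted, the 0x2A error gone), so a log line for an unregistered layer no longer identifies the actual error. Because `layer` has already been printed by `catbuf(buf, "%u:", layer)`, the value to print is the rc with the layer field masked out using the same mask this file uses to extract `layer`, e.g. `const char *e = unknown_layer_handler(rc & ~TSS2_RC_LAYER_MASK);` (that macro comes from the TSS2 common header and should be confirmed), with the `1:0x100` and `255:0xFFFFFF` expectations in test_tss2_rc.c updated to `1:0x2A` and `255:0xFF00FFFF`. The `+ 1` on the `layer_handler` size is the actual CVE-2023-22745 fix; a comment such as `/* indexed by the 8-bit layer field: 256 entries, not LAYER_COUNT (CVE-2023-22745) */` on the declaration would keep a later edit of the count macro from reintroducing the one-past-the-end write that `Tss2_RC_SetHandler` presumably performs on this table. The array brackets appear stripped in this rendering, and `Tss2_RC_Decode` begins before the hunk.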
_service:tar_scm:tpm2-tss-3.2.1.tar.gz/src/util/log.c -> _service:tar_scm:tpm2-tss-3.2.2.tar.gz/src/util/log.c
Changed
@@ -129,6 +129,12 @@
 vsnprintf(msg, sizeof(msg), fmt, vaargs);
 va_end(vaargs);
 
+ if (!blob) {
+ doLog(loglevel, module, logdefault, status, file, func, line,
+ "%s (size=%zi): (null)", msg, size);
+ return;
+ }
+
 doLog(loglevel, module, logdefault, status, file, func, line,
 "%s (size=%zi):", msg, size);
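Review bot: The added early return reuses the `%zi` conversion of the existing `doLog` call for `size`; if `size` is a `size_t` (its declaration is outside the hunk), the matching conversion is `%zu`, since `%zi` expects a signed `ssize_t` and `-Wformat` flags the pair as mismatched. Suggest `"%s (size=%zu): (null)", msg, size` on the new line and the same change on the existing call so the two stay consistent. A one-line why-comment above the guard, `/* NULL blob: emit the header only, the hex-dump loop below must never dereference it */`, would document the contract the new branch introduces, since the dump loop it protects is outside the hunk. The enclosing function begins before the hunk.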
_service:tar_scm:tpm2-tss-3.2.1.tar.gz/test/unit/test_tss2_rc.c -> _service:tar_scm:tpm2-tss-3.2.2.tar.gz/test/unit/test_tss2_rc.c
Changed
@@ -39,7 +39,7 @@
 "tcti:",
 "rmt",
 "rm",
- "drvr",
+ "policy",
 };
 
 UINT8 layer;
@@ -199,7 +199,7 @@
 * Test an unknown layer
 */
 e = Tss2_RC_Decode(rc);
- assert_string_equal(e, "1:0x2A");
+ assert_string_equal(e, "1:0x100");
 }
 
 static void
@@ -282,6 +282,23 @@
 assert_string_equal(e, "tcti:Fails to connect to next lower layer");
 }
 
+static void
+test_all_FFs(void **state)
+{
+ (void) state;
+
+ const char *e = Tss2_RC_Decode(0xFFFFFFFF);
+ assert_string_equal(e, "255:0xFFFFFF");
+}
+
+static void
+test_all_FFs_set_handler(void **state)
+{
+ (void) state;
+ Tss2_RC_SetHandler(0xFF, "garbage", custom_err_handler);
+ Tss2_RC_SetHandler(0xFF, NULL, NULL);
+}
+
 /* link required symbol, but tpm2_tool.c declares it AND main, which
 * we have a main below for cmocka tests.
 */
@@ -313,6 +330,8 @@
 cmocka_unit_test(test_esys),
 cmocka_unit_test(test_mu),
 cmocka_unit_test(test_tcti),
+ cmocka_unit_test(test_all_FFs),
+ cmocka_unit_test(test_all_FFs_set_handler)
 };
 
 return cmocka_run_group_tests(tests, NULL, NULL);
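Review bot: `test_all_FFs_set_handler` calls `Tss2_RC_SetHandler(0xFF, ...)` twice and asserts nothing, so the one-past-the-end write it is meant to regress-test is only caught when the suite runs under ASan or the clobbered neighbour happens to crash; without a sanitizer a reintroduced overflow passes silently. Add an observable check between the two calls and after the reset, e.g. `assert_string_equal(Tss2_RC_Decode(0xFF000000), "garbage:success");` then `assert_string_equal(Tss2_RC_Decode(0xFF000000), "255:0x0");` — the exact strings depend on how `Tss2_RC_Decode` formats a named layer and a zero error code, which is outside this file, so confirm them against the decoder before pinning. The changed expectation `1:0x100` for a code that used to decode as `1:0x2A` codifies output in which the error byte is no longer visible, which is worth double-checking as intended rather than locking in, and `test_all_FFs` uses only the all-ones value, which cannot distinguish a correct decode from one that shifts bits around; a second case with a distinct middle byte would. The `argv` parameter's array brackets appear stripped in this rendering.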