app-crypt/libtpms: Bump to 0.8.2 #19630

Closed
wants to merge 2 commits into from

salahcoronya
Contributor

The fact that RSA keys are not as strong as they should be is disclosed in this version:

Note: The TPM 2 implementation returns 2048 bit keys with ~1984 bit
strength due to a bug in the TPM 2 key creation algo that cannot
easily be fixed. The bug is in RsaAjustPrimeCandidate, which is
called before the prime number check.

See stefanberger/libtpms#183

@gentoo-bot gentoo-bot added self-maintained The PR changes only packages that are maintained by the submitter (i.e. no need to ask anybody else) assigned PR successfully assigned to the package maintainer(s). labels Feb 24, 2021
@gentoo-repo-qa-bot
Collaborator

Pull request CI report

Report generated at: 2021-02-24 15:55 UTC
Newest commit scanned: 6ab955f
Status: ✅ good

There are existing issues already. Please look into the report to make sure none of them affect the packages in question:
https://qa-reports.gentoo.org/output/gentoo-ci/79cb5e25b3/output.html

@thesamesam
Member

That's probably a candidate for a security bug. Could you file one?

@salahcoronya salahcoronya changed the title app-crypt/libtpms: Bump to 0.7.5 app-crypt/libtpms: Bump to 0.7.5 [please reassign] Feb 24, 2021
@gentoo-bot gentoo-bot changed the title app-crypt/libtpms: Bump to 0.7.5 [please reassign] app-crypt/libtpms: Bump to 0.7.5 Feb 24, 2021
@gentoo-bot

Pull Request assignment

Submitter: @salahcoronya
Areas affected: ebuilds
Packages affected: dev-libs/libtpms

dev-libs/libtpms: @salahcoronya, @gentoo/proxy-maint

Linked bugs

Bugs linked: 772410


In order to force reassignment and/or bug reference scan, please append [please reassign] to the pull request title.

Docs: Code of Conduct ● Copyright policy (expl.) ● Devmanual ● GitHub PRs ● Proxy-maint guide

@gentoo-bot gentoo-bot added self-maintained The PR changes only packages that are maintained by the submitter (i.e. no need to ask anybody else) assigned PR successfully assigned to the package maintainer(s). bug linked Bug/Closes found in footer, and cross-linked with the PR. security PR that needs to be merged promptly as it addresses security issues and removed assigned PR successfully assigned to the package maintainer(s). self-maintained The PR changes only packages that are maintained by the submitter (i.e. no need to ask anybody else) labels Feb 24, 2021
@gentoo-repo-qa-bot
Collaborator

Pull request CI report

Report generated at: 2021-02-24 18:55 UTC
Newest commit scanned: 9ce145a
Status: ✅ good

There are existing issues already. Please look into the report to make sure none of them affect the packages in question:
https://qa-reports.gentoo.org/output/gentoo-ci/c14abd5f4f/output.html

@salahcoronya salahcoronya changed the title app-crypt/libtpms: Bump to 0.7.5 app-crypt/libtpms: Bump to 0.7.5 and 0.8.0 Feb 25, 2021
@gentoo-repo-qa-bot
Collaborator

Pull request CI report

Report generated at: 2021-02-25 04:50 UTC
Newest commit scanned: 8251c72
Status: ✅ good

There are existing issues already. Please look into the report to make sure none of them affect the packages in question:
https://qa-reports.gentoo.org/output/gentoo-ci/2d6bdd6427/output.html

@salahcoronya salahcoronya changed the title app-crypt/libtpms: Bump to 0.7.5 and 0.8.0 app-crypt/libtpms: Bump to 0.8.0 Feb 27, 2021
@gentoo-repo-qa-bot
Collaborator

Pull request CI report

Report generated at: 2021-02-27 03:15 UTC
Newest commit scanned: cc9c5f4
Status: ✅ good

There are existing issues already. Please look into the report to make sure none of them affect the packages in question:
https://qa-reports.gentoo.org/output/gentoo-ci/33b46eeb5a/output.html

Bug: https://bugs.gentoo.org/772410
Package-Manager: Portage-3.0.13, Repoman-3.0.2
Signed-off-by: Salah Coronya <salah.coronya@gmail.com>
Package-Manager: Portage-3.0.13, Repoman-3.0.2
Signed-off-by: Salah Coronya <salah.coronya@gmail.com>
@salahcoronya salahcoronya changed the title app-crypt/libtpms: Bump to 0.8.0 app-crypt/libtpms: Bump to 0.8.2 Mar 2, 2021
@salahcoronya
Contributor Author

Upstream has released version 0.8.2 with the following note:

CryptSym: fix AES output IV
A CVE has been filed for this bugfix. Unfortunately multi-step encrypted
data won't decrypt anymore but are now compatible with other TPM 2 devices.

@gentoo-repo-qa-bot
Collaborator

Pull request CI report

Report generated at: 2021-03-02 16:40 UTC
Newest commit scanned: 8e696e3
Status: ✅ good

There are existing issues already. Please look into the report to make sure none of them affect the packages in question:
https://qa-reports.gentoo.org/output/gentoo-ci/a2ed9ddc62/output.html

Comment on lines 1 to 13
diff --git a/configure.ac b/configure.ac
index 40d2c7f..809f8e0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -304,7 +304,7 @@ if test "x$enable_hardening" != "xno"; then
AC_SUBST([HARDENING_LDFLAGS])
fi

-CFLAGS="$CFLAGS $COVERAGE_CFLAGS -Wall -Werror -Wreturn-type -Wsign-compare -Wno-self-assign"
+CFLAGS="$CFLAGS $COVERAGE_CFLAGS -Wall -Wreturn-type -Wsign-compare -Wno-self-assign"
CFLAGS="$CFLAGS -Wmissing-prototypes"
LDFLAGS="$LDFLAGS $COVERAGE_LDFLAGS"
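
Review bot: -Werror on the first CFLAGS line would be better made optional than deleted outright, because the deletion applies to every build, including upstream's own development and CI builds where failing on a new warning is useful. A configure switch (for example a hypothetical --disable-werror handled with AC_ARG_ENABLE, in the same style as the enable_hardening test just above) would let distributions opt out without carrying a patch, and is the form most likely to be accepted upstream. With -Wall, -Wreturn-type and -Wsign-compare kept, the warnings are still emitted but no longer stop the build, so they need to be checked in the build log.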

Member

Any chance to get this upstreamed? It's annoying having to carry this kind of patch around version after version.

@gentoo-bot gentoo-bot closed this in 305e05f Mar 6, 2021
@salahcoronya salahcoronya deleted the libtpms branch May 20, 2021 01:02
Labels
assigned PR successfully assigned to the package maintainer(s). bug linked Bug/Closes found in footer, and cross-linked with the PR. security PR that needs to be merged promptly as it addresses security issues self-maintained The PR changes only packages that are maintained by the submitter (i.e. no need to ask anybody else)