package/tpm2-tools: security bump to version 4.3.2

- Fix CVE-2021-3565: A flaw was found in tpm2-tools in versions before
  5.1.1 and before 4.3.2. tpm2_import used a fixed AES key for the inner
  wrapper, potentially allowing a MITM attacker to unwrap the inner
  portion and reveal the key being imported. The highest threat from
  this vulnerability is to data confidentiality.
- LICENSE moved in doc directory since
  https://github.com/tpm2-software/tpm2-tools/commit/23aa5dca660f596b2ad89542d5100bd4ef0c871a
  and hash updated due to the following line added with
  https://github.com/tpm2-software/tpm2-tools/commit/305011b2a7d091740fa01dbfbd27a48a76f670f7
  Copyright 2019      Fraunhofer SIT sponsored by Infineon Technologies AG
- libuuid and wchar (for mbstate_t) are mandatory since version 4.2 and
  https://github.com/tpm2-software/tpm2-tools/commit/eca77c1419617a8e2d6d8008bac716878b0c27ca

https://github.com/tpm2-software/tpm2-tools/blob/4.3.2/doc/CHANGELOG.md

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

diff --git a/package/tpm2-tools/Config.in b/package/tpm2-tools/Config.in
index 35ca63bf64d222c1f04923c532f365f8e2970777..cbdfeb6801736704814c1df91b5e3910c6c5a205 100644 (file)
--- a/package/tpm2-tools/Config.in
+++ b/package/tpm2-tools/Config.in
@@ -1,9 +1,12 @@
 config BR2_PACKAGE_TPM2_TOOLS
        bool "tpm2-tools"
        depends on !BR2_STATIC_LIBS # tpm2-tss
+       depends on BR2_USE_WCHAR
        select BR2_PACKAGE_LIBCURL
        select BR2_PACKAGE_OPENSSL
        select BR2_PACKAGE_TPM2_TSS
+       select BR2_PACKAGE_UTIL_LINUX
+       select BR2_PACKAGE_UTIL_LINUX_LIBUUID
        help
          TPM (Trusted Platform Module) 2.0 CLI tools based on system
          API of TPM2-TSS. These tools can be used to manage keys,
@@ -18,5 +21,5 @@ config BR2_PACKAGE_TPM2_TOOLS
 
          https://github.com/tpm2-software/tpm2-tools
 
-comment "tpm2-tools needs a toolchain w/ dynamic library"
-       depends on BR2_STATIC_LIBS
+comment "tpm2-tools needs a toolchain w/ dynamic library, wchar"
+       depends on BR2_STATIC_LIBS || !BR2_USE_WCHAR

diff --git a/package/tpm2-tools/tpm2-tools.hash b/package/tpm2-tools/tpm2-tools.hash
index dd55834825d42bcf9044b2939bdc23f9d287815f..bfb7e9b2207fe4b3a862e63ddafb1c41f46e1084 100644 (file)
--- a/package/tpm2-tools/tpm2-tools.hash
+++ b/package/tpm2-tools/tpm2-tools.hash
@@ -1,3 +1,3 @@
 # Locally computed:
-sha256  175472b63d1e047c2ad38314d06c36bd734ae37e0c6abfa2a804c0d6eb3f2936  tpm2-tools-4.1.2.tar.gz
-sha256  e10dce74279166bf7bc463eb6e462c2025bceb3e50cadfe865d92c1c3dc0bb21  LICENSE
+sha256  e2802d4093a24b2c65b1f913d0f4c68eadde9b8fd8a9b7a3b17a6e50765e8350  tpm2-tools-4.3.2.tar.gz
+sha256  f6995d52c8b8e4d2c3bace7fc9c330a77a90d808166fbad4d7ead7e8ba2fc66c  doc/LICENSE

diff --git a/package/tpm2-tools/tpm2-tools.mk b/package/tpm2-tools/tpm2-tools.mk
index 83be53d54be434a1166ea0027e08a57e8b01f8cc..e83db416aa919847a2c8be74705119679bdc8b3d 100644 (file)
--- a/package/tpm2-tools/tpm2-tools.mk
+++ b/package/tpm2-tools/tpm2-tools.mk
@@ -4,11 +4,11 @@
 #
 ################################################################################
 
-TPM2_TOOLS_VERSION = 4.1.2
+TPM2_TOOLS_VERSION = 4.3.2
 TPM2_TOOLS_SITE = https://github.com/tpm2-software/tpm2-tools/releases/download/$(TPM2_TOOLS_VERSION)
 TPM2_TOOLS_LICENSE = BSD-3-Clause
-TPM2_TOOLS_LICENSE_FILES = LICENSE
-TPM2_TOOLS_DEPENDENCIES = libcurl openssl tpm2-tss host-pkgconf
+TPM2_TOOLS_LICENSE_FILES = doc/LICENSE
+TPM2_TOOLS_DEPENDENCIES = libcurl openssl tpm2-tss host-pkgconf util-linux
 
 # -fstack-protector-all and FORTIFY_SOURCE=2 is used by
 # default. Disable that so the BR2_SSP_* / BR2_FORTIFY_SOURCE_* options