From 6848f4dcdec545d6ee1639a5a3591f9f039e439d Mon Sep 17 00:00:00 2001
From: Muhammad Falak R Wani
Date: Fri, 8 Sep 2023 12:48:09 +0530
Subject: [PATCH] Upgrade opencryptoki 3.13.0 -> 3.17.0 to address CVE-2021-3798 (#6163)
Signed-off-by: Muhammad Falak R Wani
---
 .../opencryptoki/opencryptoki.signatures.json | 8 +-
 SPECS-EXTENDED/opencryptoki/opencryptoki.spec | 140 +++++++++---------
 cgmanifest.json | 4 +-
 3 files changed, 76 insertions(+), 76 deletions(-)
diff --git a/SPECS-EXTENDED/opencryptoki/opencryptoki.signatures.json b/SPECS-EXTENDED/opencryptoki/opencryptoki.signatures.json
index 004a29e29b..06351a648e 100644
--- a/SPECS-EXTENDED/opencryptoki/opencryptoki.signatures.json
+++ b/SPECS-EXTENDED/opencryptoki/opencryptoki.signatures.json
@@ -1,6 +1,6 @@
 {
- "Signatures": {
- "opencryptoki-3.13.0.tar.gz": "af2983bb9d8059bbad604c562cb7d78e59f999f597cff0a02ab7763064301f39",
- "opencryptoki.module": "d335359abeb5d4d1e684841f055ac99b98e8fcc77578e480ef86ef2621ab363d"
- }
+ "Signatures": {
+ "opencryptoki.module": "d335359abeb5d4d1e684841f055ac99b98e8fcc77578e480ef86ef2621ab363d",
+ "opencryptoki-3.17.0.tar.gz": "785596925738855b33b29bdff2399f613b892e7c6000d9ffbf79fe32c2aeaeee"
+ }
 }
\ No newline at end of file
diff --git a/SPECS-EXTENDED/opencryptoki/opencryptoki.spec b/SPECS-EXTENDED/opencryptoki/opencryptoki.spec
index e6eb8da1af..f570084b8e 100644
--- a/SPECS-EXTENDED/opencryptoki/opencryptoki.spec
+++ b/SPECS-EXTENDED/opencryptoki/opencryptoki.spec
@@ -1,41 +1,38 @@ +Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11 +Name: opencryptoki +Version: 3.17.0 +Release: 1%{?dist} +License: CPL Vendor: Microsoft Corporation Distribution: Mariner -Name: opencryptoki -Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11 -Version: 3.13.0 -Release: 2%{?dist} -License: CPL -URL: https://github.com/opencryptoki/opencryptoki -Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz -Source1: opencryptoki.module +URL: https://github.com/opencryptoki/opencryptoki +Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz +Source1: opencryptoki.module # https://bugzilla.redhat.com/show_bug.cgi?id=732756 -Patch0: opencryptoki-3.11.0-group.patch - +Patch0: opencryptoki-3.11.0-group.patch # bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/* -Patch1: opencryptoki-3.11.0-lockdir.patch - -# Use --no-undefined to debug missing symbols -#Patch100: %%{name}-3.2-no-undefined.patch - -Requires(pre): coreutils -BuildRequires: gcc -BuildRequires: openssl-devel -BuildRequires: trousers-devel -BuildRequires: openldap-devel -BuildRequires: autoconf automake libtool -BuildRequires: bison flex -BuildRequires: systemd -BuildRequires: expect +Patch1: opencryptoki-3.11.0-lockdir.patch +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: bison +BuildRequires: expect +BuildRequires: flex +BuildRequires: gcc +BuildRequires: libtool +BuildRequires: openldap-devel +BuildRequires: openssl-devel +BuildRequires: systemd +BuildRequires: trousers-devel +Requires: %{name}(token) +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires(post): systemd +Requires(postun): systemd +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires(pre): coreutils +Requires(preun): systemd %ifarch s390 s390x -BuildRequires: libica-devel >= 2.3 +BuildRequires: libica-devel >= 2.3 %endif -Requires(pre): 
%{name}-libs%{?_isa} = %{version}-%{release} -Requires: %{name}-libs%{?_isa} = %{version}-%{release} -Requires: %{name}(token) -Requires(post): systemd -Requires(preun): systemd -Requires(postun): systemd - %description Opencryptoki implements the PKCS#11 specification v2.11 for a set of @@ -45,10 +42,9 @@ token implementation that can be used without any cryptographic hardware. This package contains the Slot Daemon (pkcsslotd) and general utilities. - %package libs -Summary: The run-time libraries for opencryptoki package -Requires(pre): shadow-utils +Summary: The run-time libraries for opencryptoki package +Requires(pre): shadow-utils %description libs Opencryptoki implements the PKCS#11 specification v2.11 for a set of @@ -60,21 +56,19 @@ This package contains the PKCS#11 library implementation, and requires at least one token implementation (packaged separately) to be fully functional. - %package devel -Summary: Development files for openCryptoki -Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Summary: Development files for openCryptoki +Requires: %{name}-libs%{?_isa} = %{version}-%{release} %description devel This package contains the development header files for building opencryptoki and PKCS#11 based applications - %package swtok -Summary: The software token implementation for opencryptoki -Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} -Requires: %{name}-libs%{?_isa} = %{version}-%{release} -Provides: %{name}(token) +Summary: The software token implementation for opencryptoki +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) %description swtok Opencryptoki implements the PKCS#11 specification v2.11 for a set of 
@@ -85,12 +79,11 @@ hardware. This package brings the software token implementation to use opencryptoki without any specific cryptographic hardware. - %package tpmtok -Summary: Trusted Platform Module (TPM) device support for opencryptoki -Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} -Requires: %{name}-libs%{?_isa} = %{version}-%{release} -Provides: %{name}(token) +Summary: Trusted Platform Module (TPM) device support for opencryptoki +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) %description tpmtok Opencryptoki implements the PKCS#11 specification v2.11 for a set of @@ -101,12 +94,11 @@ hardware. This package brings the necessary libraries and files to support Trusted Platform Module (TPM) devices in the opencryptoki stack. - %package icsftok -Summary: ICSF token support for opencryptoki -Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} -Requires: %{name}-libs%{?_isa} = %{version}-%{release} -Provides: %{name}(token) +Summary: ICSF token support for opencryptoki +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) %description icsftok Opencryptoki implements the PKCS#11 specification v2.11 for a set of 
@@ -117,13 +109,12 @@ hardware. This package brings the necessary libraries and files to support ICSF token in the opencryptoki stack. - %ifarch s390 s390x %package icatok -Summary: ICA cryptographic devices (clear-key) support for opencryptoki -Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} -Requires: %{name}-libs%{?_isa} = %{version}-%{release} -Provides: %{name}(token) +Summary: ICA cryptographic devices (clear-key) support for opencryptoki +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) %description icatok Opencryptoki implements the PKCS#11 specification v2.11 for a set of @@ -137,10 +128,10 @@ cryptographic hardware such as IBM 4764 or 4765 that uses the "accelerator" or "clear-key" path. %package ccatok -Summary: CCA cryptographic devices (secure-key) support for opencryptoki -Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} -Requires: %{name}-libs%{?_isa} = %{version}-%{release} -Provides: %{name}(token) +Summary: CCA cryptographic devices (secure-key) support for opencryptoki +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) %description ccatok Opencryptoki implements the PKCS#11 specification v2.11 for a set of 
@@ -154,10 +145,10 @@ cryptographic hardware such as IBM 4764 or 4765 that uses the "co-processor" or "secure-key" path. %package ep11tok -Summary: CCA cryptographic devices (secure-key) support for opencryptoki -Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} -Requires: %{name}-libs%{?_isa} = %{version}-%{release} -Provides: %{name}(token) +Summary: CCA cryptographic devices (secure-key) support for opencryptoki +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) %description ep11tok Opencryptoki implements the PKCS#11 specification v2.11 for a set of @@ -190,8 +181,8 @@ make %{?_smp_mflags} CHGRP=/bin/true %install -make install DESTDIR=$RPM_BUILD_ROOT CHGRP=/bin/true -install -Dpm 644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/p11-kit/modules/opencryptoki.module +make install DESTDIR=%{buildroot} CHGRP=/bin/true +install -Dpm 644 %{SOURCE1} %{buildroot}%{_datadir}/p11-kit/modules/opencryptoki.module %pre libs @@ -210,7 +201,6 @@ fi %postun %systemd_postun_with_restart pkcsslotd.service - %files %doc ChangeLog FAQ README.md %doc doc/opencryptoki-howto.md @@ -221,8 +211,13 @@ fi %{_unitdir}/pkcsslotd.service %{_sbindir}/pkcsconf %{_sbindir}/pkcsslotd +%{_sbindir}/p11sak +%{_sbindir}/pkcstok_migrate %{_mandir}/man1/pkcsconf.1* +%{_mandir}/man1/p11sak.1* +%{_mandir}/man1/pkcstok_migrate.1* %{_mandir}/man5/%{name}.conf.5* +%{_mandir}/man5/p11sak_defined_attrs.conf.5* %{_mandir}/man7/%{name}.7* %{_mandir}/man8/pkcsslotd.8* %{_libdir}/opencryptoki/methods @@ -237,7 +232,7 @@ fi %{_sysconfdir}/ld.so.conf.d/* # Unversioned .so symlinks usually belong to -devel packages, but opencryptoki # needs them in the main package, because: -# documentation suggests that programs should dlopen "PKCS11_API.so". +# documentation suggests that programs should dlopen "PKCS11_API.so". %dir %{_libdir}/opencryptoki %{_libdir}/opencryptoki/libopencryptoki.* %{_libdir}/opencryptoki/PKCS11_API.so 
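Review bot: The `%package ep11tok` Summary in the `@@ -154,10 +145,10 @@` hunk still reads "CCA cryptographic devices (secure-key) support for opencryptoki", the same text as `%package ccatok` in the hunk before it, so package listings cannot tell the two tokens apart. The commit re-aligns this line without correcting it; a summary that names the EP11 token, for example `Summary: EP11 cryptographic devices (secure-key) support for opencryptoki`, would match the subpackage. The `%description ep11tok` text continues outside the hunk.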
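Review bot: The added `%{_mandir}/man5/p11sak_defined_attrs.conf.5*` entry in the `@@ -221,8 +211,13 @@` hunk packages the man page for a configuration file, but no hunk in this patch adds a `%files` entry for the configuration file itself. If 3.17.0 installs `p11sak_defined_attrs.conf` under `%{_sysconfdir}/%{name}`, it should be listed as `%config(noreplace) %{_sysconfdir}/%{name}/p11sak_defined_attrs.conf` so that local edits survive package upgrades. If it is instead picked up by an existing directory entry, it loses that protection. The rest of the `%files` list lies outside the hunk, so this needs checking against the full spec.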
@@ -306,6 +301,11 @@ fi %changelog +* Mon Sep 04 2023 Muhammad Falak - 3.17.0-1 +- Upgrade version to address CVE-2021-3798 +- Lint spec +- License verified + * Thu Mar 18 2021 Henry Li - 3.13.0-2 - Initial CBL-Mariner import from Fedora 32 (license: MIT). - Remove libitm-devel from build requirement because gcc already includes the necessary binaries it covers diff --git a/cgmanifest.json b/cgmanifest.json index e439c59314..7a09a2f0c5 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -15244,8 +15244,8 @@ "type": "other", "other": { "name": "opencryptoki", - "version": "3.13.0", - "downloadUrl": "https://github.com/opencryptoki/opencryptoki/archive/v3.13.0/opencryptoki-3.13.0.tar.gz" + "version": "3.17.0", + "downloadUrl": "https://github.com/opencryptoki/opencryptoki/archive/v3.17.0/opencryptoki-3.17.0.tar.gz" } } },