debcrafters-packages team mailing list archive

[Bug 2130092] [NEW] Merge libtpms from Debian Unstable for resolute

 

Public bug reported:

Scheduled-For: ubuntu-25.11
Ubuntu: 0.9.3-0ubuntu5
Debian Unstable: 0.10.1-2

The current version in Ubuntu went ahead of Debian in the past, so this
package may be diverged from Debian and require more review than usual
to get back to mergeability.

If this package should not be considered for merges or syncs in the
future, you may wish to consider adding it to the `sync-blocklist` at:
https://code.launchpad.net/~ubuntu-archive/+git/sync-blocklist

A new release of libtpms is available for merging from Debian Unstable.

If it turns out this needs a sync rather than a merge, please change the
tagging from ['dcr-merge'] to ['dcr-sync'], and (optionally) update the
title as desired.

### New Debian Changes ###

libtpms (0.10.1-2) unstable; urgency=medium

  * d/t/control: allow-stderr

 -- Luca Boccassi <bluca@xxxxxxxxxx>  Wed, 01 Oct 2025 09:05:28 +0200

libtpms (0.10.1-1) unstable; urgency=medium

  * Implement package salvaging protocol (Closes: #1113720)
  * Import autopkgtest from Ubuntu (Closes: #998654)
  * d/control: bump Standards-Version to 4.7.2, no changes
  * New upstream version 0.10.1 (Closes: #1032182)
  * Drop CVE patches, merged upstream
  * Refresh do_not_inline_makeiv.patch for new upstream release
  * Run wrap-and-sort for build deps
  * Switch from pkg-config to pkgconf
  * Build with package-notes ELF stamping
  * Mark libtpms-dev as MA: same
  * Update symbols file for 0.10.1
  * d/rules: drop unused dh_usrlocal override
  * Enable hardening options
  * Drop 0004-fix-ftbfs-bug.patch, no longer needed
  * Drop do_not_inline_makeiv.patch, no longer needed
  * Rework no_local_check.patch
  * Set forwarded tag in 0003-set-man-page-date-to-last-changelog.patch
  * Add d/salsa-ci.yml
  * Backport patch to fix dist-clean (Closes: #1046479)

 -- Luca Boccassi <bluca@xxxxxxxxxx>  Mon, 22 Sep 2025 12:44:18 +0100


### Old Ubuntu Delta ###

libtpms (0.9.3-0ubuntu5) questing; urgency=medium

  * SECURITY UPDATE: Out of bounds access, denial of service
    - debian/patches/CVE-2025-49133.patch: Fix potential out-of-
      bound access & abort due to HMAC signing issue in tpm2/CryptUtil.c
    - CVE-2025-49133
  * debian/patches/do_not_inline_makeiv.patch: updated patch to set noinline 
    attribute for all arch's instead of just ppc64 to fix compiler warning 
    causing ftbfs in tpm2/AlgorithmTests.c
  * debian/patches/fix_ftbfs_crpytomacend.patch: add assertions to quiet
    compiler warning causing ftbfs in tpm2/crypto/openssl/CryptCmacEnd.c

 -- Elise Hlady <elise.hlady@xxxxxxxxxxxxx>  Wed, 25 Jun 2025 11:54:50 -0700

libtpms (0.9.3-0ubuntu4) noble; urgency=medium

  * No-change rebuild for CVE-2024-3094

 -- Steve Langasek <steve.langasek@xxxxxxxxxx>  Sun, 31 Mar 2024 19:48:06 +0000

libtpms (0.9.3-0ubuntu3) noble; urgency=medium

  * No-change rebuild against libssl3t64

 -- Steve Langasek <steve.langasek@xxxxxxxxxx>  Mon, 04 Mar 2024 18:29:28 +0000

libtpms (0.9.3-0ubuntu2) lunar; urgency=medium

  * SECURITY UPDATE: out-of-bounds read/write
    - debian/patches/CVE-2023-1017_1018.patch: add a buffer size check and
      properly reduce bufferSize variable by the number of bytes that make
      up the cipherSize in CryptParameterDecryption() in
      src/tpm2/CryptUtil.c
    - CVE-2023-1017
    - CVE-2023-1018
  * SECURITY UPDATE: out-of-bounds read
    - debian/patches/tpm2-Check-size-of-TPM2B_NAME.patch: add a buffer
      size check in TPM2_PolicyAuthorize() in src/tpm2/EACommands.c.
    - No CVE number

 -- Rodrigo Figueiredo Zaiden <rodrigo.zaiden@xxxxxxxxxxxxx>  Wed, 01 Mar 2023 18:23:14 -0300

libtpms (0.9.3-0ubuntu1) jammy; urgency=medium

  * merge 0.9.3 from upstream to stabilize libtpms in jammy; related to
    but not fixing (LP: 1948748)
    - d/p/lp-1948748-tpm2-Address-Coverity-Issue-by-casting-1-before-shif.patch:
      avoid bad shift
    - drop d/p/fix-openssl3-compat.patch: part of 0.9.3
    - drop d/p/uninitialized-variable.patch: no more needed
    - ppc64 fixes from upstream as identified and added to debian 0.9.2-3
      + d/p/do_not_inline_makeiv.patch
      + d/p/no_local_check.patch
    - d/p/lp-1948748-tpm2-Check-return-code-of-BN_div.patch: fix
      coverity finding

 -- Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>  Wed, 30 Mar 2022 09:04:10 +0200

libtpms (0.9.0-0ubuntu4) jammy; urgency=medium

  * d/p/fix-openssl3-compat.patch: Cherry-picked from upstream (LP: #1962601)

 -- Simon Chopin <simon.chopin@xxxxxxxxxxxxx>  Thu, 24 Mar 2022 19:11:59 +0100

libtpms (0.9.0-0ubuntu3) jammy; urgency=medium

  * No-change rebuild against openssl3

 -- Simon Chopin <simon.chopin@xxxxxxxxxxxxx>  Wed, 24 Nov 2021 13:54:17 +0000

libtpms (0.9.0-0ubuntu2) jammy; urgency=medium

  * Add autopkgtest.

 -- Steve Langasek <steve.langasek@xxxxxxxxxx>  Fri, 05 Nov 2021 16:10:38 +0000

libtpms (0.9.0-0ubuntu1) jammy; urgency=medium

  * New upstream release.

 -- Steve Langasek <steve.langasek@xxxxxxxxxx>  Thu, 04 Nov 2021 14:46:26 -0700

libtpms (0.8.2-1ubuntu1) impish; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - debian/patches/uninitialized-variable.patch: fix issues of variables
      that may be used before initialization.

 -- Steve Langasek <steve.langasek@xxxxxxxxxx>  Tue, 27 Apr 2021 23:55:31 -0700

** Affects: libtpms (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: dcr-merge

** Changed in: libtpms (Ubuntu)
    Milestone: None => ubuntu-25.11

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to libtpms in Ubuntu.
https://bugs.launchpad.net/bugs/2130092
