diff --git a/SOURCES/0001-lib-files-fix-an-error-message-in-files_load_-name.patch b/SOURCES/0001-lib-files-fix-an-error-message-in-files_load_-name.patch
new file mode 100644
index 0000000..0e0ccb2
--- /dev/null
+++ b/SOURCES/0001-lib-files-fix-an-error-message-in-files_load_-name.patch
@@ -0,0 +1,26 @@
+From 012249ad9d06d7534a94690a33638691f5104839 Mon Sep 17 00:00:00 2001
+From: Radoslav Gerganov <rgerganov@vmware.com>
+Date: Wed, 26 Feb 2020 10:40:26 +0200
+Subject: [PATCH] lib/files: fix an error message in files_load_##name
+
+Signed-off-by: Radoslav Gerganov <rgerganov@vmware.com>
+---
+ lib/files.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/files.c b/lib/files.c
+index a6beea5b8ff2..ef2170b079e1 100644
+--- a/lib/files.c
++++ b/lib/files.c
+@@ -687,7 +687,7 @@ tool_rc files_save_ESYS_TR(ESYS_CONTEXT *ectx, ESYS_TR handle, const char *path)
+         size_t offset = 0; \
+         TSS2_RC rc = Tss2_MU_##type##_Unmarshal(buffer, size, &offset, name); \
+         if (rc != TSS2_RC_SUCCESS) { \
+-            LOG_ERR("Error serializing "str(name)" structure: 0x%x", rc); \
++            LOG_ERR("Error deserializing "str(name)" structure: 0x%x", rc); \
+             LOG_ERR("The input file needs to be a valid "xstr(type)" data structure"); \
+             return false; \
+         } \
+-- 
+2.31.0
+
diff --git a/SOURCES/0001-lib-files.c-Fix-an-issue-where-execution-could-not-r.patch b/SOURCES/0001-lib-files.c-Fix-an-issue-where-execution-could-not-r.patch
new file mode 100644
index 0000000..2039f11
--- /dev/null
+++ b/SOURCES/0001-lib-files.c-Fix-an-issue-where-execution-could-not-r.patch
@@ -0,0 +1,42 @@
+From a20415d6f1d3fa09300ff1181646fe7e1785fd15 Mon Sep 17 00:00:00 2001
+From: Imran Desai <imran.desai@intel.com>
+Date: Sun, 29 Mar 2020 10:14:28 -0700
+Subject: [PATCH] lib/files.c: Fix an issue where execution could not reach
+ function return
+
+Signed-off-by: Imran Desai <imran.desai@intel.com>
+---
+ lib/files.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/lib/files.c b/lib/files.c
+index ef2170b079e1..501f88d11b48 100644
+--- a/lib/files.c
++++ b/lib/files.c
+@@ -607,9 +607,7 @@ bool files_load_bytes_from_buffer_or_file_or_stdin(const char *input_buffer,
+         return true;
+     }
+ 
+-//    printf("Reading file: %s\n", path);
+-//    printf("size: %u\n", *size);
+-
++    bool retval = true;
+     /* Read from stdin */
+     if (!input_buffer && !path) {
+         UINT16 read_bytes = 0;
+@@ -640,10 +638,10 @@ bool files_load_bytes_from_buffer_or_file_or_stdin(const char *input_buffer,
+             return true;
+         }
+     } else if (path) {
+-        return files_load_bytes_from_path(path, buf, size);
++        retval = files_load_bytes_from_path(path, buf, size);
+     }
+ 
+-    return false;
++    return retval;
+ }
+ 
+ tool_rc files_save_ESYS_TR(ESYS_CONTEXT *ectx, ESYS_TR handle, const char *path) {
+-- 
+2.31.0
+
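Review bot: Initialising `retval` to `true` in files_load_bytes_from_buffer_or_file_or_stdin makes the final `return retval;` fail open. Any path that leaves the stdin branch without an explicit return now reports success, where the removed `return false;` reported failure. Most of the stdin branch is outside the hunk, so whether such a path exists cannot be confirmed from here. If every success path in that branch returns explicitly, `bool retval = false;` keeps the old fail-safe default and lets only files_load_bytes_from_path() turn it into success. A comment on the declaration such as `/* stays false unless a load path succeeds */` would record the intent.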
diff --git a/SOURCES/0001-tools-tpm2_nvcertify.c-Fix-incompatible-pointer-cast.patch b/SOURCES/0001-tools-tpm2_nvcertify.c-Fix-incompatible-pointer-cast.patch
new file mode 100644
index 0000000..509e6dc
--- /dev/null
+++ b/SOURCES/0001-tools-tpm2_nvcertify.c-Fix-incompatible-pointer-cast.patch
@@ -0,0 +1,63 @@
+From 77d4592e3eec9ec2c7932586f41f925b43ecc5ba Mon Sep 17 00:00:00 2001
+From: Imran Desai <imran.desai@intel.com>
+Date: Sun, 29 Mar 2020 10:22:42 -0700
+Subject: [PATCH] tools/tpm2_nvcertify.c: Fix incompatible pointer cast that
+ may cause memory leak
+
+Pointer "&ctx.size" and "&ctx.offset" points to an object whose effective type is
+"unsigned short" (16 bits, unsigned) but is dereferenced as a wider
+"unsigned int" (32 bits, unsigned). This may lead to memory corruption.
+
+Signed-off-by: Imran Desai <imran.desai@intel.com>
+---
+ tools/tpm2_nvcertify.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/tools/tpm2_nvcertify.c b/tools/tpm2_nvcertify.c
+index b49f38dbff20..414cbea85574 100644
+--- a/tools/tpm2_nvcertify.c
++++ b/tools/tpm2_nvcertify.c
+@@ -80,6 +80,7 @@ static bool set_signature_format(char *value) {
+ static bool on_option(char key, char *value) {
+ 
+     bool result = true;
++    uint32_t input_value;
+ 
+     switch (key) {
+     case 'C':
+@@ -110,18 +111,30 @@ static bool on_option(char key, char *value) {
+         ctx.policy_qualifier_arg = value;
+         break;
+     case 0:
+-        result = tpm2_util_string_to_uint32(value, (uint32_t*)&ctx.size);
++        result = tpm2_util_string_to_uint32(value, &input_value);
+         if (!result) {
+             LOG_ERR("Could not convert size to number, got: \"%s\"", value);
+             return false;
+         }
++        if (input_value > UINT16_MAX) {
++            LOG_ERR("Specified size is larger than that allowed by command");
++            return false;
++        } else {
++            ctx.size = input_value;
++        }
+         break;
+     case 1:
+-        result = tpm2_util_string_to_uint32(value, (uint32_t*)&ctx.offset);
++        result = tpm2_util_string_to_uint32(value, &input_value);
+         if (!result) {
+             LOG_ERR("Could not convert offset to number, got: \"%s\"", value);
+             return false;
+         }
++        if (input_value > UINT16_MAX) {
++            LOG_ERR("Specified offset is larger than that allowed by command");
++            return false;
++        } else {
++            ctx.offset = input_value;
++        }
+         break;
+     case 2:
+         ctx.certify_info_path = value;
+-- 
+2.31.0
+
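Review bot: The two new range checks in on_option (cases 0 and 1) place the assignment in an `else` after `return false;` and narrow `input_value` implicitly into fields the commit message describes as 16 bits wide. Dropping the `else` and making the narrowing explicit reads more directly and stays quiet under -Wconversion: `ctx.size = (uint16_t) input_value;` and the same for `ctx.offset`. The new error messages could also report the rejected value, as the conversion-failure messages above them do, e.g. `LOG_ERR("Specified size is larger than that allowed by command, got: %" PRIu32, input_value);`. on_option continues outside the hunk.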
diff --git a/SOURCES/0001-tools-tpm2_nvreadpublic-Fix-resource-leak.patch b/SOURCES/0001-tools-tpm2_nvreadpublic-Fix-resource-leak.patch
new file mode 100644
index 0000000..7d53c71
--- /dev/null
+++ b/SOURCES/0001-tools-tpm2_nvreadpublic-Fix-resource-leak.patch
@@ -0,0 +1,25 @@
+From 023ec5c0eafe8dfb5b71e400cb0c2c337fb8c108 Mon Sep 17 00:00:00 2001
+From: Imran Desai <imran.desai@intel.com>
+Date: Sun, 29 Mar 2020 10:49:12 -0700
+Subject: [PATCH] tools/tpm2_nvreadpublic: Fix resource leak
+
+Signed-off-by: Imran Desai <imran.desai@intel.com>
+---
+ tools/tpm2_nvreadpublic.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/tpm2_nvreadpublic.c b/tools/tpm2_nvreadpublic.c
+index 7f8e46cbf863..eca1fd715a79 100644
+--- a/tools/tpm2_nvreadpublic.c
++++ b/tools/tpm2_nvreadpublic.c
+@@ -41,6 +41,7 @@ static tool_rc print_nv_public(ESYS_CONTEXT *context, TPMI_RH_NV_INDEX index, TP
+     rc = tpm2_tr_get_name(context, tr_handle,
+             &name);
+     if (rc != tool_rc_success) {
++        free(attrs);
+         return rc;
+     }
+ 
+-- 
+2.31.0
+
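Review bot: The added `free(attrs);` covers only the tpm2_tr_get_name() failure path in print_nv_public. Any other early return between the allocation of `attrs` and its normal release would leak in the same way, but those lines are outside the hunk and cannot be checked from here. A single exit label would cover every path and avoid repeating the free at each return: `goto out;` at the failure sites, with `out: free(attrs); return rc;` at the end.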
diff --git a/SOURCES/0001-tpm2_getekcertificate-add-default-web-address.patch b/SOURCES/0001-tpm2_getekcertificate-add-default-web-address.patch
new file mode 100644
index 0000000..0183c76
--- /dev/null
+++ b/SOURCES/0001-tpm2_getekcertificate-add-default-web-address.patch
@@ -0,0 +1,49 @@
+From 8c72f7402d8977807f531b08976760d62676cf8a Mon Sep 17 00:00:00 2001
+From: Imran Desai <imran.desai@intel.com>
+Date: Thu, 23 Jan 2020 11:21:58 -0700
+Subject: [PATCH] tpm2_getekcertificate: add default web address
+
+Currently only Intel (R) PTT certificates are hosted online.
+A default web address pointing to the endorsement key certificate
+hosting will help reduce user input.
+
+Signed-off-by: Imran Desai <imran.desai@intel.com>
+---
+ test/integration/tests/getekcertificate.sh | 6 ++----
+ tools/tpm2_getekcertificate.c              | 1 +
+ 2 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/test/integration/tests/getekcertificate.sh b/test/integration/tests/getekcertificate.sh
+index 33f4f8b2e4c0..e8c521756d2a 100755
+--- a/test/integration/tests/getekcertificate.sh
++++ b/test/integration/tests/getekcertificate.sh
+@@ -38,12 +38,10 @@ else
+     fi
+ fi
+ 
+-tpm2_getekcertificate -u test_ek.pub -x -X -o ECcert.bin \
+-https://ekop.intel.com/ekcertservice/
++tpm2_getekcertificate -u test_ek.pub -x -X -o ECcert.bin
+ 
+ # Test that stdoutput is the same
+-tpm2_getekcertificate -u test_ek.pub -x https://ekop.intel.com/ekcertservice/ \
+--X > ECcert2.bin
++tpm2_getekcertificate -u test_ek.pub -x -X > ECcert2.bin
+ 
+ # stdout file should match -E file.
+ cmp ECcert.bin ECcert2.bin
+diff --git a/tools/tpm2_getekcertificate.c b/tools/tpm2_getekcertificate.c
+index 233d04d8b3d7..6a8fe894bb1c 100644
+--- a/tools/tpm2_getekcertificate.c
++++ b/tools/tpm2_getekcertificate.c
+@@ -32,6 +32,7 @@ struct tpm_getekcertificate_ctx {
+ 
+ static tpm_getekcertificate_ctx ctx = {
+     .is_tpm2_device_active = true,
++    .ek_server_addr = "https://ekop.intel.com/ekcertservice/",
+ };
+ 
+ static unsigned char *hash_ek_public(void) {
+-- 
+2.31.0
+
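Review bot: The new `.ek_server_addr` initializer in tools/tpm2_getekcertificate.c makes the tool contact a fixed Intel endpoint whenever no URL is given, and nothing at that line says so or notes that, per the commit message, only Intel PTT certificates are hosted there. I would add a comment on the initializer, e.g. `/* default EK certificate service (Intel PTT only); overridden by the URL argument */`, and state the default in the man page so users know which host receives the request. The updated test invocations still pass `-X`, which as far as I know is the allow-unverified option, so the default address is not exercised with server certificate verification enabled. Any check elsewhere in the file that treated a missing address as a usage error is outside the hunk and may now never fire; that is worth confirming.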
diff --git a/SOURCES/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch b/SOURCES/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
new file mode 100644
index 0000000..53814a4
--- /dev/null
+++ b/SOURCES/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
@@ -0,0 +1,46 @@
+From c069e4f179d5e6653a84fb236816c375dca82515 Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Fri, 21 May 2021 12:22:31 -0500
+Subject: [PATCH] tpm2_import: fix fixed AES key CVE-2021-3565
+
+tpm2_import used a fixed AES key for the inner wrapper, which means that
+a MITM attack would be able to unwrap the imported key. Even the
+use of an encrypted session will not prevent this. The TPM only
+encrypts the first parameter which is the fixed symmetric key.
+
+To fix this, ensure the key size is 16 bytes or bigger and use
+OpenSSL to generate a secure random AES key.
+
+Fixes: #2738
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+---
+ tools/tpm2_import.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tpm2_import.c b/tools/tpm2_import.c
+index cfb6f207ba9c..f44326c87e7e 100644
+--- a/tools/tpm2_import.c
++++ b/tools/tpm2_import.c
+@@ -118,7 +118,17 @@ static tool_rc key_import(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *parent_pub,
+     TPM2B_DATA enc_sensitive_key = {
+         .size = parent_pub->publicArea.parameters.rsaDetail.symmetric.keyBits.sym / 8
+     };
+-    memset(enc_sensitive_key.buffer, 0xFF, enc_sensitive_key.size);
++
++    if(enc_sensitive_key.size < 16) {
++        LOG_ERR("Calculated wrapping keysize is less than 16 bytes, got: %u", enc_sensitive_key.size);
++        return tool_rc_general_error;
++    }
++
++    int ossl_rc = RAND_bytes(enc_sensitive_key.buffer, enc_sensitive_key.size);
++    if (ossl_rc != 1) {
++        LOG_ERR("RAND_bytes failed: %s", ERR_error_string(ERR_get_error(), NULL));
++        return tool_rc_general_error;
++    }
+ 
+     /*
+      * Calculate the object name.
+-- 
+2.31.0
+
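Review bot: The new size check in key_import rejects wrapping keys under 16 bytes but sets no upper bound, so `RAND_bytes` writes `enc_sensitive_key.size` bytes into `enc_sensitive_key.buffer` with a length taken directly from `parent_pub`'s `keyBits.sym / 8`. Where the parent public area is loaded and validated is outside the hunk; if it can carry an unexpected `keyBits.sym`, that write can run past the buffer. Bounding both sides closes the gap: `if (enc_sensitive_key.size < 16 || enc_sensitive_key.size > sizeof(enc_sensitive_key.buffer)) {`. key_import continues outside the hunk, so whether the random key is wiped once the import completes cannot be seen from here.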
diff --git a/SOURCES/0001-tpm2_policy.c-restrict-policy-digest-size.patch b/SOURCES/0001-tpm2_policy.c-restrict-policy-digest-size.patch
new file mode 100644
index 0000000..c481309
--- /dev/null
+++ b/SOURCES/0001-tpm2_policy.c-restrict-policy-digest-size.patch
@@ -0,0 +1,28 @@
+From e556da0a2099573f82391c16477fba08584a7a12 Mon Sep 17 00:00:00 2001
+From: Imran Desai <imran.desai@intel.com>
+Date: Tue, 10 Mar 2020 09:15:55 -0700
+Subject: [PATCH] tpm2_policy.c: restrict policy digest size
+
+Fixes #1916
+
+Signed-off-by: Imran Desai <imran.desai@intel.com>
+---
+ lib/tpm2_policy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/tpm2_policy.c b/lib/tpm2_policy.c
+index 6c352b2b41ae..01387ba01645 100644
+--- a/lib/tpm2_policy.c
++++ b/lib/tpm2_policy.c
+@@ -163,7 +163,7 @@ tool_rc tpm2_policy_build_policyauthorize(ESYS_CONTEXT *ectx,
+     bool result = true;
+     TPM2B_DIGEST approved_policy = { .size = 0 };
+     if (policy_digest_path) {
+-        approved_policy.size = UINT16_MAX;
++        approved_policy.size = sizeof(TPMU_HA);
+         result = files_load_bytes_from_path(policy_digest_path,
+             approved_policy.buffer, &approved_policy.size);
+     }
+-- 
+2.31.0
+
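Review bot: `approved_policy.size = sizeof(TPMU_HA);` in tpm2_policy_build_policyauthorize names a type rather than the buffer it bounds, so the limit stays correct only while the digest buffer is declared with exactly that size. Writing `approved_policy.size = sizeof(approved_policy.buffer);` ties the capacity handed to files_load_bytes_from_path() to the actual array and survives a change to the structure. How `result` is checked after the load is outside the hunk.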
diff --git a/SOURCES/0001-tpm2_policycountertimer-Fix-an-issue-where-operandB-.patch b/SOURCES/0001-tpm2_policycountertimer-Fix-an-issue-where-operandB-.patch
new file mode 100644
index 0000000..ea4bab1
--- /dev/null
+++ b/SOURCES/0001-tpm2_policycountertimer-Fix-an-issue-where-operandB-.patch
@@ -0,0 +1,30 @@
+From cab7b3edcc6a44aece0642c0c2621a4bb70d449b Mon Sep 17 00:00:00 2001
+From: Imran Desai <imran.desai@intel.com>
+Date: Tue, 10 Mar 2020 18:19:04 -0700
+Subject: [PATCH] tpm2_policycountertimer: Fix an issue where operandB array
+ was reversed
+
+Signed-off-by: Imran Desai <imran.desai@intel.com>
+---
+ tools/tpm2_policycountertimer.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tpm2_policycountertimer.c b/tools/tpm2_policycountertimer.c
+index 1c72d525dab7..170a544f2203 100644
+--- a/tools/tpm2_policycountertimer.c
++++ b/tools/tpm2_policycountertimer.c
+@@ -81,7 +81,10 @@ static bool convert_keyvalue_to_operand_buffer(const char *value,
+     }
+ 
+     ctx.operand_b.size = size;
+-    memcpy(ctx.operand_b.buffer, &data.b, size);
++    size_t i = 0;
++    for (i = 0; i < size; i++) {
++        ctx.operand_b.buffer[i] = *(&data.b + size - i - 1);
++    }
+ 
+     return true;
+ }
+-- 
+2.31.0
+
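Review bot: The new loop in convert_keyvalue_to_operand_buffer reverses the bytes unconditionally and indexes past `&data.b`, so it assumes a little-endian host and steps outside the `b` member by pointer arithmetic. On a big-endian build the removed `memcpy` would already have produced most-significant-byte-first order, and the reversal would flip it. The declaration of `data` is outside the hunk, so this is inferred from the member name and the commit subject. Reading through a byte pointer to the whole object is cleaner: `const unsigned char *src = (const unsigned char *)&data;` then `ctx.operand_b.buffer[i] = src[size - 1 - i];`. A comment should state the byte order the TPM expects for operandB, or the buffer could be built from the value with shifts so host order does not matter.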
diff --git a/SPECS/tpm2-tools.spec b/SPECS/tpm2-tools.spec
index 8a9b583..65f2e6f 100644
--- a/SPECS/tpm2-tools.spec
+++ b/SPECS/tpm2-tools.spec
@@ -1,6 +1,6 @@
 Name: tpm2-tools
 Version: 4.1.1
-Release: 2%{?dist}
+Release: 5%{?dist}
 Summary: A TPM2.0 testing tool build upon TPM2.0-TSS
 
 License: BSD
@@ -13,6 +13,14 @@ Patch3:  0001-tpm2_alg_util.c-fix-a-bug-where-the-string-rsa3072-w.patch
 Patch4:  0001-Fix-ESYS_TR-hierarchy-transition.patch
 Patch5:  0001-Refactor-fix_esys_hierarchies.patch
 Patch6:  0001-tpm2_create.c-Fix-an-issue-where-userwithauth-attr-c.patch
+Patch7:  0001-tpm2_getekcertificate-add-default-web-address.patch
+Patch8:  0001-lib-files-fix-an-error-message-in-files_load_-name.patch
+Patch9:  0001-tpm2_policy.c-restrict-policy-digest-size.patch
+Patch10: 0001-tpm2_policycountertimer-Fix-an-issue-where-operandB-.patch
+Patch11: 0001-tools-tpm2_nvcertify.c-Fix-incompatible-pointer-cast.patch
+Patch12: 0001-tools-tpm2_nvreadpublic-Fix-resource-leak.patch
+Patch13: 0001-lib-files.c-Fix-an-issue-where-execution-could-not-r.patch
+Patch14: 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
 
 BuildRequires: gcc-c++
 BuildRequires: libtool
@@ -53,6 +61,22 @@ tpm2-tools is a batch of testing tools for tpm2.0. It is based on tpm2-tss.
 %{_mandir}/man1/tpm2_*.1.gz
 
 %changelog
+* Mon Aug 09 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 4.1.1-5
+- Bump nvr to trigger osci.
+resolves: rhbz#1965981
+
+* Tue Jun 01 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 4.1.1-4
+- Fix CVE-2021-3565
+resolves: rhbz#1965981
+
+* Fri May 14 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 4.1.1-3
+- Fix resource leak.
+- Fix to restrict policy digest size.
+- Fix incompatible pointer cast.
+- Fix error message in files_load_##name
+- Fix issue where execution couldn't reach function return.
+resolves: rhbz#1920821
+
 * Mon Nov 16 2020 Jerry Snitselaar <jsnitsel@redhat.com> - 4.1.1-2
 - Fix ESYS_TR hierarchy transition.
 - Refactor fix_esys_hierarchies to return actual TSS2_RC return code.