Bug 898504 (CVE-2023-1017, CVE-2023-1018) - <dev-libs/libtpms-0.9.6: Out-of-bounds access
Summary: <dev-libs/libtpms-0.9.6: Out-of-bounds access
Status: UNCONFIRMED
Alias: CVE-2023-1017, CVE-2023-1018
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa?]
Keywords: PullRequest
Depends on: 901383
Blocks:
Reported: 2023-02-28 23:36 UTC by Christopher Byrne
Modified: 2023-04-19 04:30 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Christopher Byrne 2023-02-28 23:36:37 UTC
See https://github.com/advisories/GHSA-cr8w-xxqw-fm2m

An out-of-bounds read vulnerability exists in TPM2.0's Module Library allowing a 2-byte read past the end of a TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can read or access sensitive data stored in the TPM.

This is CVE-2023-1018.
Comment 1 John Helmert III 2023-03-11 04:26:35 UTC
Thanks! CVE-2023-1017 too, right?

https://github.com/advisories/GHSA-c6qh-28m2-rfvf
Comment 2 Larry the Git Cow 2023-03-11 17:15:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=23a58fcc488cbf098048cc82d65461c05ef629c0

commit 23a58fcc488cbf098048cc82d65461c05ef629c0
Author:     Christopher Byrne <salah.coronya@gmail.com>
AuthorDate: 2023-02-28 23:52:26 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-03-11 17:15:00 +0000

    dev-libs/libtpms: add 0.9.6
    
    Bug: https://bugs.gentoo.org/898504
    Signed-off-by: Christopher Byrne <salah.coronya@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/29913
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libtpms/Manifest             |  1 +
 dev-libs/libtpms/libtpms-0.9.6.ebuild | 48 +++++++++++++++++++++++++++++++++++
 dev-libs/libtpms/metadata.xml         |  3 +++
 3 files changed, 52 insertions(+)
Comment 3 John Helmert III 2023-04-19 04:28:20 UTC
Thanks!
Comment 4 Larry the Git Cow 2023-04-19 04:29:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ecb866a1c0c6d1136257f3d4abb1d45638d15480

commit ecb866a1c0c6d1136257f3d4abb1d45638d15480
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-04-19 04:28:45 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-04-19 04:28:45 +0000

    dev-libs/libtpms: drop 0.9.4, 0.9.5
    
    Bug: https://bugs.gentoo.org/898504
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 dev-libs/libtpms/Manifest             |  2 --
 dev-libs/libtpms/libtpms-0.9.4.ebuild | 47 ----------------------------------
 dev-libs/libtpms/libtpms-0.9.5.ebuild | 48 -----------------------------------
 3 files changed, 97 deletions(-)