
Bug 746563 (CVE-2020-24455)

Summary: <app-crypt/tpm2-tss-{2.4.3,3.0.1}: FAPI PolicyPCR not instantiating correctly (CVE-2020-24455)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: proxy-maint, salah.coronya
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [glsa+ cve]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
Affected Policy none

Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-04 17:17:17 UTC
Salah, can you explain the severity of the issue? Thanks!
Comment 2 Christopher Byrne 2020-10-04 23:17:01 UTC
Created attachment 663805 [details]
Affected Policy

It's an information disclosure. If a FAPI policy is created to lock against the "current" value of the PCR, it doesn't actually do so. So the above policy does not actually work as it should. See below:

# assume the TPM is provisioned already (it can be provisioned through the tss2_provision command)

tpm2_pcrreset 16
tss2_import -i pol_pcr16_read.json -p pol_pcr16_read
tss2_createkey -p HS/SRK/myCryptKey -t decrypt,noda -a "" -P pol_pcr16_read
echo "verysecret" | tss2_encrypt -p HS/SRK/myCryptKey -i -  -o secret.out
tpm2_pcrextend 16:sha256=0x0000000000000000000000000000000000000000000000000000000000000001
# this should fail
tss2_decrypt -p HS/SRK/myCryptKey -i secret.out -o secret.txt

However, due to the above CVE, this is not the case, and it succeeds. FAPI policies created with explicit PCR values and non-FAPI policies created with tpm2_createpolicy are not affected.
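
Added example (not part of the original comment, and not tpm2-tss code): the PolicyPCR digest computation from the TPM 2.0 specification, applied to the PCR 16 values in the commands above, showing why the decrypt after the extend should be refused. It assumes the policy consists of a single PolicyPCR assertion over the SHA-256 bank of PCR 16; the function names are made up for the illustration.

```python
import hashlib
import struct

TPM_CC_POLICY_PCR = 0x0000017F   # TPM2_PolicyPCR command code (TPM 2.0 spec)
TPM_ALG_SHA256 = 0x000B          # TPM_ALG_ID for SHA-256

def pcr_extend(old: bytes, data: bytes) -> bytes:
    """PCR extend: new = SHA-256(old || data)."""
    return hashlib.sha256(old + data).digest()

def pcr_selection(pcrs) -> bytes:
    """Marshal a one-bank TPML_PCR_SELECTION (SHA-256, 3-byte bitmap)."""
    bitmap = bytearray(3)
    for i in pcrs:
        bitmap[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(bitmap)

def policy_pcr_digest(pcr_values: dict) -> bytes:
    """authPolicy for a policy made of a single PolicyPCR assertion."""
    ordered = b"".join(pcr_values[i] for i in sorted(pcr_values))
    pcr_digest = hashlib.sha256(ordered).digest()
    start = bytes(32)  # a fresh policy session starts from an all-zero digest
    return hashlib.sha256(
        start
        + struct.pack(">I", TPM_CC_POLICY_PCR)
        + pcr_selection(pcr_values)
        + pcr_digest
    ).digest()

def policy_satisfied(auth_policy: bytes, current: dict) -> bool:
    """True if PolicyPCR over the current PCR values reproduces auth_policy."""
    return policy_pcr_digest(current) == auth_policy

# Constructed values mirroring the commands in the comment.
PCR16_RESET = bytes(32)              # state after tpm2_pcrreset 16
EXTEND_DATA = bytes(31) + b"\x01"    # value passed to tpm2_pcrextend
PCR16_EXTENDED = pcr_extend(PCR16_RESET, EXTEND_DATA)

# What a key locked to the "current" (reset) PCR 16 should be bound to.
KEY_POLICY = policy_pcr_digest({16: PCR16_RESET})

if __name__ == "__main__":
    print("expected authPolicy:", KEY_POLICY.hex())
    print("before extend:", policy_satisfied(KEY_POLICY, {16: PCR16_RESET}))
    print("after extend: ", policy_satisfied(KEY_POLICY, {16: PCR16_EXTENDED}))
```
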
Comment 3 Larry the Git Cow gentoo-dev 2020-10-11 09:30:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dafe3d1624affb9c284e9820a4dafaee48c92694

commit dafe3d1624affb9c284e9820a4dafaee48c92694
Author:     Salah Coronya <salah.coronya@gmail.com>
AuthorDate: 2020-09-23 21:02:54 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-10-11 09:29:56 +0000

    app-crypt/tpm2-tss: Bump to 3.0.1, fix CVE-2020-24455
    
    Bug: https://bugs.gentoo.org/746563
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Salah Coronya <salah.coronya@gmail.com>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 app-crypt/tpm2-tss/Manifest              |  1 +
 app-crypt/tpm2-tss/tpm2-tss-3.0.1.ebuild | 75 ++++++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-11 14:20:20 UTC
Maintainer, please call for stabilization when ready.
Comment 5 Christopher Byrne 2020-10-12 00:19:01 UTC
Ok to stabilize just 2.4.3. The 3.0.X series has never been stable and isn't ready for stabilization yet (it has an ABI change and opentmpfiles doesn't like it)
Comment 6 Larry the Git Cow gentoo-dev 2020-10-12 05:51:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6062e47baae7b29f8707d4324449188162ab95dd

commit 6062e47baae7b29f8707d4324449188162ab95dd
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2020-10-12 05:51:06 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-10-12 05:51:36 +0000

    app-crypt/tpm2-tss: stabilize 2.4.3 on x86
    
    Bug: https://bugs.gentoo.org/746563
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 app-crypt/tpm2-tss/tpm2-tss-2.4.3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0cb593c0e7cd670a25bb305dccbd5c921214277

commit b0cb593c0e7cd670a25bb305dccbd5c921214277
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2020-10-12 05:50:21 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-10-12 05:51:36 +0000

    app-crypt/tpm2-tss: stabilize 2.4.3 on amd64
    
    Bug: https://bugs.gentoo.org/746563
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 app-crypt/tpm2-tss/tpm2-tss-2.4.3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 7 Joonas Niilola gentoo-dev 2020-10-12 05:52:44 UTC
All CCd arches done.
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-12 06:00:19 UTC
Please cleanup.

commit 6062e47baae7b29f8707d4324449188162ab95dd
Author: Joonas Niilola <juippis@gentoo.org>
Date:   Mon Oct 12 08:51:06 2020 +0300

    app-crypt/tpm2-tss: stabilize 2.4.3 on x86
    
    Bug: https://bugs.gentoo.org/746563
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

commit b0cb593c0e7cd670a25bb305dccbd5c921214277
Author: Joonas Niilola <juippis@gentoo.org>
Date:   Mon Oct 12 08:50:21 2020 +0300

    app-crypt/tpm2-tss: stabilize 2.4.3 on amd64
    
    Bug: https://bugs.gentoo.org/746563
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-27 07:38:59 UTC
Ah, looks like this was done some time ago. Needs vote.


commit fb1e50caef0adf0552e96d7d13e356bee5b8430b
Author: Salah Coronya <salah.coronya@gmail.com>
Date:   Wed Sep 23 16:04:37 2020 -0500

    app-crypt/tpm2-tss: Remove old

    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Salah Coronya <salah.coronya@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/17648
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 delete mode 100644 app-crypt/tpm2-tss/tpm2-tss-2.4.2.ebuild
 delete mode 100644 app-crypt/tpm2-tss/tpm2-tss-3.0.0.ebuild
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2021-05-24 14:03:04 UTC
New GLSA request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2021-07-07 08:05:36 UTC
This issue was resolved and addressed in GLSA 202107-10 at https://security.gentoo.org/glsa/202107-10 by GLSA coordinator Sam James (sam_c).