
Bug 898504 (CVE-2023-1017, CVE-2023-1018)

Summary: <dev-libs/libtpms-0.9.6: Out-of-bounds access
Product: Gentoo Security
Component: Vulnerabilities
Reporter: Christopher Byrne <salah.coronya>
Assignee: Gentoo Security <security>
Status: UNCONFIRMED
Severity: minor
CC: proxy-maint, salah.coronya, virtualization
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/29913
Whiteboard: B4 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 901383
Bug Blocks:

Description Christopher Byrne 2023-02-28 23:36:37 UTC
See https://github.com/advisories/GHSA-cr8w-xxqw-fm2m. 

An out-of-bounds read vulnerability exists in TPM2.0's Module Library allowing a 2-byte read past the end of a TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can read or access sensitive data stored in the TPM.

This is CVE-2023-1018
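The description above names the bug class (a 2-byte size field read past the end of the command before any length check) but not the code shape. The block below is an added illustration written for this page, not libtpms or TPM reference code: it parses a TPM2B-style parameter (2-byte big-endian size, then that many bytes) in the unchecked shape next to a hardened one that checks both the size field and the declared payload against the bytes actually remaining in the command. All names (`cmd_cursor`, `first_param_size_unchecked`, `first_param_size_checked`, the demo functions) and the `TPM_RC_SIZE` value are assumptions; the sample command bytes and the 0xAA "stale memory" filler are constructed so the unchecked read stays inside a backing array and the leaked value can be observed safely.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical return codes for this illustration (not libtpms definitions). */
#define TPM_RC_SUCCESS 0
#define TPM_RC_SIZE    0x95

/* Cursor over the parameter area of a command: start pointer plus the
   number of bytes that legitimately remain in the command. */
typedef struct {
    const uint8_t *buf;
    size_t len;
} cmd_cursor;

/* Unchecked shape: reads the 2-byte size field without confirming that two
   bytes remain, so an empty parameter area yields whatever follows the
   command in memory. Illustrative, not the project's code. */
int first_param_size_unchecked(const cmd_cursor *c, uint16_t *size_out)
{
    uint16_t sz = (uint16_t)((c->buf[0] << 8) | c->buf[1]); /* may read past len */
    *size_out = sz;
    return TPM_RC_SUCCESS;
}

/* Hardened shape: require the 2-byte size field to be present, then require
   the declared payload to fit in what remains after that field. */
int first_param_size_checked(const cmd_cursor *c, uint16_t *size_out)
{
    if (c->len < 2)
        return TPM_RC_SIZE;
    uint16_t sz = (uint16_t)((c->buf[0] << 8) | c->buf[1]);
    if ((size_t)sz > c->len - 2)
        return TPM_RC_SIZE;
    *size_out = sz;
    return TPM_RC_SUCCESS;
}

/* Constructed scenario: the command ends with an empty parameter area and
   stale 0xAA bytes sit beyond it. The unchecked parser returns 0xAAAA,
   two bytes read past the end of the command. */
uint16_t leak_from_empty_param_area(void)
{
    uint8_t backing[64];
    memset(backing, 0xAA, sizeof backing);   /* stand-in for stale memory */
    cmd_cursor c = { backing + 10, 0 };      /* 0 bytes remain in the command */
    uint16_t sz = 0;
    first_param_size_unchecked(&c, &sz);
    return sz;
}

/* Same empty parameter area, hardened parser: rejected before any read. */
int reject_empty_param_area(void)
{
    uint8_t backing[64];
    memset(backing, 0xAA, sizeof backing);
    cmd_cursor c = { backing + 10, 0 };
    uint16_t sz = 0;
    return first_param_size_checked(&c, &sz);
}

/* Well-formed constructed parameter: size 3 followed by "ABC". Returns the
   parsed size, or -1 on rejection. */
int parse_ok_size(void)
{
    static const uint8_t params[] = { 0x00, 0x03, 'A', 'B', 'C' };
    cmd_cursor c = { params, sizeof params };
    uint16_t sz = 0;
    if (first_param_size_checked(&c, &sz) != TPM_RC_SUCCESS)
        return -1;
    return (int)sz;
}

/* Constructed parameter whose declared size (16) exceeds the 1 byte that
   actually follows the size field: the hardened parser rejects it. */
int parse_truncated_payload(void)
{
    static const uint8_t params[] = { 0x00, 0x10, 'A' };
    cmd_cursor c = { params, sizeof params };
    uint16_t sz = 0;
    return first_param_size_checked(&c, &sz);
}

int main(void)
{
    printf("unchecked read on empty area: 0x%04X\n", leak_from_empty_param_area());
    printf("checked rc on empty area:     0x%02X\n", reject_empty_param_area());
    printf("checked size on good input:   %d\n", parse_ok_size());
    printf("checked rc on truncated:      0x%02X\n", parse_truncated_payload());
    return 0;
}
```

The two checks in the hardened version are independent: the first protects the read of the size field itself, the second protects everything that consumes the declared size afterwards. A fix that adds only the second check still leaves the 2-byte over-read the advisory describes.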
Comment 1 John Helmert III 2023-03-11 04:26:35 UTC
Thanks! CVE-2023-1017 too, right?

https://github.com/advisories/GHSA-c6qh-28m2-rfvf
Comment 2 Larry the Git Cow 2023-03-11 17:15:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=23a58fcc488cbf098048cc82d65461c05ef629c0

commit 23a58fcc488cbf098048cc82d65461c05ef629c0
Author:     Christopher Byrne <salah.coronya@gmail.com>
AuthorDate: 2023-02-28 23:52:26 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-03-11 17:15:00 +0000

    dev-libs/libtpms: add 0.9.6
    
    Bug: https://bugs.gentoo.org/898504
    Signed-off-by: Christopher Byrne <salah.coronya@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/29913
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libtpms/Manifest             |  1 +
 dev-libs/libtpms/libtpms-0.9.6.ebuild | 48 +++++++++++++++++++++++++++++++++++
 dev-libs/libtpms/metadata.xml         |  3 +++
 3 files changed, 52 insertions(+)
Comment 3 John Helmert III 2023-04-19 04:28:20 UTC
Thanks!
Comment 4 Larry the Git Cow 2023-04-19 04:29:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ecb866a1c0c6d1136257f3d4abb1d45638d15480

commit ecb866a1c0c6d1136257f3d4abb1d45638d15480
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-04-19 04:28:45 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-04-19 04:28:45 +0000

    dev-libs/libtpms: drop 0.9.4, 0.9.5
    
    Bug: https://bugs.gentoo.org/898504
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 dev-libs/libtpms/Manifest             |  2 --
 dev-libs/libtpms/libtpms-0.9.4.ebuild | 47 ----------------------------------
 dev-libs/libtpms/libtpms-0.9.5.ebuild | 48 -----------------------------------
 3 files changed, 97 deletions(-)