Bug 637942 (CVE-2017-16837) - <sys-boot/tboot-1.9.6_p20171118: Arbitrary code execution vulnerability (CVE-2017-16837)
Status: RESOLVED FIXED
Alias: CVE-2017-16837
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://hg.code.sf.net/p/tboot/code/re...
Whiteboard: ~1 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-17 15:02 UTC by GLSAMaker/CVETool Bot
Modified: 2017-11-19 04:01 UTC

See Also:
Package list:
Runtime testing required: ---


Description GLSAMaker/CVETool Bot gentoo-dev 2017-11-17 15:02:23 UTC
CVE-2017-16837 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16837):
  Certain function pointers in Trusted Boot (tboot) through 1.9.6 are not
  validated and can cause arbitrary code execution, which allows local users
  to overwrite dynamic PCRs of Trusted Platform Module (TPM) by hooking these
  function pointers.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-17 15:05:00 UTC
@Maintainer please refer to the URL for the patch that fixes this issue. A new release should be available in ~2 months, so it's your call whether to apply the patch or to wait until the new release.

Thank you
Comment 2 Jason Zaman gentoo-dev 2017-11-18 08:58:44 UTC
@security: I added a snapshot ebuild with the patch, and dropped the old versions. The package has never been stable, so keywords are already what they need to be.

fixed version: sys-boot/tboot-1.9.6_p20171118
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-19 04:01:56 UTC
(In reply to Jason Zaman from comment #2)
> @security: I added a snapshot ebuild with the patch, and dropped the old
> versions. The package has never been stable, so keywords are already what
> they need to be.
> 
> fixed version: sys-boot/tboot-1.9.6_p20171118

Thank you

Closing since everything is fixed.