Your message dated Wed, 08 Mar 2023 05:34:12 +0000
with message-id <e1pzmri-000dde...@fasolo.debian.org>
and subject line Bug#1032420: fixed in libtpms 0.9.2-3.1
has caused the Debian Bug report #1032420,
regarding libtpms: CVE-2023-1017 CVE-2023-1018
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1032420: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032420
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libtpms
Version: 0.9.2-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerabilities were published for libtpms.
CVE-2023-1017[0]:
| An out-of-bounds write vulnerability exists in TPM2.0's Module Library
| allowing a 2-byte write past the end of a TPM2.0 command in
| the CryptParameterDecryption routine. An attacker who can successfully
| exploit this vulnerability can lead to denial of service (crashing the
| TPM chip/process or rendering it unusable) and/or arbitrary code
| execution in the TPM context.
CVE-2023-1018[1]:
| An out-of-bounds read vulnerability exists in TPM2.0's Module Library
| allowing a 2-byte read past the end of a TPM2.0 command in the
| CryptParameterDecryption routine. An attacker who can successfully
| exploit this vulnerability can read or access sensitive data stored in
| the TPM.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-1017
https://www.cve.org/CVERecord?id=CVE-2023-1017
[1] https://security-tracker.debian.org/tracker/CVE-2023-1018
https://www.cve.org/CVERecord?id=CVE-2023-1018
[2] https://github.com/stefanberger/libtpms/commit/324dbb4c27ae789c73b69dbf4611242267919dd4
[3] https://kb.cert.org/vuls/id/782720
[4] https://trustedcomputinggroup.org/wp-content/uploads/TCGVRT0007-Advisory-FINAL.pdf
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libtpms
Source-Version: 0.9.2-3.1
Done: Salvatore Bonaccorso <car...@debian.org>
We believe that the bug you reported is fixed in the latest version of
libtpms, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1032...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libtpms package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 07 Mar 2023 22:32:00 +0100
Source: libtpms
Architecture: source
Version: 0.9.2-3.1
Distribution: unstable
Urgency: medium
Maintainer: Seunghun Han <kkama...@gmail.com>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1032420
Changes:
libtpms (0.9.2-3.1) unstable; urgency=medium
.
* Non-maintainer upload.
* tpm2: Check size of buffer before accessing it (CVE-2023-1017,
CVE-2023-1018) (Closes: #1032420)
Checksums-Sha1:
e9791d3e45c03dfa727aa303fe40e2ff5a34aa33 2091 libtpms_0.9.2-3.1.dsc
c6c2763a86702fe8dc015e5b8b44f82f268d1cdf 10272 libtpms_0.9.2-3.1.debian.tar.xz
Checksums-Sha256:
397d3ce5fb3d8853950c7f7ec29ef7abb4860c6df370e6e3e9ad82729e7220f7 2091 libtpms_0.9.2-3.1.dsc
e2a50a1bfd1907512119ddf0759ff8f7d74d8183ff16febcc073728a93a21e19 10272 libtpms_0.9.2-3.1.debian.tar.xz
Files:
7fa3968a75ab8bbe09a323dfc3670614 2091 libs optional libtpms_0.9.2-3.1.dsc
badaa8be98643445e8a099441b42013c 10272 libs optional libtpms_0.9.2-3.1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
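The CVE text above describes a 2-byte read and write past the end of a TPM2.0 command in CryptParameterDecryption, and the changelog entry fixes it by checking the size of the buffer before accessing it. The following is an added illustration of that class of check; it is not libtpms code and not the upstream fix. It parses a TPM2B-style sized parameter (a big-endian UINT16 size followed by that many bytes) from a command buffer and refuses to touch the 2-byte size field, or the payload, unless enough bytes remain. The names `parse_sized_buffer`, `check_sample`, `sample_consumed` and `SAMPLE_PARAM` are hypothetical, and the sample bytes are constructed.

```c
/* Added example: bounds-checked parsing of a TPM2B-style sized parameter.
 * Hypothetical code written to illustrate the CVE-2023-1017/1018 fix class;
 * it is not libtpms's CryptParameterDecryption. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum {
    PARSE_OK = 0,
    PARSE_ERR_TRUNCATED_SIZE = 1,  /* fewer than 2 bytes remain for the size field */
    PARSE_ERR_BAD_SIZE = 2         /* declared size exceeds the bytes that follow it */
} parse_status;

/* Reads a UINT16 big-endian size prefix and validates the payload that
 * follows it. 'remaining' is the number of bytes of the command not yet
 * consumed and must never exceed the real buffer length. On success,
 * *payload_len is the declared size and *consumed the bytes to advance. */
parse_status parse_sized_buffer(const uint8_t *buf, size_t remaining,
                                uint16_t *payload_len, size_t *consumed)
{
    /* The check the fix adds: never read the 2-byte size field when fewer
     * than 2 bytes remain, otherwise the read runs past the command. */
    if (remaining < 2)
        return PARSE_ERR_TRUNCATED_SIZE;

    uint16_t size = (uint16_t)(((uint16_t)buf[0] << 8) | buf[1]);

    /* The declared payload must fit entirely in what is left. */
    if ((size_t)size > remaining - 2)
        return PARSE_ERR_BAD_SIZE;

    *payload_len = size;
    *consumed = 2 + (size_t)size;
    return PARSE_OK;
}

/* Constructed sample: size field 0x0003 followed by payload "abc". */
static const uint8_t SAMPLE_PARAM[] = { 0x00, 0x03, 0x61, 0x62, 0x63 };

/* Parses a prefix of SAMPLE_PARAM of length 'remaining', returning status only. */
parse_status check_sample(size_t remaining)
{
    uint16_t len = 0;
    size_t used = 0;
    return parse_sized_buffer(SAMPLE_PARAM, remaining, &len, &used);
}

/* Bytes consumed for a prefix of SAMPLE_PARAM, or 0 if parsing is rejected. */
size_t sample_consumed(size_t remaining)
{
    uint16_t len = 0;
    size_t used = 0;
    if (parse_sized_buffer(SAMPLE_PARAM, remaining, &len, &used) != PARSE_OK)
        return 0;
    return used;
}

int main(void)
{
    static const char *names[] = { "ok", "truncated size field", "size exceeds buffer" };
    size_t cases[] = { 5, 4, 1, 0 };  /* full, short payload, 1-byte size, empty */
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("remaining=%zu -> %s\n", cases[i], names[check_sample(cases[i])]);
    return 0;
}
```

Running the block prints one line per case: the full 5-byte sample parses, a 4-byte prefix is rejected because its declared 3-byte payload does not fit, and prefixes of 1 and 0 bytes are rejected before the size field is read at all. The design point is that both checks depend only on `remaining`, the count the caller already tracks, so the parser never computes an address it has not first proven to lie inside the command.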