Your message dated Fri, 10 Mar 2023 22:04:55 +0000
with message-id <e1pakr9-00gkef...@fasolo.debian.org>
and subject line Bug#1032420: fixed in libtpms 0.9.2-3.1~deb12u1
has caused the Debian Bug report #1032420,
regarding libtpms: CVE-2023-1017 CVE-2023-1018
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1032420: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032420
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libtpms
Version: 0.9.2-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for libtpms.

CVE-2023-1017[0]:
| An out-of-bounds write vulnerability exists in TPM2.0's Module Library
| allowing writing of 2 bytes of data past the end of a TPM2.0 command in
| the CryptParameterDecryption routine. An attacker who can successfully
| exploit this vulnerability can lead to denial of service (crashing the
| TPM chip/process or rendering it unusable) and/or arbitrary code
| execution in the TPM context.


CVE-2023-1018[1]:
| An out-of-bounds read vulnerability exists in TPM2.0's Module Library
| allowing a 2-byte read past the end of a TPM2.0 command in the
| CryptParameterDecryption routine. An attacker who can successfully
| exploit this vulnerability can read or access sensitive data stored in
| the TPM.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-1017
    https://www.cve.org/CVERecord?id=CVE-2023-1017
[1] https://security-tracker.debian.org/tracker/CVE-2023-1018
    https://www.cve.org/CVERecord?id=CVE-2023-1018
[2] https://github.com/stefanberger/libtpms/commit/324dbb4c27ae789c73b69dbf4611242267919dd4
[3] https://kb.cert.org/vuls/id/782720
[4] https://trustedcomputinggroup.org/wp-content/uploads/TCGVRT0007-Advisory-FINAL.pdf

Regards,
Salvatore

--- End Message ---
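The bounds check that the CVE descriptions above and the changelog fix ("tpm2: Check size of buffer before accessing it") refer to, as an added example written for this page: a simplified hypothetical model, not libtpms's CryptParameterDecryption code; the TPM2B byte layout, function names, status codes and sample commands are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical simplified model, not libtpms code: the "check size of buffer
 * before accessing it" fix named in the changelog, applied to the step where
 * CryptParameterDecryption reads the 2-byte size prefix of the encrypted
 * parameter. A TPM2B parameter is a big-endian uint16 size followed by that
 * many bytes; the CVEs arise when the command ends before the 2 size bytes. */

enum {
    PARAM_OK = 0,
    PARAM_ERR_NO_SIZE_FIELD = 1,    /* fewer than 2 bytes left: the CVE case */
    PARAM_ERR_SIZE_EXCEEDS_BUF = 2  /* size prefix claims more than is present */
};

typedef struct {
    uint16_t cipher_size;   /* value of the 2-byte size prefix */
    const uint8_t *cipher;  /* first ciphertext byte inside the command */
} encrypted_param;

/* Locate the encrypted parameter starting at offset 'off' in a command of
 * 'buf_len' bytes. Every read is preceded by a length check, so a truncated
 * command is rejected instead of being read (or written) past its end. */
int locate_encrypted_param(const uint8_t *buf, size_t buf_len, size_t off,
                           encrypted_param *out)
{
    if (off > buf_len || buf_len - off < 2)
        return PARAM_ERR_NO_SIZE_FIELD;   /* the check the fix adds */
    uint16_t size = (uint16_t)((buf[off] << 8) | buf[off + 1]);
    if (size > buf_len - off - 2)
        return PARAM_ERR_SIZE_EXCEEDS_BUF;
    out->cipher_size = size;
    out->cipher = buf + off + 2;
    return PARAM_OK;
}

/* Status only, for callers that just need accept/reject. */
int param_status(const uint8_t *buf, size_t buf_len, size_t off)
{
    encrypted_param p;
    return locate_encrypted_param(buf, buf_len, off, &p);
}

/* Constructed sample commands (not captured from a real TPM): a 2-byte
 * handle area followed by the first parameter. */
static const uint8_t good_cmd[]  = { 0xAA, 0xBB, 0x00, 0x03, 0x11, 0x22, 0x33 };
static const uint8_t short_cmd[] = { 0xAA, 0xBB, 0x00 };  /* size field cut off */
static const uint8_t lying_cmd[] = { 0xAA, 0xBB, 0x00, 0x10, 0x11 };
```

Without the first check, short_cmd would make the size read touch one byte past the end of the command, which is the pattern the advisory describes.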
--- Begin Message ---
Source: libtpms
Source-Version: 0.9.2-3.1~deb12u1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libtpms, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1032...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libtpms package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Fri, 10 Mar 2023 22:02:22 +0100
Source: libtpms
Architecture: source
Version: 0.9.2-3.1~deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Seunghun Han <kkama...@gmail.com>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1032420
Changes:
 libtpms (0.9.2-3.1~deb12u1) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Rebuild for bookworm-security
 .
 libtpms (0.9.2-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * tpm2: Check size of buffer before accessing it (CVE-2023-1017,
     CVE-2023-1018) (Closes: #1032420)


--- End Message ---
