intel

[Feature] Update tboot to version 1.8.2

Bug #1350140 reported by Yingying Zhao
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
intel
Fix Released
Undecided
Unassigned
tboot (Ubuntu)
Fix Released
Undecided
Tim Gardner
Ubuntu ubuntu-14.10
Trusty
Fix Released
Undecided
Tim Gardner
Utopic
Fix Released
Undecided
Tim Gardner
Ubuntu ubuntu-14.10

Bug Description

This release is to fix one security issue: TBOOT Argument Measurement Vulnerability for GRUB2 + ELF Kernels

Source package tboot-1.8.2.tar.gz can be downloaded from sourceforge.net:
http://sourceforge.net/projects/tboot/files/tboot/tboot-1.8.2.tar.gz/download

Major changes since 1.8.1 (20140516)
         Security Fix: TBOOT Argument Measurement Vulnerability for GRUB2 + ELF Kernels
         fix werror in 32 bit build environment

Please consider to update tboot to v1.8.2 in 14.10.

CVE References

Tim Gardner (timg-tpi)
information type: Proprietary → Public
Changed in tboot (Ubuntu Utopic):
assignee: nobody → Tim Gardner (timg-tpi)
status: New → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tboot - 1.8.2-0ubuntu1

---------------
tboot (1.8.2-0ubuntu1) utopic; urgency=medium

  * Security Fix: TBOOT Argument Measurement Vulnerability for GRUB2 + ELF Kernels
  * fix werror in 32 bit build environment
    -LP: #1350140
 -- Tim Gardner <email address hidden> Wed, 30 Jul 2014 07:47:02 -0600

Changed in tboot (Ubuntu Utopic):
status: In Progress → Fix Released
Revision history for this message
Yingying Zhao (yingying-zhao) wrote :

Tim, thanks for the quick response!

I attached the bug report from the original reporter, and this vulnerability already has a CVE ID assigned now: http://seclists.org/oss-sec/2014/q3/260.

Considering the security impact, can we update tboot in 14.04 LTS to v1.8.2?

Revision history for this message
Yingying Zhao (yingying-zhao) wrote :
Tim Gardner (timg-tpi)
Changed in tboot (Ubuntu Utopic):
milestone: none → ubuntu-14.10
Changed in tboot (Ubuntu Trusty):
assignee: nobody → Tim Gardner (timg-tpi)
status: New → In Progress
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Unsubscribing ubuntu-security-sponsors, since there is no actionable item for now. Please re-subscribe when a debdiff with the minimal fix is available for sponsoring.

Revision history for this message
Chris J Arges (arges) wrote : Please test proposed package

Hello Yingying, or anyone else affected,

Accepted tboot into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/tboot/1.8.2~0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in tboot (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed
Revision history for this message
Yingying Zhao (yingying-zhao) wrote :

We have finished the validation of tboot 1.8.2 package at ubuntu14.04.1 with both legacy and efiboot mode. And we didn't find new bugs except the known issues.

Change the tag to verification-done.

tags: added: verification-done
removed: verification-needed
Revision history for this message
Chris J Arges (arges) wrote : Update Released

The verification of the Stable Release Update for tboot has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tboot - 1.8.2~0ubuntu1

---------------
tboot (1.8.2~0ubuntu1) trusty; urgency=medium

  * Security Fix: TBOOT Argument Measurement Vulnerability for GRUB2 + ELF Kernels
    CVE-2014-5118 - seclists.org/oss-sec/2014/q3/260
    sourceforge.net/p/tboot/code/ci/0efdaf7c5348701484d24562e6e5323d85bb94d3/
  * fix werror in 32 bit build environment
    dropped debian/patches/fix-werror-format.patch, merged upstream
    -LP: #1350140
  * Added debian/patches/hg_archival.patch to satisfy packaging against
    upstream orig tarball using Debian Quilt 3.0
 -- Tim Gardner <email address hidden> Wed, 30 Jul 2014 07:47:02 -0600

Changed in tboot (Ubuntu Trusty):
status: Fix Committed → Fix Released
Leann Ogasawara (leannogasawara)
Changed in intel:
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.