Ubuntu
libtpms package

Check size of TPM2B_NAME buffer before reading

Bug #2009608 reported by Rodrigo Figueiredo Zaiden
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libtpms (Ubuntu)
Fix Released
Undecided
Rodrigo Figueiredo Zaiden
Jammy
Fix Released
Undecided
Rodrigo Figueiredo Zaiden
Kinetic
Fix Released
Undecided
Rodrigo Figueiredo Zaiden
Lunar
Fix Released
Undecided
Rodrigo Figueiredo Zaiden

Bug Description

There is a security issue with no CVE assigned in libtpms:

tpm2: Check size of TPM2B_NAME buffer before reading 2 bytes from it
 Fix the missing buffer size check that the TPM 2 errata v1.4 mentions in
 2.6.2 by adding a buffer size check before reading 2 bytes from a
 TPM2B_NAME buffer. There's no known CVE for this.

upstream commit is: https://github.com/stefanberger/libtpms/commit/92f470c1b0a50bd6d85676a7c7ae368d8da869fe

It should be included in Ubuntu libtpms package

CVE References

Rodrigo Figueiredo Zaiden (rodrigo-zaiden)
Changed in libtpms (Ubuntu Lunar):
status: In Progress → Fix Released
Changed in libtpms (Ubuntu Kinetic):
assignee: nobody → Rodrigo Figueiredo Zaiden (rodrigo-zaiden)
Changed in libtpms (Ubuntu Jammy):
assignee: nobody → Rodrigo Figueiredo Zaiden (rodrigo-zaiden)
status: New → In Progress
Changed in libtpms (Ubuntu Kinetic):
status: New → In Progress
Revision history for this message
Rodrigo Figueiredo Zaiden (rodrigo-zaiden) wrote :

libtpms (0.9.3-0ubuntu2) lunar; urgency=medium

  * SECURITY UPDATE: out-of-bounds read/write
    - debian/patches/CVE-2023-1017_1018.patch: add a buffer size check and
      properly reduce bufferSize variable by the number of bytes that make
      up the cipherSize in CryptParameterDecryption() in
      src/tpm2/CryptUtil.c
    - CVE-2023-1017
    - CVE-2023-1018
  * SECURITY UPDATE: out-of-bounds read
    - debian/patches/tpm2-Check-size-of-TPM2B_NAME.patch: add a buffer
      size check in TPM2_PolicyAuthorize() in src/tpm2/EACommands.c.
    - No CVE number

 -- Rodrigo Figueiredo Zaiden <email address hidden> Wed, 01 Mar 2023 18:23:14 -0300

Changed in libtpms (Ubuntu Kinetic):
status: In Progress → Fix Released
Revision history for this message
Rodrigo Figueiredo Zaiden (rodrigo-zaiden) wrote :

libtpms (0.9.3-0ubuntu1.22.10.1) kinetic-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds read/write
    - debian/patches/CVE-2023-1017_1018.patch: add a buffer size check and
      properly reduce bufferSize variable by the number of bytes that make
      up the cipherSize in CryptParameterDecryption() in
      src/tpm2/CryptUtil.c
    - CVE-2023-1017
    - CVE-2023-1018
  * SECURITY UPDATE: out-of-bounds read
    - debian/patches/tpm2-Check-size-of-TPM2B_NAME.patch: add a buffer
      size check in TPM2_PolicyAuthorize() in src/tpm2/EACommands.c.
    - No CVE number

 -- Rodrigo Figueiredo Zaiden <email address hidden> Wed, 01 Mar 2023 19:45:47 -0300

Changed in libtpms (Ubuntu Jammy):
status: In Progress → Fix Released
Revision history for this message
Rodrigo Figueiredo Zaiden (rodrigo-zaiden) wrote :

libtpms (0.9.3-0ubuntu1.22.04.1) jammy-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds read/write
    - debian/patches/CVE-2023-1017_1018.patch: add a buffer size check and
      properly reduce bufferSize variable by the number of bytes that make
      up the cipherSize in CryptParameterDecryption() in
      src/tpm2/CryptUtil.c
    - CVE-2023-1017
    - CVE-2023-1018
  * SECURITY UPDATE: out-of-bounds read
    - debian/patches/tpm2-Check-size-of-TPM2B_NAME.patch: add a buffer
      size check in TPM2_PolicyAuthorize() in src/tpm2/EACommands.c.
    - No CVE number

 -- Rodrigo Figueiredo Zaiden <email address hidden> Wed, 01 Mar 2023 15:26:10 -0300

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.