Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 554
Alerts This Week
Warning Icon 1 554

Mageia 8 MGASA-2023-0102 Critical: Libtpms Out-Of-Bounds Risk

mageia
Calendar Grey March 18, 2023
Dist Mageia Esm H88
The latest update for the libtpms package resolves serious out-of-bounds vulnerabilities, essential for enhancing both Mageia system security and TPM operations.
An out-of-bounds write vulnerability exists in TPM2.0's Module Library allowing writing of a 2-byte data past the end of TPM2.0 command in the CryptParameterDecryption routine

Summary

An out-of-bounds write vulnerability exists in TPM2.0's Module Library allowing writing of a 2-byte data past the end of TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can lead to denial of service (crashing the TPM chip/process or rendering it unusable) and/or arbitrary code execution in the TPM context. (CVE-2023-1017) An out-of-bounds read vulnerability exists in TPM2.0's Module Library allowing a 2-byte read past the end of a TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can read or access sensitive data stored in the TPM. (CVE-2023-1018)

References

- https://bugs.mageia.org/show_bug.cgi?id=31651

- https://ubuntu.com/security/notices/USN-5933-1

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4WEJNRD36D3EOCZVXKGPDSJXA35DPPSE/

- https://www.cve.org/CVERecord?id=CVE-2023-1017

- https://www.cve.org/CVERecord?id=CVE-2023-1018

Resolution

SRPMS

- 8/core/libtpms-0.9.6-1.mga8

Severity
critical
Lowest
Low
Medium
High
Critical

Publication date: 18 Mar 2023
URL: https://advisories.mageia.org/MGASA-2023-0102.html
Type: security
CVE: CVE-2023-1017, CVE-2023-1018

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.