# Security update for tpm2.0-tools, tpm2-0-tss

Announcement ID: SUSE-SU-2025:20151-1
Release Date: 2025-03-18T10:58:11Z
Rating: moderate

References:

* bsc#1223687
* bsc#1223689
* bsc#1223690

Cross-References:

* CVE-2024-29038
* CVE-2024-29039
* CVE-2024-29040

CVSS scores:

* CVE-2024-29038 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
* CVE-2024-29039 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
* CVE-2024-29040 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Affected Products:

* SUSE Linux Micro 6.0

An update that solves three vulnerabilities can now be installed.

## Description:

This update for tpm2.0-tools, tpm2-0-tss fixes the following issues:

tpm2-0-tss:

* Update to version 4.1:
  + Security
    - CVE-2024-29040: arbitrary quote data may go undetected by Fapi_VerifyQuote (bsc#1223690)
  + Fixed
    - fapi: Fix length check on FAPI auth callbacks.
    - mu: Correct error message for errors.
    - tss2-rc: Fix unknown layer handler dropping bits.
    - fapi: Fix deviation from CEL specification (template_value was used instead of template_data).
    - fapi: Fix JSON syntax error in FAPI profiles which was ignored by json-c.
    - build: Fix build failure after make clean.
    - mu: Fix unneeded size check in TPM2B unmarshaling.
    - fapi: Fix missing parameter encryption.
    - build: Fix failed build with --disable-vendor.
    - fapi: Fix flush of persistent handles.
    - fapi: Fix test provisioning with template with self-generated certificate disabled.
    - fapi: Fix error in Fapi_GetInfo if the TPM supports SHA3 hash algorithms.
    - fapi: Revert pcr extension for EV_NO_ACTION events.
    - fapi: Fix strange error messages if nv, ext, or policy path does not exist.
    - fapi: Fix segfault caused by wrong allocation of pcr policy.
    - esys: Fix leak in Esys_EvictControl for persistent handles.
    - tss2-tcti: tcti-libtpms: Fix test failure on big-endian platforms.
    - esys: Add reference counting for Esys_TR_FromTPMPublic.
    - esys: Fix HMAC error if session bind key has an auth value with a trailing 0.
    - fapi: Fix usage of self-signed certificates in TPM.
    - fapi: Usage of self-signed certificates.
    - fapi: A segfault after the error handling of non-existing keys.
    - fapi: Fix several leaks.
    - fapi: Fix error handling for policy execution.
    - fapi: Fix usage of persistent handles (should not be flushed).
    - fapi: Fix test provisioning with template (skip test without self-generated certificate).
    - fapi: Fix pcr extension for EV_NO_ACTION.
    - test: Fix fapi-key-create-policy-signed-keyedhash with P_ECC384 profile.
    - tcti_spi_helper_transmit: Ensure FIFO is accessed only after TPM reports commandReady bit is set.
    - fapi: Fix read of large system eventlog (> UINT16_MAX).
    - esys tests: Fix layer check for TPM2_RC_COMMAND_CODE (for /dev/tpmrm0).
    - test: unit: tcti-libtpms: Fix test failure on 32-bit platforms.
    - fapi: Fix possible null pointer dereference in Fapi_List.
    - sys: Fix size check in Tss2_Sys_GetCapability.
    - esys: Fix leak in Esys_TR_FromTPMPublic.
    - esys: Fix unchecked return value in esys crypto.
    - fapi: Fix wrong usage of local variable in provisioning.
    - fapi: Fix memset 0 in ifapi_json_TPMS_POLICYNV_deserialize.
    - fapi: Fix possible out-of-bounds array access in IMA parser.
    - tcti device: Fix possible unmarshalling from uninitialized variable.
    - fapi: Fix error checking authorization of signing key.
    - fapi: Fix cleanup of policy sessions.
    - fapi: Eventlog H-CRTM events and different localities.
    - fapi: Fix missing synchronization of quote and eventlog.
    - fapi: Fix invalid free in Fapi_Quote with empty eventlog.
  + Added
    - tcti: LetsTrust-TPM2Go TCTI module spi-ltt2go.
    - mbedtls: Add SHA512 HMAC.
    - fapi: Enable usage of external keys for Fapi_Encrypt.
    - fapi: Support download of AMD certificates.
    - tcti: Add USB TPM (FTDI MPSSE USB to SPI bridge) TCTI module.
    - fapi: The recreation of primaries (except EK) in the owner hierarchy instead of the endorsement hierarchy is fixed.
    - rc: New TPM return codes added.
    - fapi: Further Nuvoton certificates added.
    - tpm_types/esys: Add support for Attestable TPM changes in latest TPM spec.
    - tcti: Add '/dev/tcm0' to default conf.
    - fapi: New Nuvoton certificates added.
    - esys: Fix leak in Esys_TR_FromTPMPublic.
  + Removed
    - Testing on Ubuntu 18.04 as it's near EOL (May 2023).

tpm2.0-tools:

* Update to version 5.7:
  + Security
    - CVE-2024-29038: arbitrary quote data may go undetected by tpm2_checkquote (bsc#1223687)
    - CVE-2024-29039: pcr selection value is not compared with the attest (bsc#1223689)
  + Fixed
    - Fix eventlog test.
    - Fix issues with reading NV indexes.
    - Fix context save error on tpm2_create.
    - tpm2_sessionconfig: Fix handling of --disable-continue session so that the subsequent command will not fail when attempting to context save a flushed session.
    - Fix detection of functions within libcrypto when CRYPTO_LIBS is set and the system has libcrypto installed.
    - tpm2_send: Fix EOF detection on input stream.
    - tpm2_policy.c: Fix compilation error caused by format directive for size_t on 32-bit systems.
    - tpm2_nvread: Fix input handling with no NV index.
    - Auth file: Ensure 0-termination when reading auths from a file.
    - configure.ac: Fix bashisms. configure scripts need to be runnable with a POSIX-compliant /bin/sh.
    - cirrus.yml: Fix tss compilation with libtpms for FreeBSD.
    - tpm2_tool.c: Fix missing include for basename to enable compilation on NetBSD.
    - options: Fix TCTI handling to avoid failures for commands that should work with no options.
    - tpm2_getekcertificate.c: Fix leak. ek_uri was not freed if get_ek_server_address failed.
  + Added
    - Add the possibility for autoflush (environment variable "TPM2TOOLS_AUTOFLUSH", or -R option).
  + Removed
    - Testing on Ubuntu 18.04 as it's near EOL (May 2023).
* Update to version 5.6:
  + tpm2_eventlog:
    - Add H-CRTM event support.
    - Add support of efivar versions less than 38.
    - Add support to check for efivar/efivar.h manually.
    - Minor formatting fixes.
    - Add support for replay with different StartupLocality.
    - Fix pcr extension for EV_NO_ACTION.
    - Extend test of YAML string representation.
    - Use helper for printing a string dump.
    - Fix upper bound on unique data size.
    - Fix YAML string formatting.
  + tpm2_policy:
    - Add support for parsing forward seal TPM values.
    - Use forward seal values in creating policies.
    - Move dgst_size in evaluate_populate_pcr_digests().
    - Allow more than 8 PCRs for sealing.
    - Make __wrap_Esys_PCR_Read() more dynamic to enable testing more PCRs.
  + tpm2_encryptdecrypt: Fix PKCS7 padding stripping.
  + tpm2_duplicate:
    - Support -a option for attributes.
    - Add --key-algorithm option.
  + tpm2_encodeobject: Use the correct -O option instead of -C.
  + tpm2_unseal: Add qualifier static to enhance the privacy of the unseal function.
  + tpm2_sign:
    - Remove -m option which was added mistakenly.
    - Revert SM2 sign and verifysignature.
  + tpm2_createek:
    - Correct man page example.
    - Fix usage of nonce.
    - Fix integrating nonce.
  + tpm2_clear: Add more details about the action.
  + tpm2_startauthsession: Allow the file attribute for policy authorization.
  + tpm2_getekcertificate: Add AMD EK support.
  + tpm2_ecdhzgen: Add public-key parameter.
  + tpm2_nvreadpublic: Prevent free of unallocated pointers on failure.
  + Bug-fixes:
    - The readthedocs build failed with "module 'jinja2' has no attribute 'contextfilter'"; a requirements file was added to fix this problem.
    - An error caused by the flags -flto -D_FORTIFY_SOURCE=3 in the kdfa implementation. This error can be avoided by switching off the optimization with a pragma.
    - Changed wrong function name of "Esys_Load" to "Esys_Load".
    - Function names beginning with Esys_ are wrongly written as Eys_.
    - Reading and writing serialized persistent ESYS_TR handles.
    - cirrus-ci: Update image-family to freebsd-13-2 from 13-1.
  + misc:
    - Change the default Python version to Python3 in the helper's code.
    - Skip test which uses the sign operator for comparison in abrmd_policynv.sh.
    - tools/tr_encode: Add a tool that can encode serialized ESYS_TR for persistent handles from the TPM2B_PUBLIC and the raw persistent TPM2_HANDLE.
    - Add safe directory in config.

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

* SUSE Linux Micro 6.0
  zypper in -t patch SUSE-SLE-Micro-6.0-250=1

## Package List:

* SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
  + tpm2.0-tools-5.7-1.1
  + libtss2-tcti-device0-4.1.0-1.1
  + libtss2-rc0-debuginfo-4.1.0-1.1
  + tpm2-0-tss-4.1.0-1.1
  + libtss2-sys1-debuginfo-4.1.0-1.1
  + tpm2-0-tss-debugsource-4.1.0-1.1
  + libtss2-tcti-spi-helper0-4.1.0-1.1
  + efivar-debugsource-38-3.1
  + libtss2-tcti-device0-debuginfo-4.1.0-1.1
  + tpm2.0-tools-debugsource-5.7-1.1
  + libtss2-mu0-4.1.0-1.1
  + libtss2-fapi1-4.1.0-1.1
  + libtss2-fapi-common-4.1.0-1.1
  + libtss2-fapi1-debuginfo-4.1.0-1.1
  + libtss2-tctildr0-4.1.0-1.1
  + libtss2-tcti-spidev0-debuginfo-4.1.0-1.1
  + libefivar1-38-3.1
  + libtss2-rc0-4.1.0-1.1
  + libtss2-tcti-spi-helper0-debuginfo-4.1.0-1.1
  + libtss2-esys0-4.1.0-1.1
  + libefivar1-debuginfo-38-3.1
  + tpm2.0-tools-debuginfo-5.7-1.1
  + libtss2-tctildr0-debuginfo-4.1.0-1.1
  + libtss2-sys1-4.1.0-1.1
  + libtss2-tcti-spidev0-4.1.0-1.1
  + libtss2-esys0-debuginfo-4.1.0-1.1
  + libtss2-mu0-debuginfo-4.1.0-1.1

## References:

* https://www.suse.com/security/cve/CVE-2024-29038.html
* https://www.suse.com/security/cve/CVE-2024-29039.html
* https://www.suse.com/security/cve/CVE-2024-29040.html
* https://bugzilla.suse.com/show_bug.cgi?id=1223687
* https://bugzilla.suse.com/show_bug.cgi?id=1223689
* https://bugzilla.suse.com/show_bug.cgi?id=1223690
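The three CVEs in this advisory are all about a quote verifier accepting attestation data it never checked: the tpm2_checkquote entry says the PCR selection was not compared with the attest, and the other two say arbitrary quote data could go undetected. The following added example (not code from tpm2-tools, tpm2-tss or SUSE) shows the content checks a verifier must apply to the TPMS_ATTEST structure that a TPM2_Quote returns, as laid out in Part 2 of the TPM 2.0 Library specification: the nonce in extraData, the PCR selection, and the PCR digest must all equal what the verifier asked for. The nonce and PCR values are constructed sample data, only a single SHA-256 bank is assumed, and the signature over the TPM2B_ATTEST blob is assumed to be verified separately against the attestation key's public key.

```python
"""Added illustration (not tpm2-tools or tpm2-tss code): the content checks a
quote verifier must apply in addition to verifying the signature."""
import hashlib
import struct

# Constants from the TPM 2.0 Library specification, Part 2 (Structures).
TPM_GENERATED_VALUE = 0xFF544347   # magic that opens every TPMS_ATTEST
TPM_ST_ATTEST_QUOTE = 0x8018       # the attested union holds a TPMS_QUOTE_INFO
TPM_ALG_SHA256 = 0x000B

# Constructed sample data standing in for a real attestation exchange.
SAMPLE_NONCE = b"\xa5" * 20
SAMPLE_PCRS = {
    0: hashlib.sha256(b"constructed firmware measurement").digest(),
    1: hashlib.sha256(b"constructed config measurement").digest(),
    7: hashlib.sha256(b"constructed secure boot policy").digest(),
}


def pcr_select_bitmap(pcrs, size_of_select=3):
    """Encode PCR indexes as the TPMS_PCR_SELECTION bitmap (bit n set = PCR n)."""
    bitmap = bytearray(size_of_select)
    for pcr in pcrs:
        bitmap[pcr // 8] |= 1 << (pcr % 8)
    return bytes(bitmap)


def pcr_digest(pcr_values):
    """pcrDigest as the TPM computes it: hash over the selected PCR values, concatenated."""
    return hashlib.sha256(b"".join(pcr_values)).digest()


def marshal_quote_attest(nonce, pcrs, pcr_values):
    """Marshal a TPMS_ATTEST for a quote (big-endian); signer, clock and firmware are constructed."""
    signer_name = b"\x00\x0b" + b"\x11" * 32
    out = struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_QUOTE)
    out += struct.pack(">H", len(signer_name)) + signer_name   # qualifiedSigner (TPM2B_NAME)
    out += struct.pack(">H", len(nonce)) + nonce               # extraData (TPM2B_DATA): the nonce
    out += struct.pack(">QIIB", 1234567, 3, 0, 1)              # clockInfo
    out += struct.pack(">Q", 0x2023000000000001)               # firmwareVersion
    sel = pcr_select_bitmap(pcrs)
    out += struct.pack(">I", 1)                                # TPML_PCR_SELECTION.count
    out += struct.pack(">HB", TPM_ALG_SHA256, len(sel)) + sel  # one TPMS_PCR_SELECTION
    digest = pcr_digest(pcr_values)
    out += struct.pack(">H", len(digest)) + digest             # pcrDigest (TPM2B_DIGEST)
    return out


class _Reader:
    """Bounds-checked cursor over the blob: a truncated field raises instead of slicing short."""
    def __init__(self, buf):
        self.buf, self.off = buf, 0

    def take(self, n):
        if self.off + n > len(self.buf):
            raise ValueError("truncated TPMS_ATTEST")
        chunk = self.buf[self.off:self.off + n]
        self.off += n
        return chunk

    def unpack(self, fmt):
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))

    def sized(self):
        """TPM2B_*: UINT16 size followed by that many bytes."""
        (n,) = self.unpack(">H")
        return self.take(n)


def parse_quote_attest(blob):
    """Unmarshal the TPMS_ATTEST fields a verifier needs; anything that is not a quote is rejected."""
    r = _Reader(blob)
    magic, st = r.unpack(">IH")
    if magic != TPM_GENERATED_VALUE or st != TPM_ST_ATTEST_QUOTE:
        raise ValueError("not a TPM-generated quote")
    signer = r.sized()
    extra = r.sized()
    r.take(8 + 4 + 4 + 1 + 8)              # clockInfo and firmwareVersion, not checked here
    (count,) = r.unpack(">I")
    if count > 16:                         # sanity cap; a TPM has only a handful of PCR banks
        raise ValueError("implausible PCR selection count")
    selections = []
    for _ in range(count):
        alg, size = r.unpack(">HB")
        selections.append((alg, r.take(size)))
    digest = r.sized()
    if r.off != len(blob):
        raise ValueError("trailing bytes after TPMS_ATTEST")
    return {"signer": signer, "extra": extra, "selections": selections, "digest": digest}


def verify_quote(blob, expected_nonce, expected_pcrs, expected_values):
    """Return (ok, reason). Every check is mandatory: a verifier that skips the selection
    comparison accepts a quote over PCRs it never asked about, and one that skips the
    digest comparison accepts any PCR values the prover chooses to present."""
    try:
        att = parse_quote_attest(blob)
    except (ValueError, struct.error) as exc:
        return False, f"malformed attest: {exc}"
    if att["extra"] != expected_nonce:
        return False, "nonce mismatch (possible replay)"
    if att["selections"] != [(TPM_ALG_SHA256, pcr_select_bitmap(expected_pcrs))]:
        return False, "PCR selection differs from the one requested"
    if att["digest"] != pcr_digest(expected_values):
        return False, "PCR digest does not match supplied PCR values"
    return True, "ok"
```

The order of checks is deliberate: a stale nonce is rejected before any PCR work, and the selection is compared before the digest, so a quote over PCRs 0 and 1 is refused even when the prover also hands over PCR values whose concatenated hash matches the digest inside it.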
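For checking that the update actually landed on a fleet, the following added helper (not part of the advisory or of SUSE's tooling) compares the output of a standard `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` query against the fixed versions in the Package List above and reports every covered package that is still below them. The sample query output embedded in it is constructed; the fixed version strings are the ones from the advisory.

```python
"""Added helper (not SUSE tooling): compare `rpm -qa` output with the fixed versions
listed in SUSE-SU-2025:20151-1 and report packages still below them."""
import re
import sys

# Fixed versions taken from the advisory's package list for SUSE Linux Micro 6.0.
FIXED = {
    "tpm2.0-tools": "5.7-1.1",
    "tpm2-0-tss": "4.1.0-1.1",
    "libtss2-*": "4.1.0-1.1",        # every libtss2-* subpackage is built from tpm2-0-tss
    "libefivar1": "38-3.1",
    "efivar-debugsource": "38-3.1",
}

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output.
SAMPLE_RPM_QA = """\
tpm2.0-tools 5.6-1.1
tpm2.0-tools-debuginfo 5.6-1.1
tpm2-0-tss 4.1.0-1.1
libtss2-esys0 4.1.0-1.1
libtss2-fapi1 4.0.1-3.2
libefivar1 38-3.1
bash 5.2-1.1
"""


def _nums(s):
    """Numeric segments of a version string as a tuple, e.g. '4.1.0' -> (4, 1, 0)."""
    return tuple(int(p) for p in re.findall(r"\d+", s))


def version_at_least(installed, fixed):
    """rpm-style comparison of VERSION-RELEASE: version first, then release;
    with an equal prefix the longer version wins (4.1.0 is newer than 4.1)."""
    iv, _, ir = installed.partition("-")
    fv, _, fr = fixed.partition("-")
    return (_nums(iv), _nums(ir)) >= (_nums(fv), _nums(fr))


def fixed_version(name):
    """Fixed version for a package name, or None if the advisory does not cover it."""
    if name.startswith("libtss2-"):
        return FIXED["libtss2-*"]
    base = re.sub(r"-(debuginfo|debugsource)$", "", name)   # debug subpackages track their parent
    return FIXED.get(name) or FIXED.get(base)


def unpatched(rpm_lines):
    """[(name, installed, fixed)] for every covered package still below the fixed version."""
    result = []
    for line in rpm_lines:
        line = line.strip()
        if not line:
            continue
        name, _, installed = line.partition(" ")
        fixed = fixed_version(name)
        if fixed is not None and not version_at_least(installed, fixed):
            result.append((name, installed, fixed))
    return result


if __name__ == "__main__":
    # Pipe real rpm output in; with no pipe the constructed sample is used.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_RPM_QA.splitlines()
    for name, installed, fixed in unpatched(source):
        print(f"{name}: installed {installed}, fixed in {fixed}")
```

On a real host run it as `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'tpm2*' 'libtss2*' 'libefivar*' | python3 check_tpm2_patch.py` (the script name is arbitrary); an empty result means every covered package is at or above the advisory's version.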