
Security: Two problems in TPM2
Name: Two problems in TPM2
ID: USN-6796-1
Distribution: Ubuntu
Platforms: Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 23.10, Ubuntu 24.04 LTS
Date: Wed, 29 May 2024, 23:41
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22745
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29040
Applications: TPM2

Original message

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
From: Federico Quattrin <federico.quattrin@canonical.com>
Reply-To: security@ubuntu.com
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <2de443c2-da32-4560-9ed8-51c3bed482c2@canonical.com>
Subject: [USN-6796-1] TPM2 Software Stack vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6796-1
May 29, 2024

tpm2-tss vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in TPM2 Software Stack.

Software Description:
- tpm2-tss: TPM2 Software Stack library

Details:

Fergus Dall discovered that TPM2 Software Stack did not properly handle
layer arrays. An attacker could possibly use this issue to cause
TPM2 Software Stack to crash, resulting in a denial of service, or
possibly execute arbitrary code.
(CVE-2023-22745)

Jurgen Repp and Andreas Fuchs discovered that TPM2 Software Stack did not
validate the quote data after deserialization. An attacker could generate
an arbitrary quote and cause TPM2 Software Stack to have unknown behavior.
(CVE-2024-29040)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
libtss2-esys-3.0.2-0t64 4.0.1-7.1ubuntu5.1
libtss2-fapi1t64 4.0.1-7.1ubuntu5.1
libtss2-mu-4.0.1-0t64 4.0.1-7.1ubuntu5.1
libtss2-policy0t64 4.0.1-7.1ubuntu5.1
libtss2-rc0t64 4.0.1-7.1ubuntu5.1
libtss2-sys1t64 4.0.1-7.1ubuntu5.1
libtss2-tcti-cmd0t64 4.0.1-7.1ubuntu5.1
libtss2-tcti-device0t64 4.0.1-7.1ubuntu5.1
libtss2-tcti-libtpms0t64 4.0.1-7.1ubuntu5.1
libtss2-tcti-mssim0t64 4.0.1-7.1ubuntu5.1
libtss2-tcti-pcap0t64 4.0.1-7.1ubuntu5.1
libtss2-tcti-spi-helper0t64 4.0.1-7.1ubuntu5.1
libtss2-tcti-swtpm0t64 4.0.1-7.1ubuntu5.1
libtss2-tctildr0t64 4.0.1-7.1ubuntu5.1

Ubuntu 23.10
libtss2-esys-3.0.2-0 4.0.1-3ubuntu1.1
libtss2-fapi1 4.0.1-3ubuntu1.1
libtss2-mu0 4.0.1-3ubuntu1.1
libtss2-policy0 4.0.1-3ubuntu1.1
libtss2-rc0 4.0.1-3ubuntu1.1
libtss2-sys1 4.0.1-3ubuntu1.1
libtss2-tcti-cmd0 4.0.1-3ubuntu1.1
libtss2-tcti-device0 4.0.1-3ubuntu1.1
libtss2-tcti-libtpms0 4.0.1-3ubuntu1.1
libtss2-tcti-mssim0 4.0.1-3ubuntu1.1
libtss2-tcti-pcap0 4.0.1-3ubuntu1.1
libtss2-tcti-spi-helper0 4.0.1-3ubuntu1.1
libtss2-tcti-swtpm0 4.0.1-3ubuntu1.1
libtss2-tctildr0 4.0.1-3ubuntu1.1

Ubuntu 22.04 LTS
libtss2-esys-3.0.2-0 3.2.0-1ubuntu1.1
libtss2-fapi1 3.2.0-1ubuntu1.1
libtss2-mu0 3.2.0-1ubuntu1.1
libtss2-rc0 3.2.0-1ubuntu1.1
libtss2-sys1 3.2.0-1ubuntu1.1
libtss2-tcti-cmd0 3.2.0-1ubuntu1.1
libtss2-tcti-device0 3.2.0-1ubuntu1.1
libtss2-tcti-mssim0 3.2.0-1ubuntu1.1
libtss2-tcti-swtpm0 3.2.0-1ubuntu1.1
libtss2-tctildr0 3.2.0-1ubuntu1.1

Ubuntu 20.04 LTS
libtss2-esys0 2.3.2-1ubuntu0.20.04.2

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6796-1
CVE-2023-22745, CVE-2024-29040

Package Information:
https://launchpad.net/ubuntu/+source/tpm2-tss/4.0.1-7.1ubuntu5.1
https://launchpad.net/ubuntu/+source/tpm2-tss/4.0.1-3ubuntu1.1
https://launchpad.net/ubuntu/+source/tpm2-tss/3.2.0-1ubuntu1.1
https://launchpad.net/ubuntu/+source/tpm2-tss/2.3.2-1ubuntu0.20.04.2
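
A patch-level check for the update instructions above, as an added example that is not part of the Ubuntu notice: it compares installed `libtss2-*` versions against the fixed versions the notice lists, using a small port of dpkg's version ordering. The function names, the input format and the sample data are assumptions made for this example.

```python
import re

# Fixed versions per Ubuntu release, copied from the notice's update instructions.
FIXED = {"24.04": "4.0.1-7.1ubuntu5.1", "23.10": "4.0.1-3ubuntu1.1",
         "22.04": "3.2.0-1ubuntu1.1", "20.04": "2.3.2-1ubuntu0.20.04.2"}

def _order(c):
    # dpkg sort weight: '~' first, then end of string/digits, letters, other symbols.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit and digit runs, as dpkg does.
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            diff = _order(a[:1]) - _order(b[:1])
            if diff:
                return diff
            a, b = a[1:], b[1:]
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
        a, b = a[len(na):], b[len(nb):]
    return 0

def deb_cmp(v1, v2):
    # Debian version layout: [epoch:]upstream[-revision]; negative means v1 is older.
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, revision
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def unpatched(release, dpkg_output):
    # dpkg_output: lines of "<package> <version>", e.g. from
    #   dpkg-query -W -f='${Package} ${Version}\n' 'libtss2-*'
    # Assumption: every libtss2-* binary package carries the tpm2-tss source version.
    stale = []
    for line in dpkg_output.splitlines():
        fields = line.split()
        if (len(fields) == 2 and fields[0].startswith("libtss2-")
                and deb_cmp(fields[1], FIXED[release]) < 0):
            stale.append((fields[0], fields[1]))
    return stale

# Constructed sample: a 22.04 host where one library was held back.
SAMPLE = "libtss2-esys-3.0.2-0 3.2.0-1ubuntu1\nlibtss2-mu0 3.2.0-1ubuntu1.1\n"
```

An empty list from `unpatched()` means every listed library is at or above the fixed build; long-running processes that loaded the old library still need a restart to pick up the update.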
