Bug 28882

Summary: libtpms new security issues CVE-2021-3446, CVE-2021-3505, CVE-2021-3623, CVE-2021-3746
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, luigiwalser, mageia, ouaurelien, sysadmin-bugs, thierry.vignaud
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: libtpms-0.7.4-0.20201031git2452a24dab.1.mga8.src.rpm CVE: CVE-2021-3505
Status comment:

Description Nicolas Salguero 2021-05-06 12:42:31 CEST 
Fedora has issued an advisory on May 5:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NUCZX4S53TUNTSGTCRDNOQZV2V2RI4RJ/

Mageia 7 and 8 are also affected.
Nicolas Salguero 2021-05-06 12:42:44 CEST

Whiteboard: (none) => MGA8TOO, MGA7TOO
Source RPM: (none) => libtpms-0.7.4-0.20201031git2452a24dab.1.mga8.src.rpm

Comment 1 Aurelien Oudelet 2021-05-06 15:51:02 CEST 
Hi, thanks for reporting this.
Assigned to the package maintainer.

CC: (none) => ouaurelien
Assignee: bugsquad => thierry.vignaud
CVE: (none) => CVE-2021-3505

Comment 2 David Walser 2021-05-29 18:54:47 CEST 
Fedora has issued an advisory on March 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/46YMIRHQHNKPCVNRVW4W27MFQQU7ZHHV/

Summary: libtpms new security issue CVE-2021-3505 => libtpms new security issues CVE-2021-3446 and CVE-2021-3505
Severity: normal => major

Comment 3 David Walser 2021-05-29 18:56:15 CEST 
The issues are fixed upstream in 0.8.2.

Status comment: (none) => Fixed upstream in 0.8.2

Comment 4 David Walser 2021-07-01 14:47:14 CEST 
Fedora has issued an advisory today (July 1):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Z7KZSYMTE7Z4BBEZUWO2DIMQDWMGEP46/

The issue is fixed upstream in 0.8.4.

Mageia 8 is also affected (so is Mageia 7, but it's EOL).

Status comment: Fixed upstream in 0.8.2 => Fixed upstream in 0.8.4
Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO
Summary: libtpms new security issues CVE-2021-3446 and CVE-2021-3505 => libtpms new security issues CVE-2021-3446, CVE-2021-3505, and CVE-2021-3623

Comment 5 David Walser 2021-07-04 21:15:44 CEST 
Fedora has issued an advisory today (July 4):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DZI42OR3JUEGWRKEVCOHL2FPTJVYCYBT/

It fixes a couple more security issues (no CVEs given) that are fixed in upstream git.
Comment 6 David Walser 2021-08-18 16:37:53 CEST 
Fedora has issued an advisory today (August 18):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7UCZ7AV2UKWYYCNZ2NLLXW7QYCX7K337/

It backports more upstream security fixes from 0.8.5.

Status comment: Fixed upstream in 0.8.4 => Fixed upstream in 0.8.5

Comment 7 David Walser 2021-09-10 18:29:50 CEST 
openSUSE has issued an advisory on September 9:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/75RD2O2OFCMWPCMY5QMSZRNV5PG5BTS6/

The issue is fixed upstream in 0.8.5.

Summary: libtpms new security issues CVE-2021-3446, CVE-2021-3505, and CVE-2021-3623 => libtpms new security issues CVE-2021-3446, CVE-2021-3505, CVE-2021-3623, CVE-2021-3746

Comment 8 David Walser 2021-09-10 18:33:01 CEST 
Fedora has updated to 0.8.5 on September 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YVJSXDXD44WDR4VA2XL33IZDJTBGRXP7/

CC: (none) => luigiwalser

Comment 9 David Walser 2021-09-16 22:27:40 CEST 
Fedora has issued an advisory on September 15:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7E3B6T5RBDKAWETDTW3WPORY3NK5IR46/

It includes a post-0.8.5 upstream fix.
Comment 10 Nicolas Lécureuil 2021-12-06 23:46:14 CET 
updated in cauldron.

Whiteboard: MGA8TOO => (none)
CC: (none) => mageia
Version: Cauldron => 8

Comment 11 David Walser 2021-12-06 23:56:46 CET 
(In reply to Nicolas Lécureuil from comment #10)
> updated in cauldron.

to libtpms-0.9.1-1.mga9.
Comment 12 Nicolas Lécureuil 2021-12-14 13:14:08 CET 
fixed in mga8:

src:
    - libtpms-0.9.1-1.mga8
    - swtpm-0.7.0-5.mga8

Status comment: Fixed upstream in 0.8.5 => (none)
CC: (none) => thierry.vignaud
Assignee: thierry.vignaud => qa-bugs

Comment 13 David Walser 2021-12-14 16:57:06 CET 
What is the swtpm update for?

libtpms-devel-0.9.1-1.mga8
libtpms0-0.9.1-1.mga8
swtpm-tools-0.7.0-5.mga8
libwtpm_libtpms0-0.7.0-5.mga8
swtpm-0.7.0-5.mga8
swtpm-tools-pkcs11-0.7.0-5.mga8
libwtpm_libtpms-devel-0.7.0-5.mga8
Comment 14 Herman Viaene 2021-12-15 15:41:39 CET 
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
No previous updates, no wiki, so started looking for a tutorial, and found https://en.opensuse.org/Software_TPM_Emulator_For_QEMU
I've never ddoen anything with Qemu, the whole thing is way over my head. If someone else has an idea what to do with it,it's OK with me. Else I let itto TJ to OK iton clean install.

CC: (none) => herman.viaene

Comment 15 Thomas Andrews 2021-12-22 23:37:25 CET 
I dabbled at the edges of Qemu for an update test a few months back, but I never got beyond the most basic. A "software TPM Emulator" is far over my head, too.

I'll give it a couple of days, and if no one shows up to try it, I'll OK on the clean install.

CC: (none) => andrewsfarm

Comment 16 Lewis Smith 2021-12-24 10:55:56 CET 
Installed the following (which pulled in a lot more pkgs):
 lib64tpms0-0.7.4-0.20201031git2452a24dab.1.mga8
 swtpm-0.5.2-2.mga8
 swtpm-tools-0.5.2-2.mga8
 swtpm-tools-pkcs11-0.5.2-2.mga8
 lib64wtpm_libtpms0-0.5.2-2.mga8

Updated from updates-testing to:
 lib64tpms0-0.9.1-1.mga8
 swtpm-0.7.0-5.mga8
 swtpm-tools-0.7.0-5.mga8
 swtpm-tools-pkcs11-0.7.0-5.mga8
 lib64wtpm_libtpms0-0.7.0-5.mga8

Clinically OK for x64.

CC: (none) => lewyssmith

Comment 17 Thomas Andrews 2021-12-26 00:28:32 CET 
Validating.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => sysadmin-bugs

Dave Hodgins 2021-12-30 03:26:12 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 18 Mageia Robot 2021-12-30 17:42:57 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0590.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Lewis Smith 2022-01-04 22:21:19 CET

CC: lewyssmith => (none)