Bug 28882 - libtpms new security issues CVE-2021-3446, CVE-2021-3505, CVE-2021-3623, CVE-2021-3746
Summary: libtpms new security issues CVE-2021-3446, CVE-2021-3505, CVE-2021-3623, CVE-...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-05-06 12:42 CEST by Nicolas Salguero
Modified: 2022-01-04 22:21 CET (History)
CC List: 8 users

See Also:
Source RPM: libtpms-0.7.4-0.20201031git2452a24dab.1.mga8.src.rpm
CVE: CVE-2021-3505
Status comment:


Attachments

Description Nicolas Salguero 2021-05-06 12:42:31 CEST
Fedora has issued an advisory on May 5:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NUCZX4S53TUNTSGTCRDNOQZV2V2RI4RJ/

Mageia 7 and 8 are also affected.
Nicolas Salguero 2021-05-06 12:42:44 CEST

Whiteboard: (none) => MGA8TOO, MGA7TOO
Source RPM: (none) => libtpms-0.7.4-0.20201031git2452a24dab.1.mga8.src.rpm

Comment 1 Aurelien Oudelet 2021-05-06 15:51:02 CEST
Hi, thanks for reporting this.
Assigned to the package maintainer.

CC: (none) => ouaurelien
Assignee: bugsquad => thierry.vignaud
CVE: (none) => CVE-2021-3505

Comment 2 David Walser 2021-05-29 18:54:47 CEST
Fedora has issued an advisory on March 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/46YMIRHQHNKPCVNRVW4W27MFQQU7ZHHV/

Summary: libtpms new security issue CVE-2021-3505 => libtpms new security issues CVE-2021-3446 and CVE-2021-3505
Severity: normal => major

Comment 3 David Walser 2021-05-29 18:56:15 CEST
The issues are fixed upstream in 0.8.2.

Status comment: (none) => Fixed upstream in 0.8.2

Comment 4 David Walser 2021-07-01 14:47:14 CEST
Fedora has issued an advisory today (July 1):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Z7KZSYMTE7Z4BBEZUWO2DIMQDWMGEP46/

The issue is fixed upstream in 0.8.4.

Mageia 8 is also affected (so is Mageia 7, but it's EOL).

Status comment: Fixed upstream in 0.8.2 => Fixed upstream in 0.8.4
Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO
Summary: libtpms new security issues CVE-2021-3446 and CVE-2021-3505 => libtpms new security issues CVE-2021-3446, CVE-2021-3505, and CVE-2021-3623

Comment 5 David Walser 2021-07-04 21:15:44 CEST
Fedora has issued an advisory today (July 4):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DZI42OR3JUEGWRKEVCOHL2FPTJVYCYBT/

It fixes a couple more security issues (no CVEs given) that are fixed in upstream git.
Comment 6 David Walser 2021-08-18 16:37:53 CEST
Fedora has issued an advisory today (August 18):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7UCZ7AV2UKWYYCNZ2NLLXW7QYCX7K337/

It backports more upstream security fixes from 0.8.5.

Status comment: Fixed upstream in 0.8.4 => Fixed upstream in 0.8.5

Comment 7 David Walser 2021-09-10 18:29:50 CEST
openSUSE has issued an advisory on September 9:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/75RD2O2OFCMWPCMY5QMSZRNV5PG5BTS6/

The issue is fixed upstream in 0.8.5.

Summary: libtpms new security issues CVE-2021-3446, CVE-2021-3505, and CVE-2021-3623 => libtpms new security issues CVE-2021-3446, CVE-2021-3505, CVE-2021-3623, CVE-2021-3746

Comment 8 David Walser 2021-09-10 18:33:01 CEST
Fedora has updated to 0.8.5 on September 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YVJSXDXD44WDR4VA2XL33IZDJTBGRXP7/

CC: (none) => luigiwalser

Comment 9 David Walser 2021-09-16 22:27:40 CEST
Fedora has issued an advisory on September 15:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7E3B6T5RBDKAWETDTW3WPORY3NK5IR46/

It includes a post-0.8.5 upstream fix.
Comment 10 Nicolas Lécureuil 2021-12-06 23:46:14 CET
updated in cauldron.

Whiteboard: MGA8TOO => (none)
CC: (none) => mageia
Version: Cauldron => 8

Comment 11 David Walser 2021-12-06 23:56:46 CET
(In reply to Nicolas Lécureuil from comment #10)
> updated in cauldron.

to libtpms-0.9.1-1.mga9.
Comment 12 Nicolas Lécureuil 2021-12-14 13:14:08 CET
fixed in mga8:

src:
    - libtpms-0.9.1-1.mga8
    - swtpm-0.7.0-5.mga8

Status comment: Fixed upstream in 0.8.5 => (none)
CC: (none) => thierry.vignaud
Assignee: thierry.vignaud => qa-bugs

Comment 13 David Walser 2021-12-14 16:57:06 CET
What is the swtpm update for?

libtpms-devel-0.9.1-1.mga8
libtpms0-0.9.1-1.mga8
swtpm-tools-0.7.0-5.mga8
libwtpm_libtpms0-0.7.0-5.mga8
swtpm-0.7.0-5.mga8
swtpm-tools-pkcs11-0.7.0-5.mga8
libwtpm_libtpms-devel-0.7.0-5.mga8
Comment 14 Herman Viaene 2021-12-15 15:41:39 CET
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
No previous updates, no wiki, so started looking for a tutorial, and found https://en.opensuse.org/Software_TPM_Emulator_For_QEMU
I've never done anything with Qemu; the whole thing is way over my head. If someone else has an idea what to do with it, it's OK with me. Else I leave it to TJ to OK it on clean install.

CC: (none) => herman.viaene

Comment 15 Thomas Andrews 2021-12-22 23:37:25 CET
I dabbled at the edges of Qemu for an update test a few months back, but I never got beyond the most basic. A "software TPM Emulator" is far over my head, too.

I'll give it a couple of days, and if no one shows up to try it, I'll OK on the clean install.

CC: (none) => andrewsfarm
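Comments 14 and 15 both note that there was no obvious way to exercise the updated emulator. The script below is an added example for this bug, not code from the report, from swtpm or from libtpms. It sends one TPM2_GetCapability command to a running swtpm over its server socket and decodes the manufacturer, vendor string and firmware-version properties the emulator reports, which is enough to show that the rebuilt libtpms actually answers commands. The swtpm invocation, the socket path and the sample response bytes are assumptions and constructed data, not captured output; the wire constants come from the TPM 2.0 Library specification (Part 2, Structures).

```python
"""Query a running swtpm for its TPM properties over the raw command socket.

Assumed emulator invocation (all paths are assumptions):
  swtpm socket --tpm2 --tpmstate dir=/tmp/mytpm \
      --server type=unixio,path=/tmp/mytpm/swtpm.sock \
      --ctrl type=unixio,path=/tmp/mytpm/swtpm.ctrl \
      --flags not-need-init,startup-clear
The --server socket carries raw TPM 2.0 command and response blobs.
"""
import socket
import struct
import sys

# TPM 2.0 Library spec, Part 2: tags, command code, capability and property ids.
TPM_ST_NO_SESSIONS = 0x8001
TPM_CC_GetCapability = 0x0000017A
TPM_CAP_TPM_PROPERTIES = 0x00000006
TPM_PT_MANUFACTURER = 0x105
TPM_PT_VENDOR_STRING_1 = 0x106      # 0x106..0x109 hold four 4-byte chunks
TPM_PT_FIRMWARE_VERSION_1 = 0x10B
TPM_PT_FIRMWARE_VERSION_2 = 0x10C


def build_get_capability(first_property: int, count: int) -> bytes:
    """Encode TPM2_GetCapability(TPM_CAP_TPM_PROPERTIES, first_property, count)."""
    body = struct.pack(">III", TPM_CAP_TPM_PROPERTIES, first_property, count)
    header = struct.pack(">HII", TPM_ST_NO_SESSIONS, 10 + len(body), TPM_CC_GetCapability)
    return header + body


def parse_get_capability(resp: bytes) -> dict:
    """Return {property_id: value} from a GetCapability response.

    Rejects a length field that disagrees with the bytes received, a non-zero
    responseCode, a capability other than TPM_PROPERTIES and a truncated list.
    """
    tag, size, rc = struct.unpack_from(">HII", resp, 0)
    if size != len(resp):
        raise ValueError(f"responseSize {size} != {len(resp)} bytes received")
    if rc != 0:
        raise RuntimeError(f"TPM returned responseCode 0x{rc:03x}")
    more_data, cap, count = struct.unpack_from(">BII", resp, 10)
    if cap != TPM_CAP_TPM_PROPERTIES:
        raise ValueError(f"unexpected capability 0x{cap:x}")
    offset = 19                      # 10-byte header + moreData + capability + count
    if len(resp) < offset + 8 * count:
        raise ValueError("TPML_TAGGED_TPM_PROPERTY list truncated")
    props = {}
    for _ in range(count):
        pt, value = struct.unpack_from(">II", resp, offset)
        props[pt] = value
        offset += 8
    return props


def _ascii(value: int) -> str:
    """A 4-byte property whose value is packed ASCII (manufacturer, vendor string)."""
    return struct.pack(">I", value).decode("ascii", "replace").rstrip("\0 ")


def describe(props: dict) -> dict:
    """Turn the raw property map into the fields a tester wants to eyeball."""
    out = {}
    if TPM_PT_MANUFACTURER in props:
        out["manufacturer"] = _ascii(props[TPM_PT_MANUFACTURER])
    vendor = "".join(_ascii(props[p]) for p in range(TPM_PT_VENDOR_STRING_1, TPM_PT_VENDOR_STRING_1 + 4) if p in props)
    if vendor:
        out["vendor_string"] = vendor
    if TPM_PT_FIRMWARE_VERSION_1 in props and TPM_PT_FIRMWARE_VERSION_2 in props:
        out["firmware"] = f"{props[TPM_PT_FIRMWARE_VERSION_1]:08x}.{props[TPM_PT_FIRMWARE_VERSION_2]:08x}"
    return out


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("swtpm closed the connection")
        buf += chunk
    return buf


def query_swtpm(path: str) -> dict:
    """Ask a live swtpm for properties 0x105..0x10C and decode the answer."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        sock.sendall(build_get_capability(TPM_PT_MANUFACTURER, 8))
        header = _recv_exact(sock, 10)
        size = struct.unpack(">I", header[2:6])[0]
        resp = header + _recv_exact(sock, size - 10)
    return describe(parse_get_capability(resp))


# Constructed sample response (not captured from swtpm): three properties.
SAMPLE_RESPONSE = (
    struct.pack(">HII", TPM_ST_NO_SESSIONS, 10 + 9 + 3 * 8, 0)
    + struct.pack(">BII", 0, TPM_CAP_TPM_PROPERTIES, 3)
    + struct.pack(">II", TPM_PT_MANUFACTURER, int.from_bytes(b"ACME", "big"))
    + struct.pack(">II", TPM_PT_FIRMWARE_VERSION_1, 0x00010002)
    + struct.pack(">II", TPM_PT_FIRMWARE_VERSION_2, 0x00030004)
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(query_swtpm(sys.argv[1]))        # e.g. /tmp/mytpm/swtpm.sock
    else:
        print(describe(parse_get_capability(SAMPLE_RESPONSE)))
```

Run it with the socket path as the only argument once swtpm is up; with no argument it decodes the constructed sample so the parsing can be checked offline. The length and responseCode checks matter more than they look: a response whose size field and byte count disagree is exactly the kind of input a fuzzed or faulty emulator produces, and the parser refuses it rather than reading past the buffer.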

Comment 16 Lewis Smith 2021-12-24 10:55:56 CET
Installed the following (which pulled in a lot more pkgs):
 lib64tpms0-0.7.4-0.20201031git2452a24dab.1.mga8
 swtpm-0.5.2-2.mga8
 swtpm-tools-0.5.2-2.mga8
 swtpm-tools-pkcs11-0.5.2-2.mga8
 lib64wtpm_libtpms0-0.5.2-2.mga8

Updated from updates-testing to:
 lib64tpms0-0.9.1-1.mga8
 swtpm-0.7.0-5.mga8
 swtpm-tools-0.7.0-5.mga8
 swtpm-tools-pkcs11-0.7.0-5.mga8
 lib64wtpm_libtpms0-0.7.0-5.mga8

Clinically OK for x64.

CC: (none) => lewyssmith
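Comment 16 records the before and after package versions by hand. The script below is an added example for this bug, not code from the report or from Mageia, that turns that check into something repeatable: it compares what `rpm -q` reports against the fixed versions from comment 12 (libtpms-0.9.1-1.mga8, swtpm-0.7.0-5.mga8) using a Python reimplementation of rpm's label comparison (rpmvercmp), so it also runs on a host without rpm. The sample `rpm -q` lines are constructed from the versions in comment 16, not captured output.

```python
"""Is this host's libtpms/swtpm at or above the fixed version?

Fixed versions are taken from comment 12 of the bug. rpmvercmp below follows
rpm's rules: split into digit and letter runs, compare digit runs numerically
and letter runs lexically, digits beat letters, '~' sorts before anything
(including end of string) and '^' sorts after end of string but before any
other segment.
"""
import re
import subprocess

FIXED = {
    "libtpms0": "0.9.1-1.mga8",     # i586 package name
    "lib64tpms0": "0.9.1-1.mga8",   # x86_64 package name
    "swtpm": "0.7.0-5.mga8",
}

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+|~|\^")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing version (or release) strings like rpm does."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = 0
    while i < len(sa) or i < len(sb):
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        if x == "~" or y == "~":            # tilde loses to everything
            if x != "~":
                return 1
            if y != "~":
                return -1
            i += 1
            continue
        if x == "^" or y == "^":            # caret beats end of string only
            if x is None:
                return -1
            if y is None:
                return 1
            if x != "^":
                return 1
            if y != "^":
                return -1
            i += 1
            continue
        if x is None:                       # the longer label wins
            return -1
        if y is None:
            return 1
        if x.isdigit() != y.isdigit():      # numeric segment beats alphabetic
            return 1 if x.isdigit() else -1
        if x.isdigit():
            xi, yi = int(x), int(y)         # int() drops leading zeros as rpm does
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
        i += 1
    return 0


def evr_cmp(a: str, b: str) -> int:
    """Compare 'VERSION-RELEASE' strings (no epoch: these packages carry none)."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def check(rpm_q_lines) -> dict:
    """Map package name -> (installed, fixed, ok) for the packages in FIXED.

    Input lines are the output of
      rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\\n' <names>
    'package X is not installed' lines are skipped.
    """
    result = {}
    for line in rpm_q_lines:
        line = line.strip()
        if not line or line.endswith("is not installed"):
            continue
        name, evr = line.split()
        if name in FIXED:
            result[name] = (evr, FIXED[name], evr_cmp(evr, FIXED[name]) >= 0)
    return result


# Constructed sample output, using the versions listed in comment 16.
SAMPLE_BEFORE = [
    "lib64tpms0 0.7.4-0.20201031git2452a24dab.1.mga8",
    "swtpm 0.5.2-2.mga8",
    "package libtpms0 is not installed",
]
SAMPLE_AFTER = [
    "lib64tpms0 0.9.1-1.mga8",
    "swtpm 0.7.0-5.mga8",
    "package libtpms0 is not installed",
]

if __name__ == "__main__":
    try:
        lines = subprocess.run(
            ["rpm", "-q", "--qf", "%{NAME} %{VERSION}-%{RELEASE}\n", *FIXED],
            capture_output=True, text=True, check=False,
        ).stdout.splitlines()
    except FileNotFoundError:               # no rpm on this host: show the sample
        lines = SAMPLE_BEFORE
    for name, (have, want, ok) in check(lines).items():
        print(f"{name}: {have} ({'fixed' if ok else 'VULNERABLE, need ' + want})")
```

The comparison is done with rpm's own ordering rather than a plain string or tuple compare because the pre-update release (`0.20201031git2452a24dab.1.mga8`) has a snapshot tag in the middle; a naive lexicographic compare of the release strings would not sort it correctly against `1.mga8`.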

Comment 17 Thomas Andrews 2021-12-26 00:28:32 CET
Validating.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => sysadmin-bugs

Dave Hodgins 2021-12-30 03:26:12 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 18 Mageia Robot 2021-12-30 17:42:57 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0590.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Lewis Smith 2022-01-04 22:21:19 CET

CC: lewyssmith => (none)

