fixed package pushed into mga8/9


src:
    - tpm2-tools-5.0-1.1.mga8

Version: Cauldron => 8
Status comment: Fixed upstream in 5.1.1 => (none)
CC: (none) => mageia
Assignee: thierry.vignaud => qa-bugs
Whiteboard: MGA8TOO => (none)

mga8, x86_64

"A bunch of TPM testing toolS build upon tpm2-tss"
Trusted Platform Module.

Four packages involved:
lib64tss2-tctildr0
lib64tss2-fapi1
lib64tss2-rc0
tpm2-tools

CVE-2021-3565
https://bugzilla.redhat.com/show_bug.cgi?id=1964427
"A flaw was found in tpm2-tools. tpm2_import used a fixed AES key for the inner wrapper, potentially allowing a MITM attacker to unwrap the inner portion and reveal the key being imported. The highest threat from this vulnerability is to data confidentiality."

No man pages and no helpful information in the README.md file in /usr/share/doc but there are 99 tpm2 entries in /bin; 98 are symbolic links.
       tpm2(1)   -  A  single  small  executable  that  combines  the  various
       tpm2-tools much like a BusyBox that provides a fairly complete environ‐
       ment for any small or embedded system.

$ tpm2 getrandom 8
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:254:tctildr_get_default() No standard TCTI could be loaded 
ERROR:tcti:src/tss2-tcti/tctildr.c:416:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI 
ERROR: Could not load tcti, got: "(null)"

$ tpm2_getrandom --help
Usage: tpm2_getrandom [<options>] <arguments>
Where <options> are:
    [ -o | --output=<value>] [ -f | --force=<value>] [ --hex] [ -S | --session=<value>]
    [ --cphash=<value>] [ --rphash=<value>]
$ tpm2 checkquote
ERROR: --pubkey (-u), --msg (-m) and --sig (-s) are required
Usage: checkquote [<options>]
Where <options> are:
    [ -g | --hash-algorithm=<value>] [ -m | --message=<value>] [ -F | --format=<value>] [ -s | --signature=<value>]
    [ -e | --eventlog=<value>] [ -f | --pcr=<value>] [ -l | --pcr-list=<value>] [ -u | --public=<value>]
    [ -q | --qualification=<value>]

This preamble shows that tpm2 is not a subject for casual enquiry.

Updated to tpm2-tools-5.0-1.1
$ tpm2 --version
tool="tpm2" version="5.0" tctis="libtss2-tctildr" tcti-default=(null)

Passing it on the basis of a clean update.
There may be useful information in this report for an advisory.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Advisory:
========================

Updated tpm2-tools package fixes security vulnerability:

  A flaw was found in tpm2-tools. tpm2_import used a fixed AES key for the inner
  wrapper, potentially allowing a MITM attacker to unwrap the inner portion and
  reveal the key being imported. The highest threat from this vulnerability is
  to data confidentiality (CVE-2021-3565).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29194
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3565
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XK5M7I66PBXSN663TSLAZ3V6TWWFCV7C/
========================

Updated packages in core/updates_testing:
========================
tpm2-tools-5.0-1.1.mga8

from SRPM:
tpm2-tools-5.0-1.1.mga8


Validating.

Keywords: (none) => advisory, validated_update
CVE: (none) => CVE-2021-3565
CC: (none) => ouaurelien, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0353.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED