Ubuntu has issued an advisory on March 7: https://ubuntu.com/security/notices/USN-5933-1 The issues are fixed upstream in 0.9.6. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 0.9.6Whiteboard: (none) => MGA8TOO
Assigning globally, but CC'ing neoclust who committed current v0.9.1 with lots of CVE corrections.
Assignee: bugsquad => pkg-bugsCC: (none) => mageia
Fedora has issued an advisory for this on March 6: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4WEJNRD36D3EOCZVXKGPDSJXA35DPPSE/
Hi, Cauldron has version 0.9.6 since a few days. Best regards, Nico.
Source RPM: libtpms-0.9.1-2.mga9.src.rpm => libtpms-0.9.1-1.mga8.src.rpmVersion: Cauldron => 8CC: (none) => nicolas.salgueroWhiteboard: MGA8TOO => (none)
Suggested advisory: ======================== The updated packages fix security vulnerabilities: An out-of-bounds write vulnerability exists in TPM2.0's Module Library allowing writing of a 2-byte data past the end of TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can lead to denial of service (crashing the TPM chip/process or rendering it unusable) and/or arbitrary code execution in the TPM context. (CVE-2023-1017) An out-of-bounds read vulnerability exists in TPM2.0's Module Library allowing a 2-byte read past the end of a TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can read or access sensitive data stored in the TPM. (CVE-2023-1018) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1017 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1018 https://ubuntu.com/security/notices/USN-5933-1 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4WEJNRD36D3EOCZVXKGPDSJXA35DPPSE/ ======================== Updated packages in core/updates_testing: ======================== lib(64)tpms0-0.9.6-1.mga8 lib(64)tpms-devel-0.9.6-1.mga8 from SRPM: libtpms-0.9.6-1.mga8.src.rpm
Status: NEW => ASSIGNEDAssignee: pkg-bugs => qa-bugsStatus comment: Fixed upstream in 0.9.6 => (none)
MGA8-64 MATE on Acer Aspire 5253 No installation issues. Found previous update 28882, got basically the OK, on clean install.
Whiteboard: (none) => MGA8-64-OKCC: (none) => herman.viaene
Validating. Advisory in comment 4.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0102.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED