Security update for tpm2.0-tools, tpm2-0-tss

Announcement ID: SUSE-SU-2025:20151-1
Release Date: 2025-03-18T10:58:11Z
Rating: moderate
CVSS scores:
  • CVE-2024-29038 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
  • CVE-2024-29039 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
  • CVE-2024-29040 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Affected Products:
  • SUSE Linux Micro 6.0

An update that solves three vulnerabilities can now be installed.

Description:

This update for tpm2.0-tools, tpm2-0-tss fixes the following issues:

tpm2-0-tss: Update to version 4.1:

  • Security

    • CVE-2024-29040: arbitrary quote data may go undetected by Fapi_VerifyQuote (bsc#1223690)

  • Fixed

    • fapi: Fix length check on FAPI auth callbacks
    • mu: Correct error message for errors
    • tss2-rc: fix unknown layer handler dropping bits.
    • fapi: Fix deviation from CEL specification (template_value was used instead of template_data).
    • fapi: Fix json syntax error in FAPI profiles which was ignored by json-c.
    • build: fix build fail after make clean.
    • mu: Fix unneeded size check in TPM2B unmarshaling.
    • fapi: Fix missing parameter encryption.
    • build: Fix failed build with --disable-vendor.
    • fapi: Fix flush of persistent handles.
    • fapi: Fix test provisioning with template with self generated certificate disabled.
    • fapi: Fix error in Fapi_GetInfo if TPM supports SHA3 hash algs.
    • fapi: Revert pcr extension for EV_NO_ACTION events.
    • fapi: Fix strange error messages if nv, ext, or policy path does not exist.
    • fapi: Fix segfault caused by wrong allocation of pcr policy.
    • esys: Fix leak in Esys_EvictControl for persistent handles.
    • tss2-tcti: tcti-libtpms: fix test failure on big-endian platform.
    • esys: Add reference counting for Esys_TR_FromTPMPublic.
    • esys: Fix HMAC error if session bind key has an auth value with a trailing 0.
    • fapi: fix usage of self signed certificates in TPM.
    • fapi: Usage of self signed certificates.
    • fapi: A segfault after the error handling of non existing keys.
    • fapi: Fix several leaks.
    • fapi: Fix error handling for policy execution.
    • fapi: Fix usage of persistent handles (should not be flushed)
    • fapi: Fix test provisioning with template (skip test without self generated certificate).
    • fapi: Fix pcr extension for EV_NO_ACTION
    • test: Fix fapi-key-create-policy-signed-keyedhash with P_ECC384 profile
    • tcti_spi_helper_transmit: ensure FIFO is accessed only after TPM reports commandReady bit is set
    • fapi: Fix read large system eventlog (> UINT16_MAX).
    • esys tests: Fix layer check for TPM2_RC_COMMAND_CODE (for /dev/tpmrm0)
    • test: unit: tcti-libtpms: fix test failed at 32-bit platforms.
    • fapi: Fix possible null pointer dereferencing in Fapi_List.
    • sys: Fix size check in Tss2_Sys_GetCapability.
    • esys: Fix leak in Esys_TR_FromTPMPublic.
    • esys: fix unchecked return value in esys crypto.
    • fapi: Fix wrong usage of local variable in provisioning.
    • fapi: Fix memset 0 in ifapi_json_TPMS_POLICYNV_deserialize.
    • fapi: Fix possible out of bound array access in IMA parser.
    • tcti device: Fix possible unmarshalling from uninitialized variable.
    • fapi: Fix error checking authorization of signing key.
    • fapi: Fix cleanup of policy sessions.
    • fapi: Eventlog H-CRTM events and different localities.
    • fapi: Fix missing synchronization of quote and eventlog.
    • fapi: Fix invalid free in Fapi_Quote with empty eventlog.
  • Added

    • tcti: LetsTrust-TPM2Go TCTI module spi-ltt2go.
    • mbedtls: add sha512 hmac.
    • fapi: Enable usage of external keys for Fapi_Encrypt.
    • fapi: Support download of AMD certificates.
    • tcti: Add USB TPM (FTDI MPSSE USB to SPI bridge) TCTI module.
    • fapi: The recreation of primaries (except EK) in the owner hierarchy instead of the endorsement hierarchy is fixed.
    • rc: New TPM return codes added.
    • fapi: Further Nuvoton certificates added.
    • tpm_types/esys: Add support for Attestable TPM changes in latest TPM spec.
    • tcti: Add '/dev/tcm0' to default conf
    • fapi: New Nuvoton certificates added.
    • esys: Fix leak in Esys_TR_FromTPMPublic.
  • Removed

    • Testing on Ubuntu 18.04 as it's near EOL (May 2023).

tpm2.0-tools: Update to version 5.7:

  • Security

    • CVE-2024-29038: arbitrary quote data may go undetected by tpm2_checkquote (bsc#1223687)
    • CVE-2024-29039: pcr selection value is not compared with the attest (bsc#1223689)
  • Fixed

    • Fix eventlog test
    • Fix issues with reading NV indexes
    • Fix context save error on tpm2_create
    • tpm2_sessionconfig: fix handling of --disable-continue session so that the subsequent command will not fail when attempting to context save a flushed session.
    • Fix detection of functions within libcrypto when CRYPTO_LIBS is set and the system has libcrypto installed.
    • tpm2_send: fix EOF detection on input stream.
    • tpm2_policy.c: fix compilation error caused by format directive for size_t on 32 bit systems.
    • tpm2_nvread: fix input handling with no nv index.
    • Auth file: Ensure 0-termination when reading auths from a file.
    • configure.ac: fix bashisms. configure scripts need to be runnable with a POSIX-compliant /bin/sh.
    • cirrus.yml: fix tss compilation with libtpms for FreeBSD.
    • tpm2_tool.c: Fix missing include for basename to enable compilation on NetBSD.
    • options: fix TCTI handling to avoid failures for commands that should work with no options.
    • tpm2_getekcertificate.c: Fix leak. ek_uri was not freed if get_ek_server_address failed.
  • Added

    • Add the possibility for autoflush (environment variable "TPM2TOOLS_AUTOFLUSH", or -R option)
  • Removed

    • Testing on Ubuntu 18.04 as it's near EOL (May 2023).
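All three CVEs in this update concern quote verification (tpm2_checkquote and Fapi_VerifyQuote) accepting attestation data without comparing it against what the verifier expected. The following is an added example written for this advisory, not code from tpm2-tools or tpm2-tss: it walks the checks a verifier has to perform in order, with the signature checked over the raw attest bytes, the magic and type checked, the nonce compared, the PCR selection taken from policy rather than from the quote, and pcrDigest recomputed from the expected PCR values. The TPMS_ATTEST layout follows the TPM 2.0 specification; the HMAC signature, the qualifiedSigner/clockInfo/firmwareVersion filler, the key and the PCR values are constructed stand-ins, and SHA-256 is assumed as the quote's hash algorithm.

```python
"""Quote verification: check the signature AND the attested content. Added example, not code
from tpm2-tools or tpm2-tss; TPMS_ATTEST layout per TPM 2.0 Part 2, HMAC stands in for the
attestation-key signature, and SHA-256 is assumed as the quote hash algorithm."""
import hashlib
import hmac
import struct

TPM_GENERATED_VALUE = 0xFF544347  # magic marking TPM-generated structures
TPM_ST_ATTEST_QUOTE = 0x8018      # TPMI_ST_ATTEST tag for quotes
TPM_ALG_SHA256 = 0x000B

def _tpm2b(data: bytes) -> bytes:
    """Marshal a TPM2B: UINT16 size prefix followed by the bytes."""
    return struct.pack(">H", len(data)) + data

def build_attest(nonce: bytes, pcr_indices: list, pcr_digest: bytes) -> bytes:
    """Marshal a minimal quote TPMS_ATTEST (constructed sample, not from a real TPM)."""
    select = bytearray(3)  # sizeofSelect 3 -> PCR 0..23
    for idx in pcr_indices:
        select[idx // 8] |= 1 << (idx % 8)
    return (struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_QUOTE)
            + _tpm2b(b"\x00\x0b" + b"\x11" * 32)   # qualifiedSigner name (constructed)
            + _tpm2b(nonce)                        # extraData
            + struct.pack(">QIIB", 1000, 1, 0, 1)  # clockInfo (constructed)
            + struct.pack(">Q", 0x20230101)        # firmwareVersion (constructed)
            + struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(select)  # TPML_PCR_SELECTION
            + _tpm2b(pcr_digest))

def parse_quote(attest: bytes) -> dict:
    """Unmarshal a quote TPMS_ATTEST; raise ValueError/struct.error on anything unexpected."""
    off = 0

    def take(fmt):  # unpack at the current offset and advance; struct.error if truncated
        nonlocal off
        vals = struct.unpack_from(fmt, attest, off)
        off += struct.calcsize(fmt)
        return vals

    def tpm2b():
        return take(f">{take('>H')[0]}s")[0]

    magic, tag = take(">IH")
    if magic != TPM_GENERATED_VALUE or tag != TPM_ST_ATTEST_QUOTE:
        raise ValueError("not a TPM-generated quote")
    tpm2b()                      # qualifiedSigner (not checked in this example)
    extra = tpm2b()              # extraData carries the verifier's nonce
    take(">QIIB")                # clockInfo
    take(">Q")                   # firmwareVersion
    selections = []
    for _ in range(take(">I")[0]):  # TPML_PCR_SELECTION.count
        alg, size = take(">HB")
        bits = take(f">{size}s")[0]
        selections.append((alg, tuple(i for i in range(size * 8) if bits[i // 8] >> (i % 8) & 1)))
    digest = tpm2b()
    if off != len(attest):
        raise ValueError("trailing bytes after TPMS_ATTEST")
    return {"extra": extra, "selections": selections, "pcr_digest": digest}

def verify_quote(attest, signature, key, nonce, expected_pcrs):
    """expected_pcrs maps (alg, index) -> expected PCR value. Returns (ok, reason)."""
    # 1. signature over exactly the bytes we are about to parse
    if not hmac.compare_digest(hmac.new(key, attest, "sha256").digest(), signature):
        return False, "bad signature"
    try:
        q = parse_quote(attest)
    except (ValueError, struct.error) as exc:
        return False, f"malformed attest: {exc}"
    # 2. freshness: extraData must equal the nonce this verifier issued
    if not hmac.compare_digest(q["extra"], nonce):
        return False, "nonce mismatch"
    # 3. the PCR selection comes from policy, never from the quote; the attest must match it exactly
    expected_sel = {}
    for alg, idx in expected_pcrs:
        expected_sel.setdefault(alg, []).append(idx)
    expected_sel = {alg: tuple(sorted(p)) for alg, p in expected_sel.items()}
    if len(q["selections"]) != len(expected_sel) or dict(q["selections"]) != expected_sel:
        return False, "pcr selection mismatch"
    # 4. pcrDigest = H(expected PCR values concatenated in selection order)
    h = hashlib.sha256()
    for alg, pcrs in q["selections"]:
        for idx in pcrs:
            h.update(expected_pcrs[(alg, idx)])
    if not hmac.compare_digest(h.digest(), q["pcr_digest"]):
        return False, "pcr digest mismatch"
    return True, "ok"

# Constructed demo data: a stand-in key, a nonce and two "golden" PCR values.
KEY = b"constructed-demo-key"
NONCE = b"\xaa" * 16
PCRS = {(TPM_ALG_SHA256, 0): hashlib.sha256(b"pcr0").digest(),
        (TPM_ALG_SHA256, 7): hashlib.sha256(b"pcr7").digest()}

def demo() -> dict:
    """A good quote plus three that are validly signed but must still be rejected."""
    good_digest = hashlib.sha256(PCRS[(TPM_ALG_SHA256, 0)] + PCRS[(TPM_ALG_SHA256, 7)]).digest()
    cases = {
        "good": build_attest(NONCE, [0, 7], good_digest),
        "narrow_selection": build_attest(NONCE, [0], hashlib.sha256(PCRS[(TPM_ALG_SHA256, 0)]).digest()),
        "stale_nonce": build_attest(b"\xbb" * 16, [0, 7], good_digest),
        "arbitrary_data": b"definitely not a TPMS_ATTEST",
    }
    return {name: verify_quote(a, hmac.new(KEY, a, "sha256").digest(), KEY, NONCE, PCRS)
            for name, a in cases.items()}
```

The point of the `narrow_selection` case is the one the advisory describes for CVE-2024-29039: a quote over a different PCR set can carry a perfectly valid signature, so a verifier that reads the selection out of the quote instead of comparing it with the selection it asked for will accept it. Likewise, checking the signature alone (the `arbitrary_data` case) says nothing about whether the signed bytes are a well-formed quote with the expected nonce and digest.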

  • Update to version 5.6

    • tpm2_eventlog:

      • add H-CRTM event support
      • add support of efivar versions less than 38
      • Add support to check for efivar/efivar.h manually
      • Minor formatting fixes
      • tpm2_eventlog: add support for replay with different StartupLocality
      • Fix pcr extension for EV_NO_ACTION
      • Extend test of yaml string representation
      • Use helper for printing a string dump
      • Fix upper bound on unique data size
      • Fix YAML string formatting
    • tpm2_policy:

      • Add support for parsing forward seal TPM values
      • Use forward seal values in creating policies
      • Move dgst_size in evaluate_populate_pcr_digests()
      • Allow more than 8 PCRs for sealing
      • Make __wrap_Esys_PCR_Read() more dynamic to enable testing more PCRs
    • tpm2_encryptdecrypt: Fix pkcs7 padding stripping
    • tpm2_duplicate:

      • Support -a option for attributes
      • Add --key-algorithm option
    • tpm2_encodeobject: Use the correct -O option instead of -C
    • tpm2_unseal: Add qualifier static to enhance the privacy of unseal function
    • tpm2_sign:

      • Remove -m option which was added mistakenly
      • Revert sm2 sign and verifysignature
    • tpm2_createek:

      • Correct man page example
      • Fix usage of nonce
      • Fix integrating nonce
    • tpm2_clear: add more details about the action
    • tpm2_startauthsession: allow the file attribute for policy authorization.
    • tpm2_getekcertificate: Add AMD EK support
    • tpm2_ecdhzgen: Add public-key parameter
    • tpm2_nvreadpublic: Prevent free of unallocated pointers on failure
    • Bug-fixes:

      • The readthedocs build failed with "module 'jinja2' has no attribute 'contextfilter'"; a requirements file was added to fix this problem
      • An error caused by the flags -flto -D_FORTIFY_SOURCE=3 in the kdfa implementation. This error can be avoided by switching off the optimization with a pragma
      • Changed wrong function name of "Esys_Load" to "Esys_Load"
      • Function names beginning with Esys_ are wrongly written as Eys_
      • Reading and writing serialized persistent ESYS_TR handles
      • cirrus-ci: update image-family to freebsd-13-2 from 13-1
    • misc:

      • Change the default Python version to Python3 in the helper's code
      • Skip test which uses the sign operator for comparison in abrmd_policynv.sh
      • tools/tr_encode: Add a tool that can encode serialized ESYS_TR for persistent handles from the TPM2B_PUBLIC and the raw persistent TPM2_HANDLE
      • Add safe directory in config

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Micro 6.0
    zypper in -t patch SUSE-SLE-Micro-6.0-250=1

Package List:

  • SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
    • tpm2.0-tools-5.7-1.1
    • libtss2-tcti-device0-4.1.0-1.1
    • libtss2-rc0-debuginfo-4.1.0-1.1
    • tpm2-0-tss-4.1.0-1.1
    • libtss2-sys1-debuginfo-4.1.0-1.1
    • tpm2-0-tss-debugsource-4.1.0-1.1
    • libtss2-tcti-spi-helper0-4.1.0-1.1
    • efivar-debugsource-38-3.1
    • libtss2-tcti-device0-debuginfo-4.1.0-1.1
    • tpm2.0-tools-debugsource-5.7-1.1
    • libtss2-mu0-4.1.0-1.1
    • libtss2-fapi1-4.1.0-1.1
    • libtss2-fapi-common-4.1.0-1.1
    • libtss2-fapi1-debuginfo-4.1.0-1.1
    • libtss2-tctildr0-4.1.0-1.1
    • libtss2-tcti-spidev0-debuginfo-4.1.0-1.1
    • libefivar1-38-3.1
    • libtss2-rc0-4.1.0-1.1
    • libtss2-tcti-spi-helper0-debuginfo-4.1.0-1.1
    • libtss2-esys0-4.1.0-1.1
    • libefivar1-debuginfo-38-3.1
    • tpm2.0-tools-debuginfo-5.7-1.1
    • libtss2-tctildr0-debuginfo-4.1.0-1.1
    • libtss2-sys1-4.1.0-1.1
    • libtss2-tcti-spidev0-4.1.0-1.1
    • libtss2-esys0-debuginfo-4.1.0-1.1
    • libtss2-mu0-debuginfo-4.1.0-1.1
