SUSE-SU-2025:20151-1: moderate: Security update for tpm2.0-tools, tpm2-0-tss

SLE-SECURITY-UPDATES null at suse.de
Wed Jun 4 08:52:32 UTC 2025



# Security update for tpm2.0-tools, tpm2-0-tss

Announcement ID: SUSE-SU-2025:20151-1  
Release Date: 2025-03-18T10:58:11Z  
Rating: moderate  
References:

  * bsc#1223687
  * bsc#1223689
  * bsc#1223690

  
Cross-References:

  * CVE-2024-29038
  * CVE-2024-29039
  * CVE-2024-29040

  
CVSS scores:

  * CVE-2024-29038 ( SUSE ):  5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
  * CVE-2024-29039 ( SUSE ):  5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
  * CVE-2024-29040 ( SUSE ):  5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

  
Affected Products:

  * SUSE Linux Micro 6.0

  
  
An update that solves three vulnerabilities can now be installed.

## Description:

This update for tpm2.0-tools, tpm2-0-tss fixes the following issues:

tpm2-0-tss: Update to version 4.1: \+ Security \- CVE-2024-29040: arbitrary
quote data may go undetected by Fapi_VerifyQuote (bsc#1223690)

  * Fixed

    * fapi: Fix length check on FAPI auth callbacks
    * mu: Correct error message for errors
    * tss2-rc: fix unknown laer handler dropping bits.
    * fapi: Fix deviation from CEL specification (template_value was used instead of template_data).
    * fapi: Fix json syntax error in FAPI profiles which was ignored by json-c.
    * build: fix build fail after make clean.
    * mu: Fix unneeded size check in TPM2B unmarshaling.
    * fapi: Fix missing parameter encryption.
    * build: Fix failed build with --disable-vendor.
    * fapi: Fix flush of persistent handles.
    * fapi: Fix test provisioning with template with self generated certificate disabled.
    * fapi: Fix error in Fapi_GetInfo it TPM supports SHA3 hash algs.
    * fapi: Revert pcr extension for EV_NO_ACTION events.
    * fapi: Fix strange error messages if nv, ext, or policy path does not exits.
    * fapi: Fix segfault caused by wrong allocation of pcr policy.
    * esys: Fix leak in Esys_EvictControl for persistent handles.
    * tss2-tcti: tcti-libtpms: fix test failure on big-endian platform.
    * esys: Add reference counting for Esys_TR_FromTPMPublic.
    * esys: Fix HMAC error if session bind key has an auth value with a trailing 0.
    * fapi: fix usage of self signed certificates in TPM.
    * fapi: Usage of self signed certificates.
    * fapi: A segfault after the error handling of non existing keys.
    * fapi: Fix several leaks.
    * fapi: Fix error handling for policy execution.
    * fapi: Fix usage of persistent handles (should not be flushed)
    * fapi: Fix test provisioning with template (skip test without self generated certificate).
    * fapi: Fix pcr extension for EV_NO_ACTION
    * test: Fix fapi-key-create-policy-signed-keyedhash with P_ECC384 profile
    * tcti_spi_helper_transmit: ensure FIFO is accessed only after TPM reports commandReady bit is set
    * fapi: Fix read large system eventlog (> UINT16_MAX).
    * esys tests: Fix layer check for TPM2_RC_COMMAND_CODE (for /dev/tpmrm0)
    * test: unit: tcti-libtpms: fix test failed at 32-bit platforms.
    * fapi: Fix possible null pointer dereferencing in Fapi_List.
    * sys: Fix size check in Tss2_Sys_GetCapability.
    * esys: Fix leak in Esys_TR_FromTPMPublic.
    * esys: fix unchecked return value in esys crypto.
    * fapi: Fix wrong usage of local variable in provisioning.
    * fapi: Fix memset 0 in ifapi_json_TPMS_POLICYNV_deserialize.
    * fapi: Fix possible out of bound array access in IMA parser.
    * tcti device: Fix possible unmarshalling from uninitialized variable.
    * fapi: Fix error checking authorization of signing key.
    * fapi: Fix cleanup of policy sessions.
    * fapi: Eventlog H-CRTM events and different localities.
    * fapi: Fix missing synchronization of quote and eventlog.
    * faii: Fix invalid free in Fapi_Quote with empty eventlog.
  * Added

    * tcti: LetsTrust-TPM2Go TCTI module spi-ltt2go.
    * mbedtls: add sha512 hmac.
    * fapi: Enable usage of external keys for Fapi_Encrypt.
    * fapi: Support download of AMD certificates.
    * tcti: Add USB TPM (FTDI MPSSE USB to SPI bridge) TCTI module.
    * fapi: The recreation of primaries (except EK) in the owner hierarchy instead the endorsement hierarchy is fixed.
    * rc: New TPM return codes added.
    * fapi: Further Nuvoton certificates added.
    * tpm_types/esys: Add support for Attestable TPM changes in latest TPM spec.
    * tcti: Add '/dev/tcm0' to default conf
    * fapi: New Nuvoton certificates added.
    * esys: Fix leak in Esys_TR_FromTPMPublic.
  * Removed

    * Testing on Ubuntu 18.04 as it's near EOL (May 2023).

tpm2.0-tools: Update to version 5.7: \+ Security \- CVE-2024-29038: arbitrary
quote data may go undetected by tpm2_checkquote (bsc#1223687) \- CVE-2024-29039:
pcr selection value is not compared with the attest (bsc#1223689) \+ Fixed \-
Fix eventlog test \- Fix issues with reading NV indexes \- Fix context save
error on tpm2_create \- tpm2_sessionconfig: fix handling of --disable-continue
session so that the subsequent command will not fail \- when attempting to
context save a flushed session. \- detection of functions within libcrypto when
CRYPTO_LIBS is set and system has install libcrypto. \- tpm2_send: fix EOF
detection on input stream. \- tpm2_policy.c fix compilation error caused by
format directive for size_t on 32 bit systems. \- tpm2_nvread: fix input
handling no nv index. \- Auth file: Ensure 0-termination when reading auths from
a file. \- configure.ac: fix bashisms. configure scripts need to be runnable
with a POSIX-compliant /bin/sh. \- cirrus.yml fix tss compilation with libtpms
for FreeBSD. \- tpm2_tool.c Fix missing include for basename to enable
compilation on netbsd. \- options: fix TCTI handling to avoid failures for
commands that should work with no options. \- tpm2_getekcertificate.c Fix leak.
ek_uri was not freed if get_ek_server_address failed. \+ Added \- Add the
possibility for autoflush (environment variable "TPM2TOOLS_AUTOFLUSH", or -R
option) \+ Removed \- Testing on Ubuntu 18.04 as it's near EOL (May
2023).m2_policy.c fix compilation error caused by format directive for size_t on
32 bit systems. \- tpm2_nvread: fix input handling no nv index.

  * Update to version 5.6
    * tpm2_eventlog:
    * add H-CRTM event support
    * add support of efivar versions less than 38
    * Add support to check for efivar/efivar.h manually
    * Minor formatting fixes
    * tpm2_eventlog: add support for replay with different StartupLocality
    * Fix pcr extension for EV_NO_ACTION
    * Extend test of yaml string representation
    * Use helper for printing a string dump
    * Fix upper bound on unique data size
    * Fix YAML string formatting
    * tpm2_policy:
    * Add support for parsing forward seal TPM values
    * Use forward seal values in creating policies
    * Move dgst_size in evaluate_populate_pcr_digests()
    * Allow more than 8 PCRs for sealing
    * Move dgst_size in evaluate_populate_pcr_digests
    * Allow more than 8 PCRs for sealing
    * Make __wrap_Esys_PCR_Read() more dynamic to enable testing more PCRs
    * tpm2_encryptdecrypt: Fix pkcs7 padding stripping
    * tpm2_duplicate:
    * Support -a option for attributes
    * Add --key-algorithm option
    * tpm2_encodeobject: Use the correct -O option instead of -C
    * tpm2_unseal: Add qualifier static to enhance the privacy of unseal function
    * tpm2_sign:
    * Remove -m option which was added mistakenly
    * Revert sm2 sign and verifysignature
    * tpm2_createek:
    * Correct man page example
    * Fix usage of nonce
    * Fix integrating nonce
    * tpm2_clear: add more details about the action
    * tpm2_startauthsession: allow the file attribute for policy authorization.
    * tpm2_getekcertificate: Add AMD EK support
    * tpm2_ecdhzgen: Add public-key parameter
    * tpm2_nvreadpublic: Prevent free of unallocated pointers on failure
    * Bug-fixes:
    * The readthedocs build failed with module 'jinja2' has no attribute 'contextfilter' a requirement file was added to fix this problem
    * An error caused by the flags -flto -_FORTIFY_SOURCE=3 in kdfa implementation. This error can be avoided by switching off the optimization with pragma
    * Changed wrong function name of "Esys_Load" to "Esys_Load"
    * Function names beginning with Esys_ are wrongly written as Eys_
    * Reading and writing a serialized persistent ESYS_TR handles
    * cirrus-ci update image-family to freebsd-13-2 from 13-1
    * misc:
    * Change the default Python version to Python3 in the helper's code
    * Skip test which uses the sign operator for comparison in abrmd_policynv.sh
    * tools/tr_encode: Add a tool that can encode serialized ESYS_TR for persistent handles from the TPM2B_PUBLIC and the raw persistent TPM2_HANDLE
    * Add safe directory in config

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Micro 6.0  
    zypper in -t patch SUSE-SLE-Micro-6.0-250=1

## Package List:

  * SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
    * tpm2.0-tools-5.7-1.1
    * libtss2-tcti-device0-4.1.0-1.1
    * libtss2-rc0-debuginfo-4.1.0-1.1
    * tpm2-0-tss-4.1.0-1.1
    * libtss2-sys1-debuginfo-4.1.0-1.1
    * tpm2-0-tss-debugsource-4.1.0-1.1
    * libtss2-tcti-spi-helper0-4.1.0-1.1
    * efivar-debugsource-38-3.1
    * libtss2-tcti-device0-debuginfo-4.1.0-1.1
    * tpm2.0-tools-debugsource-5.7-1.1
    * libtss2-mu0-4.1.0-1.1
    * libtss2-fapi1-4.1.0-1.1
    * libtss2-fapi-common-4.1.0-1.1
    * libtss2-fapi1-debuginfo-4.1.0-1.1
    * libtss2-tctildr0-4.1.0-1.1
    * libtss2-tcti-spidev0-debuginfo-4.1.0-1.1
    * libefivar1-38-3.1
    * libtss2-rc0-4.1.0-1.1
    * libtss2-tcti-spi-helper0-debuginfo-4.1.0-1.1
    * libtss2-esys0-4.1.0-1.1
    * libefivar1-debuginfo-38-3.1
    * tpm2.0-tools-debuginfo-5.7-1.1
    * libtss2-tctildr0-debuginfo-4.1.0-1.1
    * libtss2-sys1-4.1.0-1.1
    * libtss2-tcti-spidev0-4.1.0-1.1
    * libtss2-esys0-debuginfo-4.1.0-1.1
    * libtss2-mu0-debuginfo-4.1.0-1.1

## References:

  * https://www.suse.com/security/cve/CVE-2024-29038.html
  * https://www.suse.com/security/cve/CVE-2024-29039.html
  * https://www.suse.com/security/cve/CVE-2024-29040.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1223687
  * https://bugzilla.suse.com/show_bug.cgi?id=1223689
  * https://bugzilla.suse.com/show_bug.cgi?id=1223690

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-security-updates/attachments/20250604/b685da12/attachment.htm>


More information about the sle-security-updates mailing list