SUSE-SU-2025:20151-1: moderate: Security update for tpm2.0-tools, tpm2-0-tss
SLE-SECURITY-UPDATES
null at suse.de
Wed Jun 4 08:52:32 UTC 2025
# Security update for tpm2.0-tools, tpm2-0-tss
Announcement ID: SUSE-SU-2025:20151-1
Release Date: 2025-03-18T10:58:11Z
Rating: moderate
References:
* bsc#1223687
* bsc#1223689
* bsc#1223690
Cross-References:
* CVE-2024-29038
* CVE-2024-29039
* CVE-2024-29040
CVSS scores:
* CVE-2024-29038 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
* CVE-2024-29039 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
* CVE-2024-29040 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Affected Products:
* SUSE Linux Micro 6.0
An update that solves three vulnerabilities can now be installed.
## Description:
This update for tpm2.0-tools, tpm2-0-tss fixes the following issues:
tpm2-0-tss: Update to version 4.1: \+ Security \- CVE-2024-29040: arbitrary
quote data may go undetected by Fapi_VerifyQuote (bsc#1223690)
* Fixed
* fapi: Fix length check on FAPI auth callbacks
* mu: Correct error message for errors
* tss2-rc: fix unknown laer handler dropping bits.
* fapi: Fix deviation from CEL specification (template_value was used instead of template_data).
* fapi: Fix json syntax error in FAPI profiles which was ignored by json-c.
* build: fix build fail after make clean.
* mu: Fix unneeded size check in TPM2B unmarshaling.
* fapi: Fix missing parameter encryption.
* build: Fix failed build with --disable-vendor.
* fapi: Fix flush of persistent handles.
* fapi: Fix test provisioning with template with self generated certificate disabled.
* fapi: Fix error in Fapi_GetInfo it TPM supports SHA3 hash algs.
* fapi: Revert pcr extension for EV_NO_ACTION events.
* fapi: Fix strange error messages if nv, ext, or policy path does not exits.
* fapi: Fix segfault caused by wrong allocation of pcr policy.
* esys: Fix leak in Esys_EvictControl for persistent handles.
* tss2-tcti: tcti-libtpms: fix test failure on big-endian platform.
* esys: Add reference counting for Esys_TR_FromTPMPublic.
* esys: Fix HMAC error if session bind key has an auth value with a trailing 0.
* fapi: fix usage of self signed certificates in TPM.
* fapi: Usage of self signed certificates.
* fapi: A segfault after the error handling of non existing keys.
* fapi: Fix several leaks.
* fapi: Fix error handling for policy execution.
* fapi: Fix usage of persistent handles (should not be flushed)
* fapi: Fix test provisioning with template (skip test without self generated certificate).
* fapi: Fix pcr extension for EV_NO_ACTION
* test: Fix fapi-key-create-policy-signed-keyedhash with P_ECC384 profile
* tcti_spi_helper_transmit: ensure FIFO is accessed only after TPM reports commandReady bit is set
* fapi: Fix read large system eventlog (> UINT16_MAX).
* esys tests: Fix layer check for TPM2_RC_COMMAND_CODE (for /dev/tpmrm0)
* test: unit: tcti-libtpms: fix test failed at 32-bit platforms.
* fapi: Fix possible null pointer dereferencing in Fapi_List.
* sys: Fix size check in Tss2_Sys_GetCapability.
* esys: Fix leak in Esys_TR_FromTPMPublic.
* esys: fix unchecked return value in esys crypto.
* fapi: Fix wrong usage of local variable in provisioning.
* fapi: Fix memset 0 in ifapi_json_TPMS_POLICYNV_deserialize.
* fapi: Fix possible out of bound array access in IMA parser.
* tcti device: Fix possible unmarshalling from uninitialized variable.
* fapi: Fix error checking authorization of signing key.
* fapi: Fix cleanup of policy sessions.
* fapi: Eventlog H-CRTM events and different localities.
* fapi: Fix missing synchronization of quote and eventlog.
* faii: Fix invalid free in Fapi_Quote with empty eventlog.
* Added
* tcti: LetsTrust-TPM2Go TCTI module spi-ltt2go.
* mbedtls: add sha512 hmac.
* fapi: Enable usage of external keys for Fapi_Encrypt.
* fapi: Support download of AMD certificates.
* tcti: Add USB TPM (FTDI MPSSE USB to SPI bridge) TCTI module.
* fapi: The recreation of primaries (except EK) in the owner hierarchy instead the endorsement hierarchy is fixed.
* rc: New TPM return codes added.
* fapi: Further Nuvoton certificates added.
* tpm_types/esys: Add support for Attestable TPM changes in latest TPM spec.
* tcti: Add '/dev/tcm0' to default conf
* fapi: New Nuvoton certificates added.
* esys: Fix leak in Esys_TR_FromTPMPublic.
* Removed
* Testing on Ubuntu 18.04 as it's near EOL (May 2023).
tpm2.0-tools: Update to version 5.7: \+ Security \- CVE-2024-29038: arbitrary
quote data may go undetected by tpm2_checkquote (bsc#1223687) \- CVE-2024-29039:
pcr selection value is not compared with the attest (bsc#1223689) \+ Fixed \-
Fix eventlog test \- Fix issues with reading NV indexes \- Fix context save
error on tpm2_create \- tpm2_sessionconfig: fix handling of --disable-continue
session so that the subsequent command will not fail \- when attempting to
context save a flushed session. \- detection of functions within libcrypto when
CRYPTO_LIBS is set and system has install libcrypto. \- tpm2_send: fix EOF
detection on input stream. \- tpm2_policy.c fix compilation error caused by
format directive for size_t on 32 bit systems. \- tpm2_nvread: fix input
handling no nv index. \- Auth file: Ensure 0-termination when reading auths from
a file. \- configure.ac: fix bashisms. configure scripts need to be runnable
with a POSIX-compliant /bin/sh. \- cirrus.yml fix tss compilation with libtpms
for FreeBSD. \- tpm2_tool.c Fix missing include for basename to enable
compilation on netbsd. \- options: fix TCTI handling to avoid failures for
commands that should work with no options. \- tpm2_getekcertificate.c Fix leak.
ek_uri was not freed if get_ek_server_address failed. \+ Added \- Add the
possibility for autoflush (environment variable "TPM2TOOLS_AUTOFLUSH", or -R
option) \+ Removed \- Testing on Ubuntu 18.04 as it's near EOL (May
2023).m2_policy.c fix compilation error caused by format directive for size_t on
32 bit systems. \- tpm2_nvread: fix input handling no nv index.
* Update to version 5.6
* tpm2_eventlog:
* add H-CRTM event support
* add support of efivar versions less than 38
* Add support to check for efivar/efivar.h manually
* Minor formatting fixes
* tpm2_eventlog: add support for replay with different StartupLocality
* Fix pcr extension for EV_NO_ACTION
* Extend test of yaml string representation
* Use helper for printing a string dump
* Fix upper bound on unique data size
* Fix YAML string formatting
* tpm2_policy:
* Add support for parsing forward seal TPM values
* Use forward seal values in creating policies
* Move dgst_size in evaluate_populate_pcr_digests()
* Allow more than 8 PCRs for sealing
* Move dgst_size in evaluate_populate_pcr_digests
* Allow more than 8 PCRs for sealing
* Make __wrap_Esys_PCR_Read() more dynamic to enable testing more PCRs
* tpm2_encryptdecrypt: Fix pkcs7 padding stripping
* tpm2_duplicate:
* Support -a option for attributes
* Add --key-algorithm option
* tpm2_encodeobject: Use the correct -O option instead of -C
* tpm2_unseal: Add qualifier static to enhance the privacy of unseal function
* tpm2_sign:
* Remove -m option which was added mistakenly
* Revert sm2 sign and verifysignature
* tpm2_createek:
* Correct man page example
* Fix usage of nonce
* Fix integrating nonce
* tpm2_clear: add more details about the action
* tpm2_startauthsession: allow the file attribute for policy authorization.
* tpm2_getekcertificate: Add AMD EK support
* tpm2_ecdhzgen: Add public-key parameter
* tpm2_nvreadpublic: Prevent free of unallocated pointers on failure
* Bug-fixes:
* The readthedocs build failed with module 'jinja2' has no attribute 'contextfilter' a requirement file was added to fix this problem
* An error caused by the flags -flto -_FORTIFY_SOURCE=3 in kdfa implementation. This error can be avoided by switching off the optimization with pragma
* Changed wrong function name of "Esys_Load" to "Esys_Load"
* Function names beginning with Esys_ are wrongly written as Eys_
* Reading and writing a serialized persistent ESYS_TR handles
* cirrus-ci update image-family to freebsd-13-2 from 13-1
* misc:
* Change the default Python version to Python3 in the helper's code
* Skip test which uses the sign operator for comparison in abrmd_policynv.sh
* tools/tr_encode: Add a tool that can encode serialized ESYS_TR for persistent handles from the TPM2B_PUBLIC and the raw persistent TPM2_HANDLE
* Add safe directory in config
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Micro 6.0
zypper in -t patch SUSE-SLE-Micro-6.0-250=1
## Package List:
* SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
* tpm2.0-tools-5.7-1.1
* libtss2-tcti-device0-4.1.0-1.1
* libtss2-rc0-debuginfo-4.1.0-1.1
* tpm2-0-tss-4.1.0-1.1
* libtss2-sys1-debuginfo-4.1.0-1.1
* tpm2-0-tss-debugsource-4.1.0-1.1
* libtss2-tcti-spi-helper0-4.1.0-1.1
* efivar-debugsource-38-3.1
* libtss2-tcti-device0-debuginfo-4.1.0-1.1
* tpm2.0-tools-debugsource-5.7-1.1
* libtss2-mu0-4.1.0-1.1
* libtss2-fapi1-4.1.0-1.1
* libtss2-fapi-common-4.1.0-1.1
* libtss2-fapi1-debuginfo-4.1.0-1.1
* libtss2-tctildr0-4.1.0-1.1
* libtss2-tcti-spidev0-debuginfo-4.1.0-1.1
* libefivar1-38-3.1
* libtss2-rc0-4.1.0-1.1
* libtss2-tcti-spi-helper0-debuginfo-4.1.0-1.1
* libtss2-esys0-4.1.0-1.1
* libefivar1-debuginfo-38-3.1
* tpm2.0-tools-debuginfo-5.7-1.1
* libtss2-tctildr0-debuginfo-4.1.0-1.1
* libtss2-sys1-4.1.0-1.1
* libtss2-tcti-spidev0-4.1.0-1.1
* libtss2-esys0-debuginfo-4.1.0-1.1
* libtss2-mu0-debuginfo-4.1.0-1.1
## References:
* https://www.suse.com/security/cve/CVE-2024-29038.html
* https://www.suse.com/security/cve/CVE-2024-29039.html
* https://www.suse.com/security/cve/CVE-2024-29040.html
* https://bugzilla.suse.com/show_bug.cgi?id=1223687
* https://bugzilla.suse.com/show_bug.cgi?id=1223689
* https://bugzilla.suse.com/show_bug.cgi?id=1223690
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-security-updates/attachments/20250604/b685da12/attachment.htm>
More information about the sle-security-updates
mailing list