Advisories ยป MGASA-2023-0102

Updated libtpms packages fix security vulnerability

Publication date: 18 Mar 2023
Modification date: 18 Mar 2023
Type: security
Affected Mageia releases : 8
CVE: CVE-2023-1017 , CVE-2023-1018

Description

An out-of-bounds write vulnerability exists in TPM2.0's Module Library
allowing writing of a 2-byte data past the end of TPM2.0 command in the
CryptParameterDecryption routine. An attacker who can successfully exploit
this vulnerability can lead to denial of service (crashing the TPM
chip/process or rendering it unusable) and/or arbitrary code execution in
the TPM context. (CVE-2023-1017)
An out-of-bounds read vulnerability exists in TPM2.0's Module Library
allowing a 2-byte read past the end of a TPM2.0 command in the
CryptParameterDecryption routine. An attacker who can successfully exploit
this vulnerability can read or access sensitive data stored in the TPM.
(CVE-2023-1018)
                

References

SRPMS

8/core