Your message dated Wed, 02 Jun 2021 06:10:46 +0000
with message-id <[email protected]>
and subject line unblock tpm2-tools
has caused the Debian Bug report #989366,
regarding unblock: tpm2-tools/5.0-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
989366: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989366
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected]


Please unblock package tpm2-tools

[ Reason ]

tpm2-tools has a CVE bug, CVE-2021-3565.

We fixed this issue by backporting the upstream patch.

The Debian bug is #989148


[ Impact ]
If the unblock is not granted, when users run the tpm2_import command there
might be some risk that the key will be stolen by a MITM attack.


[ Tests ]

We only run manual tests on computers with tpm2 external hardware.

The following commands were run and still work as expected.

 * tpm2_createprimary -Grsa2048:aes128cfb -C o -c parent.ctx
 * dd if=/dev/urandom of=sym.key bs=1 count=16
 * tpm2_import -C parent.ctx -G aes -i sym.key -u key.pub -r key.priv


The above commands are not suitable for autopkgtest because they require
tpm2 hardware.


[ Risks ]

This package is not a key package. It is a leaf package. No other
package depends on this.

These tpm2_* commands are for users who want to manually operate a tpm2
device.

The patch is quite trivial. Just don't use a fixed key; instead generate
it randomly.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

unblock tpm2-tools/5.0-2

diff -Nru tpm2-tools-5.0/debian/changelog tpm2-tools-5.0/debian/changelog
--- tpm2-tools-5.0/debian/changelog     2020-11-30 15:56:37.000000000 +0800
+++ tpm2-tools-5.0/debian/changelog     2021-06-02 04:00:26.000000000 +0800
@@ -1,3 +1,11 @@
+tpm2-tools (5.0-2) unstable; urgency=low
+
+  * Add debian/patches/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
+    - Fix CVE-2021-3565 (Closes: #989148)
+    - This patch fixes the fixed AES key issue in tpm2_import command
+
+ -- Ying-Chun Liu (PaulLiu) <[email protected]>  Wed, 02 Jun 2021 04:00:26 
+0800
+
 tpm2-tools (5.0-1) unstable; urgency=low
 
   * New upstream release.
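
Review bot: the new 5.0-2 stanza is uploaded with urgency=low although its only change is the CVE-2021-3565 fix. Urgency controls how long the package ages in unstable before it can migrate, so consider urgency=medium or high to match the intent of the unblock request. The entry otherwise names the patch file and closes #989148, which is what the release team needs to see.
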
diff -Nru 
tpm2-tools-5.0/debian/patches/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
 
tpm2-tools-5.0/debian/patches/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
--- 
tpm2-tools-5.0/debian/patches/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
        1970-01-01 08:00:00.000000000 +0800
+++ 
tpm2-tools-5.0/debian/patches/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
        2021-06-02 04:00:26.000000000 +0800
@@ -0,0 +1,44 @@
+From c069e4f179d5e6653a84fb236816c375dca82515 Mon Sep 17 00:00:00 2001
+From: William Roberts <[email protected]>
+Date: Fri, 21 May 2021 12:22:31 -0500
+Bug-Debian: https://bugs.debian.org/989148
+Subject: [PATCH] tpm2_import: fix fixed AES key CVE-2021-3565
+
+tpm2_import used a fixed AES key for the inner wrapper, which means that
+a MITM attack would be able to unwrap the imported key. Even the
+use of an encrypted session will not prevent this. The TPM only
+encrypts the first parameter which is the fixed symmetric key.
+
+To fix this, ensure the key size is 16 bytes or bigger and use
+OpenSSL to generate a secure random AES key.
+
+Fixes: #2738
+
+Signed-off-by: William Roberts <[email protected]>
+---
+ tools/tpm2_import.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+Index: tpm2-tools-5.0/tools/tpm2_import.c
+===================================================================
+--- tpm2-tools-5.0.orig/tools/tpm2_import.c
++++ tpm2-tools-5.0/tools/tpm2_import.c
+@@ -149,7 +149,17 @@ static tool_rc key_import(ESYS_CONTEXT *
+     TPM2B_DATA enc_sensitive_key = {
+         .size = 
parent_pub->publicArea.parameters.rsaDetail.symmetric.keyBits.sym / 8
+     };
+-    memset(enc_sensitive_key.buffer, 0xFF, enc_sensitive_key.size);
++
++    if(enc_sensitive_key.size < 16) {
++        LOG_ERR("Calculated wrapping keysize is less than 16 bytes, got: %u", 
enc_sensitive_key.size);
++        return tool_rc_general_error;
++    }
++
++    int ossl_rc = RAND_bytes(enc_sensitive_key.buffer, 
enc_sensitive_key.size);
++    if (ossl_rc != 1) {
++        LOG_ERR("RAND_bytes failed: %s", ERR_error_string(ERR_get_error(), 
NULL));
++        return tool_rc_general_error;
++    }
+ 
+     /*
+      * Calculate the object name.
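
Review bot: in the key_import() hunk, RAND_bytes() writes enc_sensitive_key.size bytes into enc_sensitive_key.buffer, but only the lower bound (size < 16) is checked. The size comes from the parent's symmetric.keyBits.sym, so add an upper-bound check against sizeof(enc_sensitive_key.buffer) before the call. The diffstat's 11 insertions are all accounted for by this hunk, so no #include lines are added; confirm that tools/tpm2_import.c already includes <openssl/rand.h> and <openssl/err.h> for RAND_bytes, ERR_get_error and ERR_error_string. Style: "if(enc_sensitive_key.size < 16)" is missing the space after "if" that "if (ossl_rc != 1)" a few lines later uses.
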
diff -Nru tpm2-tools-5.0/debian/patches/series 
tpm2-tools-5.0/debian/patches/series
--- tpm2-tools-5.0/debian/patches/series        2020-02-02 01:35:00.000000000 
+0800
+++ tpm2-tools-5.0/debian/patches/series        2021-06-01 18:48:27.000000000 
+0800
@@ -1 +1,2 @@
 0001_add_version_string.patch
+0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
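
Review bot: the added series entry reuses the 0001 prefix already taken by 0001_add_version_string.patch. Rename the new patch with a 0002 prefix (here and in debian/changelog) so the numeric prefix agrees with the apply order that the series file defines.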

Attachment: OpenPGP_signature
Description: OpenPGP digital signature


--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
