Security update for libtpms SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:2051-1 Final 1 1 2023-04-27T09:30:10Z current 2023-04-27T09:30:10Z 2023-04-27T09:30:10Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libtpms This update for libtpms fixes the following issues: - CVE-2023-1017: Fixed out-of-bounds write in CryptParameterDecryption (bsc#1206022). - CVE-2023-1018: Fixed out-of-bounds read in CryptParameterDecryption (bsc#1206023). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container suse/sles/15.5/virt-launcher:0.58.0-2023-2051,SUSE-2023-2051,SUSE-SLE-Micro-5.3-2023-2051,SUSE-SLE-Micro-5.4-2023-2051,SUSE-SLE-Module-Server-Applications-15-SP4-2023-2051,SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-2051,SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-2051,SUSE-SLE-Product-RT-15-SP3-2023-2051,SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-2051,SUSE-SLE-Product-SLES_SAP-15-SP3-2023-2051,SUSE-SLE-Product-SUSE-Manager-Proxy-4.2-2023-2051,SUSE-SLE-Product-SUSE-Manager-Server-4.2-2023-2051,SUSE-SUSE-MicroOS-5.1-2023-2051,SUSE-SUSE-MicroOS-5.2-2023-2051,SUSE-Storage-7.1-2023-2051,openSUSE-Leap-Micro-5.3-2023-2051,openSUSE-SLE-15.4-2023-2051 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20232051-1/ Link for SUSE-SU-2023:2051-1 https://lists.suse.com/pipermail/sle-updates/2023-April/029030.html E-Mail link for SUSE-SU-2023:2051-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1206022 SUSE Bug 1206022 https://bugzilla.suse.com/1206023 SUSE Bug 1206023 https://www.suse.com/security/cve/CVE-2023-1017/ SUSE CVE CVE-2023-1017 page https://www.suse.com/security/cve/CVE-2023-1018/ SUSE CVE CVE-2023-1018 page Container suse/sles/15.5/virt-launcher:0.58.0 SUSE Enterprise Storage 7.1 SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS SUSE Linux Enterprise Micro 5.1 SUSE Linux Enterprise Micro 5.2 SUSE Linux Enterprise Micro 5.3 SUSE Linux Enterprise Micro 5.4 SUSE Linux Enterprise Module for Server Applications 15 SP4 SUSE Linux Enterprise Real Time 15 SP3 SUSE Linux Enterprise Server 15 SP3-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Manager Proxy 4.2 SUSE Manager Server 4.2 openSUSE Leap 15.4 openSUSE Leap Micro 5.3 libtpms0-0.8.2-150300.3.9.1 libtpms-devel-0.8.2-150300.3.9.1 libtpms0-0.8.2-150300.3.9.1 as a component of Container suse/sles/15.5/virt-launcher:0.58.0 libtpms-devel-0.8.2-150300.3.9.1 as a component of SUSE Enterprise Storage 7.1 libtpms0-0.8.2-150300.3.9.1 as a component of SUSE Enterprise Storage 7.1 libtpms-devel-0.8.2-150300.3.9.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS libtpms0-0.8.2-150300.3.9.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS libtpms-devel-0.8.2-150300.3.9.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS libtpms0-0.8.2-150300.3.9.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS libtpms0-0.8.2-150300.3.9.1 as a component of SUSE Linux Enterprise Micro 5.1 libtpms0-0.8.2-150300.3.9.1 as a component of SUSE Linux Enterprise Micro 5.2 libtpms0-0.8.2-150300.3.9.1 as a component of SUSE Linux Enterprise Micro 5.3 libtpms0-0.8.2-150300.3.9.1 as a component of SUSE Linux Enterprise Micro 5.4 libtpms-devel-0.8.2-150300.3.9.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP4 libtpms0-0.8.2-150300.3.9.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP4 libtpms-devel-0.8.2-150300.3.9.1 as a component of SUSE Linux Enterprise Real Time 15 SP3 libtpms0-0.8.2-150300.3.9.1 as a component of SUSE Linux Enterprise Real Time 15 SP3 libtpms-devel-0.8.2-150300.3.9.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS libtpms0-0.8.2-150300.3.9.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS libtpms-devel-0.8.2-150300.3.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 libtpms0-0.8.2-150300.3.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 libtpms-devel-0.8.2-150300.3.9.1 as a component of SUSE Manager Proxy 4.2 libtpms0-0.8.2-150300.3.9.1 as a component of SUSE Manager Proxy 4.2 libtpms-devel-0.8.2-150300.3.9.1 as a component of SUSE Manager Server 4.2 libtpms0-0.8.2-150300.3.9.1 as a component of SUSE Manager Server 4.2 libtpms-devel-0.8.2-150300.3.9.1 as a component of openSUSE Leap 15.4 libtpms0-0.8.2-150300.3.9.1 as a component of openSUSE Leap 15.4 libtpms0-0.8.2-150300.3.9.1 as a component of openSUSE Leap Micro 5.3 An out-of-bounds write vulnerability exists in TPM2.0's Module Library allowing writing of a 2-byte data past the end of TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can lead to denial of service (crashing the TPM chip/process or rendering it unusable) and/or arbitrary code execution in the TPM context. CVE-2023-1017 Container suse/sles/15.5/virt-launcher:0.58.0:libtpms0-0.8.2-150300.3.9.1 SUSE Enterprise Storage 7.1:libtpms-devel-0.8.2-150300.3.9.1 SUSE Enterprise Storage 7.1:libtpms0-0.8.2-150300.3.9.1 SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:libtpms-devel-0.8.2-150300.3.9.1 SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:libtpms0-0.8.2-150300.3.9.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:libtpms-devel-0.8.2-150300.3.9.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:libtpms0-0.8.2-150300.3.9.1 SUSE Linux Enterprise Micro 5.1:libtpms0-0.8.2-150300.3.9.1 SUSE Linux Enterprise Micro 5.2:libtpms0-0.8.2-150300.3.9.1 SUSE Linux Enterprise Micro 5.3:libtpms0-0.8.2-150300.3.9.1 SUSE Linux Enterprise Micro 5.4:libtpms0-0.8.2-150300.3.9.1 SUSE Linux Enterprise Module for Server Applications 15 SP4:libtpms-devel-0.8.2-150300.3.9.1 SUSE Linux Enterprise Module for Server Applications 15 SP4:libtpms0-0.8.2-150300.3.9.1 SUSE Linux Enterprise Real Time 15 SP3:libtpms-devel-0.8.2-150300.3.9.1 SUSE Linux Enterprise Real Time 15 SP3:libtpms0-0.8.2-150300.3.9.1 SUSE Linux Enterprise Server 15 SP3-LTSS:libtpms-devel-0.8.2-150300.3.9.1 SUSE Linux Enterprise Server 15 SP3-LTSS:libtpms0-0.8.2-150300.3.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:libtpms-devel-0.8.2-150300.3.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:libtpms0-0.8.2-150300.3.9.1 SUSE Manager Proxy 4.2:libtpms-devel-0.8.2-150300.3.9.1 SUSE Manager Proxy 4.2:libtpms0-0.8.2-150300.3.9.1 SUSE Manager Server 4.2:libtpms-devel-0.8.2-150300.3.9.1 SUSE Manager Server 4.2:libtpms0-0.8.2-150300.3.9.1 openSUSE Leap 15.4:libtpms-devel-0.8.2-150300.3.9.1 openSUSE Leap 15.4:libtpms0-0.8.2-150300.3.9.1 openSUSE Leap Micro 5.3:libtpms0-0.8.2-150300.3.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232051-1/ https://www.suse.com/security/cve/CVE-2023-1017.html CVE-2023-1017 https://bugzilla.suse.com/1206022 SUSE Bug 1206022 An out-of-bounds read vulnerability exists in TPM2.0's Module Library allowing a 2-byte read past the end of a TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can read or access sensitive data stored in the TPM. CVE-2023-1018 Container suse/sles/15.5/virt-launcher:0.58.0:libtpms0-0.8.2-150300.3.9.1 SUSE Enterprise Storage 7.1:libtpms-devel-0.8.2-150300.3.9.1 SUSE Enterprise Storage 7.1:libtpms0-0.8.2-150300.3.9.1 SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:libtpms-devel-0.8.2-150300.3.9.1 SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:libtpms0-0.8.2-150300.3.9.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:libtpms-devel-0.8.2-150300.3.9.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:libtpms0-0.8.2-150300.3.9.1 SUSE Linux Enterprise Micro 5.1:libtpms0-0.8.2-150300.3.9.1 SUSE Linux Enterprise Micro 5.2:libtpms0-0.8.2-150300.3.9.1 SUSE Linux Enterprise Micro 5.3:libtpms0-0.8.2-150300.3.9.1 SUSE Linux Enterprise Micro 5.4:libtpms0-0.8.2-150300.3.9.1 SUSE Linux Enterprise Module for Server Applications 15 SP4:libtpms-devel-0.8.2-150300.3.9.1 SUSE Linux Enterprise Module for Server Applications 15 SP4:libtpms0-0.8.2-150300.3.9.1 SUSE Linux Enterprise Real Time 15 SP3:libtpms-devel-0.8.2-150300.3.9.1 SUSE Linux Enterprise Real Time 15 SP3:libtpms0-0.8.2-150300.3.9.1 SUSE Linux Enterprise Server 15 SP3-LTSS:libtpms-devel-0.8.2-150300.3.9.1 SUSE Linux Enterprise Server 15 SP3-LTSS:libtpms0-0.8.2-150300.3.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:libtpms-devel-0.8.2-150300.3.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:libtpms0-0.8.2-150300.3.9.1 SUSE Manager Proxy 4.2:libtpms-devel-0.8.2-150300.3.9.1 SUSE Manager Proxy 4.2:libtpms0-0.8.2-150300.3.9.1 SUSE Manager Server 4.2:libtpms-devel-0.8.2-150300.3.9.1 SUSE Manager Server 4.2:libtpms0-0.8.2-150300.3.9.1 openSUSE Leap 15.4:libtpms-devel-0.8.2-150300.3.9.1 openSUSE Leap 15.4:libtpms0-0.8.2-150300.3.9.1 openSUSE Leap Micro 5.3:libtpms0-0.8.2-150300.3.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232051-1/ https://www.suse.com/security/cve/CVE-2023-1018.html CVE-2023-1018 https://bugzilla.suse.com/1206023 SUSE Bug 1206023