
Bug#989366: marked as done (unblock: tpm2-tools/5.0-2)



Your message dated Wed, 02 Jun 2021 06:10:46 +0000
with message-id <E1loK5W-0005B0-TM@respighi.debian.org>
and subject line unblock tpm2-tools
has caused the Debian Bug report #989366,
regarding unblock: tpm2-tools/5.0-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
989366: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989366
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: paulliu@debian.org


Please unblock package tpm2-tools

[ Reason ]

tpm2-tools has a CVE bug CVE-2021-3565.

We fixed this issue by backporting the upstream patch.

The Debian bug is #989148


[ Impact ]
If the unblock is not granted, when users run the tpm2_import command there
might be some risk that the key will be stolen by a MITM attack.


[ Tests ]

We only run manual tests on computers with tpm2 external hardware.

The following commands are run and still work as expected.

 * tpm2_createprimary -Grsa2048:aes128cfb -C o -c parent.ctx
 * dd if=/dev/urandom of=sym.key bs=1 count=16
 * tpm2_import -C parent.ctx -G aes -i sym.key -u key.pub -r key.priv


The above commands are not suitable for autopkgtest because they require
tpm2 hardware.


[ Risks ]

This package is not a key package. It is a leaf package. No other
package depends on this.

These tpm2_* commands are for users who want to manually operate a tpm2
device.

The patch is quite trivial. Just don't use a fixed key; instead generate
it randomly.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

unblock tpm2-tools/5.0-2

diff -Nru tpm2-tools-5.0/debian/changelog tpm2-tools-5.0/debian/changelog
--- tpm2-tools-5.0/debian/changelog	2020-11-30 15:56:37.000000000 +0800
+++ tpm2-tools-5.0/debian/changelog	2021-06-02 04:00:26.000000000 +0800
@@ -1,3 +1,11 @@
+tpm2-tools (5.0-2) unstable; urgency=low
+
+  * Add debian/patches/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
+    - Fix CVE-2021-3565 (Closes: #989148)
+    - This patch fixes the fixed AES key issue in tpm2_import command
+
+ -- Ying-Chun Liu (PaulLiu) <paulliu@debian.org>  Wed, 02 Jun 2021 04:00:26 +0800
+
 tpm2-tools (5.0-1) unstable; urgency=low
 
   * New upstream release.
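Review bot: the new 5.0-2 entry is marked urgency=low although its only change closes a CVE (CVE-2021-3565, #989148). Consider urgency=medium or high so the upload is treated as a security fix, and consider saying in the entry that the fixed key is replaced by a randomly generated one, so the changelog alone tells a reader what changed in tpm2_import.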
diff -Nru tpm2-tools-5.0/debian/patches/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch tpm2-tools-5.0/debian/patches/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
--- tpm2-tools-5.0/debian/patches/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch	1970-01-01 08:00:00.000000000 +0800
+++ tpm2-tools-5.0/debian/patches/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch	2021-06-02 04:00:26.000000000 +0800
@@ -0,0 +1,44 @@
+From c069e4f179d5e6653a84fb236816c375dca82515 Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Fri, 21 May 2021 12:22:31 -0500
+Bug-Debian: https://bugs.debian.org/989148
+Subject: [PATCH] tpm2_import: fix fixed AES key CVE-2021-3565
+
+tpm2_import used a fixed AES key for the inner wrapper, which means that
+a MITM attack would be able to unwrap the imported key. Even the
+use of an encrypted session will not prevent this. The TPM only
+encrypts the first parameter which is the fixed symmetric key.
+
+To fix this, ensure the key size is 16 bytes or bigger and use
+OpenSSL to generate a secure random AES key.
+
+Fixes: #2738
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+---
+ tools/tpm2_import.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+Index: tpm2-tools-5.0/tools/tpm2_import.c
+===================================================================
+--- tpm2-tools-5.0.orig/tools/tpm2_import.c
++++ tpm2-tools-5.0/tools/tpm2_import.c
+@@ -149,7 +149,17 @@ static tool_rc key_import(ESYS_CONTEXT *
+     TPM2B_DATA enc_sensitive_key = {
+         .size = parent_pub->publicArea.parameters.rsaDetail.symmetric.keyBits.sym / 8
+     };
+-    memset(enc_sensitive_key.buffer, 0xFF, enc_sensitive_key.size);
++
++    if(enc_sensitive_key.size < 16) {
++        LOG_ERR("Calculated wrapping keysize is less than 16 bytes, got: %u", enc_sensitive_key.size);
++        return tool_rc_general_error;
++    }
++
++    int ossl_rc = RAND_bytes(enc_sensitive_key.buffer, enc_sensitive_key.size);
++    if (ossl_rc != 1) {
++        LOG_ERR("RAND_bytes failed: %s", ERR_error_string(ERR_get_error(), NULL));
++        return tool_rc_general_error;
++    }
+ 
+     /*
+      * Calculate the object name.
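Review bot: none of the 11 added lines in the tools/tpm2_import.c hunk is an #include, yet the new code calls RAND_bytes, ERR_error_string and ERR_get_error. Please confirm that the 5.0 version of the file already pulls in the OpenSSL rand and err headers, otherwise the backport relies on implicit declarations. A smaller style point in the same hunk: "if(enc_sensitive_key.size < 16)" lacks the space used in "if (ossl_rc != 1)" a few lines below. The size check also turns a parent whose symmetric keyBits is below 128 into a hard error where the import previously proceeded, which deserves a line in the changelog.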
diff -Nru tpm2-tools-5.0/debian/patches/series tpm2-tools-5.0/debian/patches/series
--- tpm2-tools-5.0/debian/patches/series	2020-02-02 01:35:00.000000000 +0800
+++ tpm2-tools-5.0/debian/patches/series	2021-06-01 18:48:27.000000000 +0800
@@ -1 +1,2 @@
 0001_add_version_string.patch
+0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
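Review bot: the series file now lists two patches with the same 0001 prefix (0001_add_version_string.patch and 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch). Renaming the new one with a 0002 prefix, here and in debian/changelog, would keep the numbering consistent with the apply order.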


--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---