Merge ~federicoquattrin/ubuntu-cve-tracker:assign_tpm2-tss_CVEs_to_federicoquattrin into ubuntu-cve-tracker:master

Proposed by Federico Quattrin
Status: Merged
Merged at revision: 7f1e593ddaa7ff7408e346b396abdbd5611b7e53
Proposed branch: ~federicoquattrin/ubuntu-cve-tracker:assign_tpm2-tss_CVEs_to_federicoquattrin
Merge into: ubuntu-cve-tracker:master
Diff against target: 37 lines (+6/-3)
2 files modified
active/CVE-2023-22745 (+1/-1)
active/CVE-2024-29040 (+5/-2)
Reviewer: Rodrigo Figueiredo Zaiden (Status: Approve)
Review via email: mp+466242@code.launchpad.net

Commit message

assign CVE-2023-22745 and CVE-2024-29040 to federicoquattrin

Description of the change

assign CVE-2023-22745 and CVE-2024-29040 to federicoquattrin

Rodrigo Figueiredo Zaiden (rodrigo-zaiden) wrote :

LGTM. merging

review: Approve

Preview Diff

1diff --git a/active/CVE-2023-22745 b/active/CVE-2023-22745
2index 08b6265..23f9166 100644
3--- a/active/CVE-2023-22745
4+++ b/active/CVE-2023-22745
5@@ -24,7 +24,7 @@ Mitigation:
6 Bugs:
7 Priority: low
8 Discovered-by:
9-Assigned-to:
10+Assigned-to: federicoquattrin
11 CVSS:
12 nvd: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H [6.4 MEDIUM]
13
14diff --git a/active/CVE-2024-29040 b/active/CVE-2024-29040
15index 8d2db34..242223a 100644
16--- a/active/CVE-2024-29040
17+++ b/active/CVE-2024-29040
18@@ -4,14 +4,17 @@ References:
19 https://www.cve.org/CVERecord?id=CVE-2024-29040
20 https://github.com/tpm2-software/tpm2-tss/commit/710cd0b6adf3a063f34a8e92da46df7a107d9a99 (4.1.0)
21 Description:
22- [Unknown description]
23+ After deserializing the quote info it was not checked whether
24+ the magic number in the attest is equal TPM2_GENERATED_VALUE.
25+ So an malicious attacker could generate arbitrary quote data
26+ which was not detected by Fapi_VerifyQuote.
27 Ubuntu-Description:
28 Notes:
29 Mitigation:
30 Bugs:
31 Priority: medium
32 Discovered-by:
33-Assigned-to:
34+Assigned-to: federicoquattrin
35 CVSS:
36
37 Patches_tpm2-tss:
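
Review bot: The new Description block in active/CVE-2024-29040 has two wording slips worth fixing before it propagates to published notices: "is equal TPM2_GENERATED_VALUE" should read "is equal to TPM2_GENERATED_VALUE", and "an malicious attacker" should read "a malicious attacker" (or simply "an attacker"). The commit message and merge description mention only the assignment, but this hunk also replaces "[Unknown description]" with real text, so the message should say that the description was filled in, which makes the change easier to find in history. The CVSS: field is still empty after this change, unlike the nvd: entry visible in active/CVE-2023-22745; if a score is available it could be added in the same update.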
