Bug 1194004 - (CVE-2022-23951) VUL-0: CVE-2022-23951: keylime: Get Quote Response Contains Possibly Untrusted ZIP Data
Classification: Novell Products
Product: SUSE Security Incidents
Component: Audits
: P3 - Medium : Normal
Assigned To: Security Team bot
Blocks: 1191739
Reported: 2021-12-22 11:12 UTC by Matthias Gerstner
Modified: 2022-02-18 09:53 UTC (History)
Description Matthias Gerstner 2021-12-22 11:12:13 UTC
This bug is to keep track of keylime review report item 4.b:

 ### b) Get Quote Response Contains Possibly Untrusted ZIP Data
 The verifier process periodically performs quote operations on registered
 agents. As part of this `process_quote_response()` is called and furthermore
 `check_quote()` and finally `_tpm2_checkquote()`. In `tpm_main.py:1018` a
 couple of ZIP data streams are uncompressed via `zlib.decompress()`.
 Since this is processing possibly untrusted data - the verifier is attempting
 to verify the current trust status of the node after all - it needs to be
 assumed that malicious data can also be supplied here.
 Therefore the question arises whether `zlib.decompress()` is robust against
 processing invalid ZIP data streams. One thing I already found out is that it
 is not robust against delivering ZIP bombs that will cause a memory exhaustion
 in the verifier process.
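
The memory exhaustion described in the report follows from one-shot `zlib.decompress()` placing no limit on its output size. The following is an added example, not keylime's code and not the upstream fix: a helper that inflates incrementally with `max_length` and rejects any stream that expands past a cap. The names `bounded_decompress`, `DecompressionLimitExceeded`, `MAX_DECOMPRESSED` and the 1 MiB cap are assumptions chosen for illustration.

```python
import zlib

# Assumed cap for this example; choose it from the largest legitimate payload.
MAX_DECOMPRESSED = 1024 * 1024
CHUNK = 64 * 1024


class DecompressionLimitExceeded(ValueError):
    """The stream would expand beyond the configured cap."""


def bounded_decompress(data: bytes, limit: int = MAX_DECOMPRESSED) -> bytes:
    """Inflate a zlib stream, never buffering more than limit + 1 bytes.

    Raises zlib.error for malformed input, ValueError for a truncated
    stream or trailing bytes, DecompressionLimitExceeded for oversized output.
    """
    inflater = zlib.decompressobj()
    out = bytearray()
    buf = data
    while not inflater.eof:
        # max_length bounds the output of this call; it must stay >= 1
        # because 0 means "unlimited". Asking for one byte more than the
        # remaining budget lets us detect an overrun without allocating it.
        budget = min(CHUNK, limit - len(out) + 1)
        chunk = inflater.decompress(buf, budget)
        out += chunk
        if len(out) > limit:
            raise DecompressionLimitExceeded(f"output exceeds {limit} bytes")
        # Input not consumed because the output budget was hit.
        buf = inflater.unconsumed_tail
        if not chunk and not buf:
            break  # input exhausted before the end-of-stream marker
    if not inflater.eof:
        raise ValueError("truncated zlib stream")
    if inflater.unused_data:
        raise ValueError("trailing bytes after zlib stream")
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: 16 MiB of zeros compresses to a few KiB.
    blob = zlib.compress(b"\0" * (16 * 1024 * 1024))
    try:
        bounded_decompress(blob)
    except DecompressionLimitExceeded as exc:
        print(f"rejected {len(blob)}-byte input: {exc}")
```
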
Comment 1 Matthias Gerstner 2022-01-26 09:32:53 UTC
The issue has been confirmed by upstream and has been assigned CVE-2022-23951.
Comment 3 Matthias Gerstner 2022-01-28 09:35:15 UTC
The issue is public now via the following security advisory:

Comment 4 Gianluca Gabrielli 2022-02-18 09:53:07 UTC
Fixed in version 6.3.0 and both SLE-15-SP4 and Factory are updated.