Bugzilla – Bug 1183729
VUL-0: CVE-2021-3446: libtpms: return of wrong initialization vector when certain symmetric ciphers are used
Last modified: 2021-03-23 01:55:14 UTC
rh#1939664 The commonly used integration of libtpms with OpenSSL contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the caller. The fix for this required the copying of the last-used IV from OpenSSL so it can be return back to the caller and used in subsequent encryption and decryption steps. The side-effect of the fix is that previously chain-encrypted data will not be decryptable anymore with the TPM 2. Reference and upstream patch: https://github.com/stefanberger/libtpms/commit/32c159ab53db703749a8f90430cdc7b20b00975e References: https://bugzilla.redhat.com/show_bug.cgi?id=1939664 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3446 https://access.redhat.com/security/cve/CVE-2021-3446
tracking as affected: - SUSE:SLE-15-SP3:Update/libtpms
Fix submitted.
This is an autogenerated message for OBS integration: This bug (1183729) was mentioned in https://build.opensuse.org/request/show/880046 Factory / libtpms