Bug 1183729 - (CVE-2021-3446) VUL-0: CVE-2021-3446: libtpms: return of wrong initialization vector when certain symmetric ciphers are used
VUL-0: CVE-2021-3446: libtpms: return of wrong initialization vector when cer...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2021-03-18 16:28 UTC by Robert Frohl
Modified: 2021-03-23 01:55 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Frohl 2021-03-18 16:28:59 UTC

The commonly used integration of libtpms with OpenSSL contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the caller. The fix for this required the copying of the last-used IV from OpenSSL so it can be return back to the caller and used in subsequent encryption and decryption steps. The side-effect of the fix is that previously chain-encrypted data will not be decryptable anymore with the TPM 2.

Reference and upstream patch:

Comment 1 Robert Frohl 2021-03-18 16:29:39 UTC
tracking as affected:

- SUSE:SLE-15-SP3:Update/libtpms
Comment 5 Gary Ching-Pang Lin 2021-03-19 06:20:01 UTC
Fix submitted.
Comment 6 OBSbugzilla Bot 2021-03-19 08:20:08 UTC
This is an autogenerated message for OBS integration:
This bug (1183729) was mentioned in
https://build.opensuse.org/request/show/880046 Factory / libtpms