CVE-2021-3505 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	Yes
Type	Private key recovery
Description	A security issue was found in libtpms before version 0.8.0. The TPM 2 implementation returns 2048 bit keys with ~1984 bit strength due to a bug in the TCG specification. The bug is in the key creation algorithm in RsaAdjustPrimeCandidate(), which is called before the prime number check. Upgrading to a fixed release (0.8.0+) is not sufficient. The only way to fix it is to unseal all data, delete the old TPM state file, generate a new one, then reseal the data.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1832	libtpms	0.7.5-1	0.8.0-1	Medium	Fixed

References
https://bugzilla.redhat.com/show_bug.cgi?id=1950046 https://github.com/stefanberger/libtpms/issues/183 https://github.com/stefanberger/libtpms/commit/625171be0c8225824740b5d0fb7e8562f6a1c6a8 https://github.com/stefanberger/libtpms/commit/c1f7bf55099fcd427715aa65e130475c6e836a6b

References

https://bugzilla.redhat.com/show_bug.cgi?id=1950046
https://github.com/stefanberger/libtpms/issues/183
https://github.com/stefanberger/libtpms/commit/625171be0c8225824740b5d0fb7e8562f6a1c6a8
https://github.com/stefanberger/libtpms/commit/c1f7bf55099fcd427715aa65e130475c6e836a6b