CVE-2024-29039

tpm2 is the source repository for the Trusted Platform Module (TPM2.0) tools. This vulnerability allows attackers to manipulate tpm2checkquote outputs by altering the TPMLPCR_SELECTION in the PCR input file. As a result, digest values are incorrectly mapped to PCR slots and banks, providing a misleading picture of the TPM state. This issue has been patched in version 5.7.

References

Affected packages

Debian:11 / tpm2-tools

Package

Name: tpm2-tools
Purl: pkg:deb/debian/tpm2-tools?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.0-2

5.2-1

5.3-1

5.4-1

5.6-1

5.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / tpm2-tools

Package

Name: tpm2-tools
Purl: pkg:deb/debian/tpm2-tools?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.4-1

5.6-1

5.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / tpm2-tools

Package

Name: tpm2-tools
Purl: pkg:deb/debian/tpm2-tools?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.7-1

Affected versions

5.*

5.4-1

5.6-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}