rpi-buildroot/package/tpm2-tss
Thomas Perale e5d7805ea7 package/tpm2-tss: security bump to v3.2.3
For more information about the release, see:
 - https://github.com/tpm2-software/tpm2-tss/releases/tag/3.2.3

Fixes the following vulnerability:

- CVE-2024-29040

The JSON Quote Info returned by Fapi_Quote has to be deserialized by
Fapi_VerifyQuote to the TPM Structure `TPMS_ATTEST`. For the field
`TPM2_GENERATED magic` of this structure any number can be used in the
JSON structure. The verifier can receive a state which does not
represent the actual, possibly malicious state of the device under test.
The malicious device might get access to data it shouldn't, or can use
services it shouldn't be able to.

For more information, see:
  - https://nvd.nist.gov/vuln/detail/cve-2024-29040
  - https://github.com/tpm2-software/tpm2-tss/security/advisories/GHSA-837m-jw3m-h9p6

(cherry picked from commit 04533b70e6)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
2025-11-15 17:41:06 +01:00