CVE-2021-3446

NameCVE-2021-3446
DescriptionA flaw was found in libtpms in versions before 0.8.2. The commonly used integration of libtpms with OpenSSL contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the caller, thus weakening the subsequent encryption and decryption steps. The highest threat from this vulnerability is to data confidentiality.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitylow
Debian Bugs986799

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libtpms (PTS)sid0.8.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libtpmssource(unstable)0.8.2-1986799

Notes

https://github.com/stefanberger/libtpms/commit/32c159ab53db703749a8f90430cdc7b20b00975e

Search for package or bug name: Reporting problems