Your message dated Wed, 06 May 2026 07:49:50 +0000
with message-id <[email protected]>
and subject line Bug#1135621: fixed in optee-os 4.10.0-1
has caused the Debian Bug report #1135621,
regarding optee-os: CVE-2026-33317
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1135621: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135621
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: optee-os
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerability was published for optee-os.

CVE-2026-33317[0]:
| OP-TEE is a Trusted Execution Environment (TEE) designed as
| companion to a non-secure Linux kernel running on Arm Cortex-A
| cores using the TrustZone technology. In versions 3.13.0 through
| 4.10.0, missing checks in `entry_get_attribute_value()` in
| `ta/pkcs11/src/object.c` can lead to out-of-bounds read from the
| PKCS#11 TA heap or a crash. When chained with the OOB read, the
| PKCS#11 TA function `PKCS11_CMD_GET_ATTRIBUTE_VALUE` or
| `entry_get_attribute_value()` can, with a bad template parameter, be
| tricked into reading at most 7 bytes beyond the end of the template
| buffer and writing beyond the end of the template buffer with the
| content of an attribute value of a PKCS#11 object. Commits
| e031c4e562023fd9f199e39fd2e85797e4cbdca9,
| 16926d5a46934c46e6656246b4fc18385a246900, and
| 149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca contain patches and are
| anticipated to be part of version 4.11.0.

https://github.com/OP-TEE/optee_os/security/advisories/GHSA-8cqw-mg7v-c9p9
Fixed by: https://github.com/OP-TEE/optee_os/commit/149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca (master)
Fixed by: https://github.com/OP-TEE/optee_os/commit/16926d5a46934c46e6656246b4fc18385a246900 (master)
Fixed by: https://github.com/OP-TEE/optee_os/commit/e031c4e562023fd9f199e39fd2e85797e4cbdca9 (master)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33317
    https://www.cve.org/CVERecord?id=CVE-2026-33317

Please adjust the affected versions in the BTS as needed.

--- End Message ---
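
The kind of bounds checks the CVE text above describes as missing, shown on a simplified template walker. This is an added example, not OP-TEE code or the upstream patches; the 8-byte `attr_head` layout, `fill_template()` and the `WALK_*` codes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (not OP-TEE's definitions): 8-byte header, then `size` value bytes. */
struct attr_head { uint32_t id; uint32_t size; };
enum { WALK_OK = 0, WALK_BAD_TEMPLATE = -1, WALK_BUF_TOO_SMALL = -2 };

/* Copy val into the value area of every entry of a caller-supplied template. */
static int fill_template(uint8_t *tmpl, size_t tmpl_len,
                         const uint8_t *val, uint32_t val_len)
{
    size_t off = 0;
    while (off < tmpl_len) {
        struct attr_head h;
        size_t left = tmpl_len - off;
        /* Check 1: the whole header is in bounds. Without it a short tail is
         * parsed as a header, up to 7 bytes past the end in this layout. */
        if (left < sizeof(h))
            return WALK_BAD_TEMPLATE;
        memcpy(&h, tmpl + off, sizeof(h));   /* no alignment assumption */
        left -= sizeof(h);
        /* Check 2: the declared size fits in the remainder; comparing
         * against `left` avoids an off + size addition that could wrap. */
        if (h.size > left)
            return WALK_BAD_TEMPLATE;
        /* Check 3: the stored value fits the declared area before writing. */
        if (val_len > h.size)
            return WALK_BUF_TOO_SMALL;
        memcpy(tmpl + off + sizeof(h), val, val_len);
        off += sizeof(h) + h.size;
    }
    return WALK_OK;
}

int main(void)
{
    uint8_t t[15] = { 0 };               /* constructed: one entry + 3 stray bytes */
    const uint8_t v[4] = { 1, 2, 3, 4 };
    struct attr_head h = { 0x11, 4 };
    memcpy(t, &h, sizeof(h));
    printf("%d %d\n", fill_template(t, 12, v, 4), fill_template(t, 15, v, 4));
    return 0;
}
```
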
--- Begin Message ---
Source: optee-os
Source-Version: 4.10.0-1
Done: Dylan Aïssi <[email protected]>

We believe that the bug you reported is fixed in the latest version of
optee-os, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dylan Aïssi <[email protected]> (supplier of updated optee-os package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 06 May 2026 09:03:54 +0200
Source: optee-os
Architecture: source
Version: 4.10.0-1
Distribution: unstable
Urgency: medium
Maintainer: Dylan Aïssi <[email protected]>
Changed-By: Dylan Aïssi <[email protected]>
Closes: 1134896 1135621
Changes:
 optee-os (4.10.0-1) unstable; urgency=medium
 .
   * New upstream version 4.10.0
   * Add upstream patch fixing CVE-2026-33662 (Closes: #1134896)
   * Add upstream patches fixing CVE-2026-33317 (Closes: #1135621)
   * salsa-ci: enable licenserecon job

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
