Your message dated Fri, 11 Jul 2025 10:22:00 +0000
with message-id <[email protected]>
and subject line Bug#1109075: fixed in optee-os 4.5.0-2
has caused the Debian Bug report #1109075,
regarding optee-os: CVE-2025-46733
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1109075: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109075
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: optee-os
Version: 4.5.0-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for optee-os.
CVE-2025-46733[0]:
| OP-TEE is a Trusted Execution Environment (TEE) designed as
| companion to a non-secure Linux kernel running on Arm Cortex-A
| cores using the TrustZone technology. In version 4.5.0, using a
| specially crafted tee-supplicant binary running in REE userspace, an
| attacker can trigger a panic in a TA that uses the libutee Secure
| Storage API. Many functions in libutee, specifically those which
| make up the Secure Storage API, will panic if a system call returns
| an unexpected return code. This behavior is mandated by the TEE
| Internal Core API specification. However, in OP-TEE’s
| implementation, return codes of secure storage operations are passed
| through unsanitized from the REE tee-supplicant, through the Linux
| kernel tee-driver, through the OP-TEE kernel, back to libutee. Thus,
| an attacker with access to REE userspace, and the ability to stop
| tee-supplicant and replace it with their own process (generally
| trivial for a root user, and depending on the way permissions are
| set up, potentially available even to less privileged users) can run
| a malicious tee-supplicant process that responds to storage requests
| with unexpected response codes, triggering a panic in the requesting
| TA. This is particularly dangerous for TAs built with
| `TA_FLAG_SINGLE_INSTANCE` (corresponding to `gpd.ta.singleInstance`)
| and `TA_FLAG_INSTANCE_KEEP_ALIVE` (corresponding to
| `gpd.ta.keepAlive`). The behavior of these TAs may depend on memory
| that is preserved between sessions, and the ability of an attacker
| to panic the TA and reload it with a clean memory space can
| compromise the behavior of those TAs. A critical example of this is
| the optee_ftpm TA. It uses the kept alive memory to hold PCR values,
| which crucially must be non-resettable. An attacker who can trigger
| a panic in the fTPM TA can reset the PCRs, and then extend the PCRs
| with whatever they choose, falsifying boot measurements, accessing
| sealed data, and potentially more. The impact of this issue depends
| significantly on the behavior of affected TAs. For some, it could
| manifest as a denial of service, while for others, like the fTPM TA,
| it can result in the disclosure of sensitive data. Anyone running
| the fTPM TA is affected, but similar attacks may be possible on
| other TAs that leverage the Secure Storage API. A fix is available
| in commit 941a58d78c99c4754fbd4ec3079ec9e1d596af8f.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-46733
https://www.cve.org/CVERecord?id=CVE-2025-46733
[1] https://github.com/OP-TEE/optee_os/security/advisories/GHSA-f35r-hm2m-p6c3
[2] https://github.com/OP-TEE/optee_os/commit/941a58d78c99c4754fbd4ec3079ec9e1d596af8f
Regards,
Salvatore
--- End Message ---
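The trust-boundary problem described in the report above, as an added model that is not part of the original messages and is not the upstream patch: a keep-alive TA loses its in-memory PCR state when an unexpected storage return code reaches it, and keeps it when the code is sanitized at the secure-world boundary. The `struct ta` model, the helper names, the set of expected codes and the fallback code are assumptions for illustration; the `TEE_*` values are the GlobalPlatform constants.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define TEE_SUCCESS                     0x00000000u
#define TEE_ERROR_CORRUPT_OBJECT        0xF0100001u
#define TEE_ERROR_STORAGE_NOT_AVAILABLE 0xF0100003u
#define TEE_ERROR_ITEM_NOT_FOUND        0xFFFF0008u
#define TEE_ERROR_OUT_OF_MEMORY         0xFFFF000Cu

/* Constructed model of a keep-alive TA: state survives sessions, not a panic. */
struct ta { uint8_t pcr[4]; unsigned panics; };

/* Codes the modelled storage call may report to the TA without panicking. */
static bool expected(uint32_t r)
{
    switch (r) {
    case TEE_SUCCESS: case TEE_ERROR_ITEM_NOT_FOUND: case TEE_ERROR_OUT_OF_MEMORY:
    case TEE_ERROR_CORRUPT_OBJECT: case TEE_ERROR_STORAGE_NOT_AVAILABLE:
        return true;
    default:
        return false;
    }
}

/* Hypothetical boundary check: REE-supplied codes outside the expected set
 * are replaced by a storage error (the fallback choice is an assumption). */
uint32_t sanitize_ree_result(uint32_t r)
{
    return expected(r) ? r : TEE_ERROR_STORAGE_NOT_AVAILABLE;
}

/* Modelled storage call: an unexpected code panics the TA, and the reloaded
 * instance starts from zeroed memory. */
uint32_t ta_storage_call(struct ta *t, uint32_t ree_result, bool sanitize)
{
    uint32_t r = sanitize ? sanitize_ree_result(ree_result) : ree_result;

    if (!expected(r)) {
        memset(t->pcr, 0, sizeof(t->pcr));
        t->panics++;
    }
    return r;
}

/* One storage call against a TA holding a non-zero PCR; true if it survived. */
bool pcr_survives(uint32_t ree_result, bool sanitize)
{
    struct ta t = { .pcr = { 0xaa, 0xbb, 0xcc, 0xdd }, .panics = 0 };

    ta_storage_call(&t, ree_result, sanitize);
    return t.pcr[0] == 0xaa && t.panics == 0;
}
```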
--- Begin Message ---
Source: optee-os
Source-Version: 4.5.0-2
Done: Dylan Aïssi <[email protected]>
We believe that the bug you reported is fixed in the latest version of
optee-os, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dylan Aïssi <[email protected]> (supplier of updated optee-os package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 11 Jul 2025 11:44:01 +0200
Source: optee-os
Built-For-Profiles: nocheck cross
Architecture: source
Version: 4.5.0-2
Distribution: unstable
Urgency: medium
Maintainer: Dylan Aïssi <[email protected]>
Changed-By: Dylan Aïssi <[email protected]>
Closes: 1109075
Changes:
optee-os (4.5.0-2) unstable; urgency=medium
.
* Cherry-pick upstream patch fixing CVE-2025-46733 (Closes: #1109075)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---