libtpms-devel-0.10.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:16306 Final 1 1 2025-07-03T00:00:00Z current 2025-07-03T00:00:00Z 2025-07-03T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libtpms-devel-0.10.1-1.1 on GA media These are all security issues fixed in the libtpms-devel-0.10.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-16306 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-49133/ SUSE CVE CVE-2025-49133 page openSUSE Tumbleweed libtpms-devel-0.10.1-1.1 libtpms0-0.10.1-1.1 libtpms-devel-0.10.1-1.1 as a component of openSUSE Tumbleweed libtpms0-0.10.1-1.1 as a component of openSUSE Tumbleweed Libtpms is a library that targets the integration of TPM functionality into hypervisors, primarily into Qemu. Libtpms, which is derived from the TPM 2.0 reference implementation code published by the Trusted Computing Group, is prone to a potential out of bounds (OOB) read vulnerability. The vulnerability occurs in the 'CryptHmacSign' function with an inconsistent pairing of the signKey and signScheme parameters, where the signKey is ALG_KEYEDHASH key and inScheme is an ECC or RSA scheme. The reported vulnerability is in the 'CryptHmacSign' function, which is defined in the "Part 4: Supporting Routines - Code" document, section "7.151 - /tpm/src/crypt/CryptUtil.c ". This vulnerability can be triggered from user-mode applications by sending malicious commands to a TPM 2.0/vTPM (swtpm) whose firmware is based on an affected TCG reference implementation. The effect on libtpms is that it will cause an abort due to the detection of the out-of-bounds access, thus for example making a vTPM (swtpm) unavailable to a VM. This vulnerability is fixed in 0.7.12, 0.8.10, 0.9.7, and 0.10.1. CVE-2025-49133 openSUSE Tumbleweed:libtpms-devel-0.10.1-1.1 openSUSE Tumbleweed:libtpms0-0.10.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-49133.html CVE-2025-49133 https://bugzilla.suse.com/1244528 SUSE Bug 1244528