- Package: src:optee-os
- Source: src:optee-os
- Submitter: Moritz Mühlenhoff
- Date: 2026-05-06 07:51:02 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerability was published for optee-os.

CVE-2026-33317[0]:
| OP-TEE is a Trusted Execution Environment (TEE) designed as
| companion to a non-secure Linux kernel running on Arm; Cortex-A
| cores using the TrustZone technology. In versions 3.13.0 through
| 4.10.0, missing checks in `entry_get_attribute_value()` in
| `ta/pkcs11/src/object.c` can lead to out-of-bounds read from the
| PKCS#11 TA heap or a crash. When chained with the OOB read, the
| PKCS#11 TA function `PKCS11_CMD_GET_ATTRIBUTE_VALUE` or
| `entry_get_attribute_value()` can, with a bad template parameter, be
| tricked into reading at most 7 bytes beyond the end of the template
| buffer and writing beyond the end of the template buffer with the
| content of an attribute value of a PKCS#11 object. Commits
| e031c4e562023fd9f199e39fd2e85797e4cbdca9,
| 16926d5a46934c46e6656246b4fc18385a246900, and
| 149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca contain patches and are
| anticipated to be part of version 4.11.0.

https://github.com/OP-TEE/optee_os/security/advisories/GHSA-8cqw-mg7v-c9p9

Fixed by: https://github.com/OP-TEE/optee_os/commit/149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca (master)
Fixed by: https://github.com/OP-TEE/optee_os/commit/16926d5a46934c46e6656246b4fc18385a246900 (master)
Fixed by: https://github.com/OP-TEE/optee_os/commit/e031c4e562023fd9f199e39fd2e85797e4cbdca9 (master)

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33317
    https://www.cve.org/CVERecord?id=CVE-2026-33317

Please adjust the affected versions in the BTS as needed.
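The kind of bounds checking the advisory reports as missing, as an added example that is not part of the report, of OP-TEE, or of the upstream patches: a template walker that validates every entry header and value area against the buffer length before touching it, plus a store routine that refuses to write a value that does not fit. The entry layout (8-byte header of 32-bit id and 32-bit size, followed by the value) and the names `attr_head`, `template_check` and `value_store` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed entry layout: 32-bit id, 32-bit value size, then the value. */
struct attr_head { uint32_t id; uint32_t size; };
enum tmpl_status { TMPL_OK, TMPL_TRUNCATED_HEAD, TMPL_TRUNCATED_VALUE };

/* Confirm every header and value area lies inside buf[0..len). */
enum tmpl_status template_check(const uint8_t *buf, size_t len, size_t *count)
{
	size_t off = 0, n = 0;
	while (off < len) {
		struct attr_head head;
		/* 1..7 leftover bytes must never be read as a header. */
		if (len - off < sizeof(head))
			return TMPL_TRUNCATED_HEAD;
		memcpy(&head, buf + off, sizeof(head));
		off += sizeof(head);
		/* Compare with the remainder so the check cannot overflow. */
		if (head.size > len - off)
			return TMPL_TRUNCATED_VALUE;
		off += head.size;
		n++;
	}
	*count = n;
	return TMPL_OK;
}

/* Write an attribute value into an entry only if it fits; else write nothing. */
int value_store(uint8_t *dst, size_t cap, const void *val, size_t val_len)
{
	if (val_len > cap)
		return -1;
	memcpy(dst, val, val_len);
	return 0;
}

int main(void)
{
	/* Constructed sample: one entry (id 0x11, 4 value bytes) + 1 stray byte. */
	uint8_t buf[13] = { 0 };
	struct attr_head h = { 0x11, 4 };
	size_t n = 0;
	memcpy(buf, &h, sizeof(h));
	printf("exact=%d stray=%d\n", template_check(buf, 12, &n),
	       template_check(buf, 13, &n));
	return 0;
}
```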
Hello,

Bug #1135621 in optee-os reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/optee-os/-/commit/6f6f22f6669733fbd0bdb7a3d2846372ee10ec2c

Signed-off-by: Dylan Aïssi <dylan.aissi@collabora.com>

------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1135621
We believe that the bug you reported is fixed in the latest version of optee-os, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1135621@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dylan Aïssi <daissi@debian.org> (supplier of updated optee-os package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Wed, 06 May 2026 09:03:54 +0200
Source: optee-os
Architecture: source
Version: 4.10.0-1
Distribution: unstable
Urgency: medium
Maintainer: Dylan Aïssi <daissi@debian.org>
Changed-By: Dylan Aïssi <daissi@debian.org>
Closes: 1134896 1135621
Changes:
 optee-os (4.10.0-1) unstable; urgency=medium
 .
   * New upstream version 4.10.0
   * Add upstream patch fixing CVE-2026-33662 (Closes: #1134896)
   * Add upstream patches fixing CVE-2026-33317 (Closes: #1135621)
   * salsa-ci: enable licenserecon job