#1138879 optee-os: CVE-2026-45614

Package:
src:optee-os
Source:
src:optee-os
Submitter:
Salvatore Bonaccorso
Date:
2026-06-23 16:37:04 UTC
Severity:
normal
Tags:
#1138879#5
Date:
2026-06-05 04:36:12 UTC
From:
To:
Hi,

The following vulnerability was published for optee-os.

CVE-2026-45614[0]:
| OP-TEE is a Trusted Execution Environment (TEE) designed as
| companion to a non-secure Linux kernel running on Arm Cortex-A
| cores using the TrustZone technology. Prior to version 4.11.0, on
| many of the ECDH shared secret paths, the public key isn't verified
| to be a point on the correct curve. By passing approximately 30-40
| crafted public keys to OP-TEE, the private key can be reconstructed
| by a normal world attacker. When calling TEE_DeriveKey the public
| key is provided with full X and Y values, but the (X, Y) point might
| not satisfy the `Y^2 == X^3 + aX + b mod P` math for the specific
| curve that is used. When those public keys aren't rejected, the
| attacker can select public keys such that each DeriveKey call will
| leak `d % r` where `d` is the private key and `r` comes from the
| relationship between the correct curve and the attacker selected
| curve. With enough leaked data the Chinese remainder theorem can be
| used to recover the full private key. Version 4.11.0 fixes the
| issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-45614
https://www.cve.org/CVERecord?id=CVE-2026-45614
[1] https://github.com/OP-TEE/optee_os/security/advisories/GHSA-g6qf-hwf7-mg9h

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

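The check the quoted description says was missing, as an added example that is not part of the bug report or of OP-TEE's code: full public-key validation before an ECDH derive, in Python with NIST P-256 constants (the curve choice and all function names are assumptions; the report does not name which curves were affected).

```python
# Added example, not OP-TEE code: the validation an ECDH derive path must run on a
# caller-supplied (X, Y) before using it. NIST P-256 parameters, a = p - 3.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None  # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def point_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc

def is_valid_public_key(x, y):
    """Field range, curve equation y^2 == x^3 + ax + b (mod p), subgroup order."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    if (y * y - (x * x * x + A * x + B)) % P:
        return False  # off the curve: the case this CVE is about
    # P-256 has cofactor 1, so this is redundant here; cofactor > 1 curves need it.
    return point_mul(N, (x, y)) is None

def ecdh_shared_secret(d, peer_x, peer_y):
    """Shared-secret x-coordinate; refuses any peer key that fails validation."""
    if not is_valid_public_key(peer_x, peer_y):
        raise ValueError("peer public key is not a valid point on the curve")
    return point_mul(d, (peer_x, peer_y))[0]
```

Without the equation check, `point_mul` would happily run the same formulas on a point from a different curve (the `b` term never enters the addition law), which is exactly why an unchecked (X, Y) leaks `d % r`.
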
#1138879#8
Date:
2026-06-23 15:57:15 UTC
From:
To:
Hello,

Bug #1138879 in optee-os reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/optee-os/-/commit/d8ca4a62fd5026679bfb7282b2307e7442a08976
Signed-off-by: Dylan Aïssi <dylan.aissi@collabora.com>
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1138879

#1138879#15
Date:
2026-06-23 16:35:35 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
optee-os, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1138879@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dylan Aïssi <daissi@debian.org> (supplier of updated optee-os package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Tue, 23 Jun 2026 18:14:28 +0200
Source: optee-os
Architecture: source
Version: 4.10.0-2
Distribution: unstable
Urgency: medium
Maintainer: Dylan Aïssi <daissi@debian.org>
Changed-By: Dylan Aïssi <daissi@debian.org>
Closes: 1138878 1138879 1138880
Changes:
 optee-os (4.10.0-2) unstable; urgency=medium
 .
   * Import upstream patches fixing:
     - CVE-2026-40290 (Closes: #1138878)
     - CVE-2026-45614 (Closes: #1138879)
     - CVE-2026-45702 (Closes: #1138880)