Vulnerabilities in the TPM 2.0 reference implementation code(blog.quarkslab.com) |
Vulnerabilities in the TPM 2.0 reference implementation code(blog.quarkslab.com) |
2022-12-16 Quarkslab asked Google for an update and answers to the questions sent previously on Dec. 5th and 12th. Also notified Google that it found out that a fix for the vulns we reported was committed to the Chromium OS TPM2 code on December 1st, and that since the repository is publicly visible, Quarkslab considered knowledge about the existence of the bugs to be public now. Asked Google for their plan to roll out these fixes to supported devices.
I don't know if I'm missing some detail here (like perhaps there are two embargo timelines, one for code shortly before another for full release), but at a first read this seems like it's exactly what the Chromium developers should do.
2023-01-05 Google followed up indicating that while they consider the code changes to be public, they do not consider them to break embargo per discussion with CERT and TCG. Also that they cannot provide an answer to the question about their plan to roll out fixes to their devices.
Of course, "fix bound checks" screams VULNERABILITY to every security researcher mindlessly scrolling through the commit logs.