Debian Patches
Status for optee-os/4.10.0-2
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| CVE-2026-33662.patch | core: crypto_api: fix underflow in emsa_pkcs1_v1_5_encode() Guard against an integer underflow in emsa_pkcs1_v1_5_encode() that can occur when calculating the padding field in the EMSA-PKCS1-v1_5 encoding. | Jens Wiklander <jens.wiklander@linaro.org> | yes | debian upstream | upstream, https://github.com/OP-TEE/optee_os/commit/caeaa2a | 2026-01-22 |
| CVE-2026-33317-A.patch | ta: pkcs11: check output buffer size on get attribute value Check client output buffer input size and update its output size on PKCS11_CMD_GET_ATTRIBUTE_VALUE command. | Etienne Carriere <etienne.carriere@st.com> | yes | debian upstream | upstream, https://github.com/OP-TEE/optee_os/commit/e031c4e | 2026-01-21 |
| CVE-2026-33317-B.patch | ta: pkcs11: check template consistency on get attribute value Check client template holds consistent attribute area sizes value on PKCS11_CMD_GET_ATTRIBUTE_SIZE. | Etienne Carriere <etienne.carriere@st.com> | yes | debian upstream | upstream, https://github.com/OP-TEE/optee_os/commit/16926d5 | 2026-01-21 |
| CVE-2026-33317-C.patch | ta: pkcs11: fix attribute output size if too small on get attribute value Correct the size field output value for attributes fetched with PKCS11_CMD_GET_ATTRIBUTE_VALUE where a too short buffer was provided. As per the PKCS#11 specification, in such case, the related attributes size field should be filled with CK_UNAVAILABLE_INFORMATION and the function to return a non-true-error code like CKR_BUFFER_TOO_SMALL. The implementation complied for the return value but was loading the required attribute data value size instead in CK_UNAVAILABLE_INFORMATION in the attribute size field. | Etienne Carriere <etienne.carriere@st.com> | yes | debian upstream | upstream, https://github.com/OP-TEE/optee_os/commit/149e8d7 | 2026-01-21 |
| CVE-2026-40290.patch | core: arm: sp_mem: fix remove order in sp_mem_remove() Prior to this patch was sp_mem_remove() first removing resources from the struct sp_mem to free, and then removing it from the global mem_shares list. The unlocked manipulation of the struct sp_mem can lead to data races. Fix this by first removing the struct sp_mem from mem_shares while holding the lock, and then free the struct sp_mem and its resources. Add a few comments clarifying what mem_ref_lock and protects and when struct sp_mem can be accessed unlocked. | Jens Wiklander <jens.wiklander@linaro.org> | yes | debian upstream | upstream, https://github.com/OP-TEE/optee_os/commit/67fecef | 2026-03-06 |
| CVE-2026-45614.patch | core: validate ECC public keys are on the curve Adjusts the derive_key syscall to validate that the ECC public key that will be used for an ECDH shared secret operation is a valid point on the correct curve. This is required to avoid invalid curve attacks that allow an attacker to recover the private key with a few tens of derive key operations. mbedtls and STM32 already had checks for this and should be unaffected. To avoid situations where implementations of the derive key operation forget to do the check it is placed early in the shared path. To allow for hardware acceleration the operation is passed to the drvcrypt layer when it is enabled. If drvcrypt is disabled, or the driver in use doesn't implement the check, crypto_asym_get_ecc_public_ops is used to get a software fallback from either libtomcrypt or mbed tls. For this patch no changes have been made to the drivers. For STM32 this means the existing hardware validation now happens in addition to the software validation. For CAAM, a hardware implementation is possible. | Martin Nyhus <martin@nyhus.dev> | yes | debian upstream | upstream, https://github.com/OP-TEE/optee_os/commit/c2d64e1 | 2026-04-26 |
| CVE-2026-45702.patch | core: ffa: deny dynamic memory sharing to S-EL0 SPs Deny sharing memory with S-EL0 SPs using a dynamically allocated buffer. This avoids a bug where an owner allocated buffer was passed instead of struct ffa_rxtx pointer, possibly leading to crash in OP-TEE core at S-EL1. | Jens Wiklander <jens.wiklander@linaro.org> | yes | debian upstream | upstream, https://github.com/OP-TEE/optee_os/commit/d0751c7 | 2026-03-09 |
