PSA-2025-00010-1: libtpms0/swtpm out of bounds read vulnerability

I'm missing information about what steps are needed after updating libtpms0. Is a host and/or VM restart necessary?
You probably need to restart at least the affected VMs for this change to be effective.
 
I'm not a big fan of 'probably'. I much prefer 'definitely'. ;)
So bad news for the Windows admins (currently the only VMs with a TPM state). But then they are already used to frequently rebooting Windows, I've been told.
 
As far as I understand it, it is a linked library of the process that runs the VMs. So it will be loaded at runtime. To my understanding this means that, yes, you will need to restart the VM process.

Or in other words, the VMs that use TPMs need to be restarted, at least those VMs.
 
Either a cold start (if you can live with downtime), or a live migration to another node (if you can't) - both should ensure a new instance of swtpm (which loads the fixed version of the library) is started together with the new instance of the VM.
 
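One way to verify which processes still run the old library after the package update, as an added example that is not part of the thread: on Linux, a shared object replaced on disk while mapped shows up in `/proc/<pid>/maps` with a trailing `(deleted)`. The function name and its `proc_root` parameter are assumptions of this example.

```shell
#!/bin/sh
# Print "PID COMMAND" for every process that still maps a libtpms shared
# object which has since been replaced on disk. Such processes keep running
# the pre-update code until they are restarted (or the VM is migrated).
#
# proc_root is a hypothetical parameter so the function can be pointed at a
# test directory; on a real host it defaults to /proc.
stale_libtpms_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        # Skip unreadable entries (other users' processes, exited PIDs).
        [ -r "$maps" ] || continue
        # The path is the last field of a maps line; the kernel appends
        # " (deleted)" once the mapped file has been unlinked or replaced.
        if grep -Eq 'libtpms\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            pid="${maps%/maps}"
            pid="${pid##*/}"
            printf '%s %s\n' "$pid" "$(cat "$proc_root/$pid/comm" 2>/dev/null)"
        fi
    done
    return 0
}

# Run as root so that the maps files of all processes are readable.
stale_libtpms_pids "${1:-/proc}"
```

An empty result after the restarts or migrations means no running process is still using the replaced library.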