After deserializing the quote info it was not checked whether the magic number in the attest is equal to TPM2_GENERATED_VALUE. So a malicious attacker could generate arbitrary quote data which was not detected by Fapi_VerifyQuote. Now the magic number is checked in verify quote and also in the deserialization of TPM2_GENERATED. The check is also added to the Unmarshal function for TPMS_ATTEST.

Reference: https://github.com/tpm2-software/tpm2-tss/commit/710cd0b6adf3a063f34a8e92da46df7a107d9a99
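The check described above, sketched as an added example (not tpm2-tss code and not part of the original report): a bounds-checked parse of the start of a marshalled TPMS_ATTEST that rejects a wrong magic before anything else is trusted. The function names, return codes and sample byte strings are assumptions made for illustration; the two constants are the values defined in the TPM 2.0 structures specification.

```c
#include <stddef.h>
#include <stdint.h>

/* Values from the TPM 2.0 structures specification. */
#define TPM2_GENERATED_VALUE 0xff544347u /* "\xffTCG" */
#define TPM2_ST_ATTEST_QUOTE 0x8018u

enum attest_rc { ATTEST_OK = 0, ATTEST_TRUNCATED, ATTEST_BAD_MAGIC, ATTEST_NOT_QUOTE };

/* Constructed samples: magic, type, qualifiedSigner (2 bytes), extraData (4-byte nonce). */
const uint8_t good_quote[] = {0xff,0x54,0x43,0x47, 0x80,0x18, 0,2,0xaa,0xbb, 0,4,0xde,0xad,0xbe,0xef};
const uint8_t forged_quote[] = {0x00,0x00,0x00,0x00, 0x80,0x18, 0,2,0xaa,0xbb, 0,4,0xde,0xad,0xbe,0xef};

/* Read an n-byte big-endian integer (n <= 4); returns 0 if the buffer is too short. */
static int rd_be(const uint8_t *b, size_t len, size_t *off, unsigned n, uint32_t *out) {
    if (*off > len || len - *off < n) return 0;
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++) v = (v << 8) | b[(*off)++];
    *out = v;
    return 1;
}

/* Hypothetical helper: validate magic and type of a marshalled TPMS_ATTEST and
 * locate extraData (the verifier's nonce). Out-pointers may be NULL. */
enum attest_rc check_quote_header(const uint8_t *buf, size_t len,
                                  const uint8_t **extra, uint16_t *extra_len) {
    size_t off = 0;
    uint32_t magic, type, n;
    if (!rd_be(buf, len, &off, 4, &magic)) return ATTEST_TRUNCATED;
    if (magic != TPM2_GENERATED_VALUE) return ATTEST_BAD_MAGIC; /* the missing check */
    if (!rd_be(buf, len, &off, 2, &type)) return ATTEST_TRUNCATED;
    if (type != TPM2_ST_ATTEST_QUOTE) return ATTEST_NOT_QUOTE;
    /* Skip qualifiedSigner (TPM2B_NAME: 16-bit size, then bytes). */
    if (!rd_be(buf, len, &off, 2, &n) || len - off < n) return ATTEST_TRUNCATED;
    off += n;
    /* extraData (TPM2B_DATA: 16-bit size, then bytes). */
    if (!rd_be(buf, len, &off, 2, &n) || len - off < n) return ATTEST_TRUNCATED;
    if (extra) *extra = buf + off;
    if (extra_len) *extra_len = (uint16_t)n;
    return ATTEST_OK;
}

int main(void) {
    int ok = check_quote_header(good_quote, sizeof good_quote, NULL, NULL) == ATTEST_OK;
    int bad = check_quote_header(forged_quote, sizeof forged_quote, NULL, NULL) == ATTEST_BAD_MAGIC;
    return !(ok && bad); /* exit status 0 when both samples behave as expected */
}
```

The magic matters because a restricted signing key will not sign externally supplied data that begins with TPM2_GENERATED_VALUE, so its presence is what ties a signed blob to TPM-generated attestation. A verifier still has to validate the signature and compare extraData with its own nonce.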
Created tpm2-tss tracking bugs for this issue: Affects: fedora-all [bug 2292189]