A flaw was found in swtpm. This flaw allows an attacker to create a symbolic link with the name of the temporary file (TMP2-00.permall for TPM 2) and have this point to a valuable file. swtpm will end up overwriting the file. The success of the attack depends on the attacker having access to the TPM's state directory (--tpmstate dir=...). Upstream commits [v0.4.2]: https://github.com/stefanberger/swtpm/commit/cae5991423826f21b11f7a5bc7f7b2b538bde2a2 https://github.com/stefanberger/swtpm/commit/252d62fc4abb220353576c26434b6e40166f3b58 https://github.com/stefanberger/swtpm/commit/2212f25466089937a0ef3f5d44507a2b157c12aa https://github.com/stefanberger/swtpm/commit/bd870a7dcc61cff4306739312eb0ab47cd050460 Upstream commits [v0.5.1]: https://github.com/stefanberger/swtpm/commit/4cc42c0ba3632a98ef381bda68d0a4eaec4578db https://github.com/stefanberger/swtpm/commit/634b6294000fb785b9f12e13b852c18a0888b01e https://github.com/stefanberger/swtpm/commit/a03cbadd087b2602412823f254ac75a9a12d97e3 https://github.com/stefanberger/swtpm/commit/526300236dc8a7664acdc265b6fc5d767289ac39 https://github.com/stefanberger/swtpm/commit/e621b21d4c31029ebe794350fcff2bcd4b0f13a0
This bug has been fixed a while ago. I think this bugzilla can be closed.