| Summary: | edk2 new security issues CVE-2018-12179, CVE-2018-1218[23], CVE-2019-016[01], CVE-2019-1455[389], CVE-2019-14563, CVE-2019-14575, CVE-2019-1458[467], CVE-2019-14562, CVE-2021-28210, CVE-2021-28211 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | mageia, ouaurelien, sysadmin-bugs, tarazed25, thierry.vignaud |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | edk2-20190308stable-1.mga7.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2019-12-23 22:19:41 CET

Jani Välimaa
2019-12-24 19:25:31 CET
Component: RPM Packages => Security

That basically means syncing mga7's edk2 pkg with cauldron...

David Walser
2020-01-14 17:39:56 CET
Status comment: (none) => Fixed upstream in 20190501stable

Red Hat has issued an advisory today (April 28):
https://access.redhat.com/errata/RHSA-2020:1712

It fixes CVE-2019-14563, which was fixed in 20190830.

Upstream also shows CVE-2019-14553 being fixed in 20191202:
https://github.com/tianocore/edk2/releases/tag/edk2-stable201911

The second issue only exists if the compile-time options HTTP_BOOT_ENABLE or TLS_ENABLE are enabled.

Status comment: Fixed upstream in 20190501stable => Fixed upstream in 20191202stable

Ubuntu has issued an advisory on April 30:
https://usn.ubuntu.com/4349-1/

This adds 5 more CVEs. It looks like the issues have been fixed upstream, but I'm not sure if all the fixes are in 202002.

Summary: edk2 new security issues CVE-2018-12179, CVE-2018-1218[23], CVE-2019-016[01], CVE-2019-14553, CVE-2019-14563 => edk2 new security issues CVE-2018-12179, CVE-2018-1218[23], CVE-2019-016[01], CVE-2019-1455[389], CVE-2019-14563, CVE-2019-14575, CVE-2019-1458[67]

Fedora has issued an advisory for this on October 1:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/A23OH3MXQU7WURSP4PC66EXMG6INYFH6/

Status comment: Fixed upstream in 20191202stable => Fixed upstream in 20200801stable

Cauldron updated by Thierry.

Version: Cauldron => 7

Ubuntu has issued an advisory on January 7:
https://ubuntu.com/security/notices/USN-4684-1

The two new issues are fixed upstream in stable202011 (November 27):
https://github.com/tianocore/edk2/releases/tag/edk2-stable202011

Summary: edk2 new security issues CVE-2018-12179, CVE-2018-1218[23], CVE-2019-016[01], CVE-2019-1455[389], CVE-2019-14563, CVE-2019-14575, CVE-2019-1458[67] => edk2 new security issues CVE-2018-12179, CVE-2018-1218[23], CVE-2019-016[01], CVE-2019-1455[389], CVE-2019-14563, CVE-2019-14575, CVE-2019-1458[467], CVE-2019-14562

Freeze push asked for cauldron.

CC: (none) => mageia

New version pushed in mga7:

src:
edk2-20201101stable-1.mga7

Package list for Mageia 7 update:
edk2-tools-20201101stable-1.mga7
edk2-tools-python-20201101stable-1.mga7
edk2-tools-doc-20201101stable-1.mga7
edk2-qosb-20201101stable-1.mga7
edk2-ovmf-20201101stable-1.mga7
edk2-ovmf-ia32-20201101stable-1.mga7
edk2-aarch64-20201101stable-1.mga7
edk2-arm-20201101stable-1.mga7

from edk2-20201101stable-1.mga7.src.rpm

The version tag is incorrect though. The date part should be defined with the macro variables, and for this update should be 27, not 01.

Also, why is it bundling openssl??? (SOURCE1)

I have not touched any of this, only updated the version :-)

I don't understand what you mean about the version, as the latest version is:
https://github.com/tianocore/edk2/releases/tag/edk2-stable202011

This is wrong:

%global edk2_stable_date 202011
Version: %{edk2_stable_date}01stable

The 01 should be 27. edk2-stable202011 was released on 20201127, not 20201101.

Oh yes, thank you :-) It should be better in the next RPMs.

Fixed on cauldron.

Whiteboard: MGA7TOO => (none)

Date macros fixed in Cauldron SVN.

New package list:
edk2-tools-20201127stable-1.mga7
edk2-tools-python-20201127stable-1.mga7
edk2-tools-doc-20201127stable-1.mga7
edk2-qosb-20201127stable-1.mga7
edk2-ovmf-20201127stable-1.mga7
edk2-ovmf-ia32-20201127stable-1.mga7
edk2-aarch64-20201127stable-1.mga7
edk2-arm-20201127stable-1.mga7

from edk2-20201127stable-1.mga7.src.rpm

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12179
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12182
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12183
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0160
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0161
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14553
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14558
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14559
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14563
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14575
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14584
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14586
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14587
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14562
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TQYVZRFEXSN3KS43AVH4D7QX553EZQYP/
https://access.redhat.com/errata/RHSA-2020:1712
https://usn.ubuntu.com/4349-1/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/A23OH3MXQU7WURSP4PC66EXMG6INYFH6/
https://ubuntu.com/security/notices/USN-4684-1
https://github.com/tianocore/edk2/releases

Status comment: Fixed upstream in 202011 => (none)

Mageia 7

Installed all the packages on a 64-bit system, then attempted to find out what it is all about. The documentation is pretty opaque, but information on the web indicates that it may be a development kit and build system for UEFI system firmware. There is early mention of QEMU, so the "e" may stand for emulation, and the package names show that it covers a range of architectures. Definitely something QA is not qualified to run.

All the packages updated cleanly.

$ rpm -qa | grep edk2
edk2-aarch64-20201127stable-1.mga7
edk2-ovmf-20201127stable-1.mga7
edk2-qosb-20201127stable-1.mga7
edk2-tools-doc-20201127stable-1.mga7
edk2-tools-python-20201127stable-1.mga7
edk2-arm-20201127stable-1.mga7
edk2-ovmf-ia32-20201127stable-1.mga7
edk2-tools-20201127stable-1.mga7

Looked at batches of a few sample files in /usr/share/doc. All had been updated to Nov 27. The License.txt files in /usr/share/licenses showed Nov 27.

Giving this an OK.

CC: (none) => tarazed25

Validating.

Suggested advisory:
========================

The updated packages fix multiple security vulnerabilities.

Improper configuration in system firmware for EDK II may allow an unauthenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via local access. (CVE-2018-12179)

Insufficient memory write check in SMM service for EDK II may allow an authenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via local access. (CVE-2018-12182)

Stack overflow in DxeCore for EDK II may allow an unauthenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via local access. (CVE-2018-12183)

Buffer overflow in system firmware for EDK II may allow an unauthenticated user to potentially enable escalation of privilege and/or denial of service via network access. (CVE-2019-0160)

Stack overflow in XHCI for EDK II may allow an unauthenticated user to potentially enable denial of service via local access. (CVE-2019-0161)

Improper authentication in EDK II may allow a privileged user to potentially enable information disclosure via network access. (CVE-2019-14553)

Insufficient control flow management in BIOS firmware for 8th, 9th, 10th Generation Intel(R) Core(TM), Intel(R) Celeron(R) Processor 4000 & 5000 Series Processors may allow an authenticated user to potentially enable denial of service via adjacent access. (CVE-2019-14558)

Uncontrolled resource consumption in EDK II may allow an unauthenticated user to potentially enable denial of service via network access. (CVE-2019-14559)

Integer truncation in EDK II may allow an authenticated user to potentially enable escalation of privilege via local access. (CVE-2019-14563)

Logic issue in DxeImageVerificationHandler() for EDK II may allow an authenticated user to potentially enable escalation of privilege via local access. (CVE-2019-14575)

EDK II incorrectly parsed signed PKCS #7 data. An attacker could use this issue to cause EDK II to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2019-14584)

Use after free vulnerability in EDK II may allow an authenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via adjacent access. (CVE-2019-14586)

Logic issue in EDK II may allow an unauthenticated user to potentially enable denial of service via adjacent access. (CVE-2019-14587)

Integer overflow in DxeImageVerificationHandler() for EDK II may allow an authenticated user to potentially enable denial of service via local access. (CVE-2019-14562)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12179
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12182
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12183
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0160
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0161
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14553
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14558
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14559
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14563
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14575
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14584
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14586
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14587
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14562
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TQYVZRFEXSN3KS43AVH4D7QX553EZQYP/
https://access.redhat.com/errata/RHSA-2020:1712
https://usn.ubuntu.com/4349-1/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/A23OH3MXQU7WURSP4PC66EXMG6INYFH6/
https://ubuntu.com/security/notices/USN-4684-1
https://github.com/tianocore/edk2/releases
========================

Updated packages in core/updates_testing:
========================
edk2-tools-20201127stable-1.mga7
edk2-tools-python-20201127stable-1.mga7
edk2-tools-doc-20201127stable-1.mga7
edk2-qosb-20201127stable-1.mga7
edk2-ovmf-20201127stable-1.mga7
edk2-ovmf-ia32-20201127stable-1.mga7
edk2-aarch64-20201127stable-1.mga7
edk2-arm-20201127stable-1.mga7

from SRPM:
edk2-20201127stable-1.mga7.src.rpm

Advisory pushed to SVN.

CC: (none) => ouaurelien

Aurelien Oudelet
2021-01-17 16:15:10 CET
CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0035.html

Resolution: (none) => FIXED

This update also fixed CVE-2021-28210, CVE-2021-28211:
https://www.debian.org/lts/security/2021/dla-2645
https://ubuntu.com/security/notices/USN-4923-1

Summary: edk2 new security issues CVE-2018-12179, CVE-2018-1218[23], CVE-2019-016[01], CVE-2019-1455[389], CVE-2019-14563, CVE-2019-14575, CVE-2019-1458[467], CVE-2019-14562 => edk2 new security issues CVE-2018-12179, CVE-2018-1218[23], CVE-2019-016[01], CVE-2019-1455[389], CVE-2019-14563, CVE-2019-14575, CVE-2019-1458[467], CVE-2019-14562, CVE-2021-28210, CVE-2021-28211