Bug 33086

Summary: edk2 new security issues CVE-2022-3676[34], CVE-2023-45229 and CVE-2023-4523[0-7]
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: Thierry Vignaud <thierry.vignaud>
Status: NEW --- QA Contact: Sec team <security>
Severity: normal    
Priority: Normal    
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9TOO
Source RPM: edk2-20221117gitfff6d81270b5-7.mga9.src.rpm CVE: CVE-2022-36763, CVE-2022-36764, CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237
Status comment: Patches available from Debian, CVE-2023-4523[67] unfixed

Description Nicolas Salguero 2024-04-10 15:40:29 CEST 
Those CVEs were announced here:
https://www.openwall.com/lists/oss-security/2024/01/16/2

RedHat has issued an advisory for CVE-2023-45234 on April 9:
https://lwn.net/Articles/969277/

Debian (https://sources.debian.org/src/edk2/2022.11-6%2Bdeb12u1/debian/patches/) fixed CVE-2023-45229 and CVE-2023-4523[0-5] with these patches:
0001-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411.patch
0002-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117.patch
0003-SecurityPkg-Adding-CVE-2022-36763-to-SecurityFixes.y.patch
0001-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411-2.patch
0002-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4118.patch
0003-SecurityPkg-Adding-CVE-2022-36764-to-SecurityFixes.y.patch
0001-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411-3.patch
0002-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117-2.patch
0003-SecurityPkg-Updating-SecurityFixes.yaml-after-symbol.patch
0001-UefiPayloadPkg-Hob-Integer-Overflow-in-CreateHob.patch
0001-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch
0002-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch
0003-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Un.patch
0004-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Pa.patch
0005-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Un.patch
0006-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Patc.patch
0007-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Unit.patch
0008-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Patc.patch
0009-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Unit.patch
0010-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch
0011-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch
0013-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch
0014-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch
0015-NetworkPkg-Adds-a-SecurityFix.yaml-file.patch
Disable-the-Shell-when-SecureBoot-is-enabled.patch

Mageia 9 is also affected.
Nicolas Salguero 2024-04-10 15:42:29 CEST

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => edk2-20221117gitfff6d81270b5-7.mga9.src.rpm
Status comment: (none) => Patches available from Debian, CVE-2023-4523[67] unfixed
CVE: (none) => CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237

Comment 1 Lewis Smith 2024-04-10 21:15:08 CEST 
Very helpful that you identified all those patches from an even longer list.
edk2 is normally Thierry's baby, so assigning thus. Re-assign it if you wish.

Assignee: bugsquad => thierry.vignaud

Comment 2 Nicolas Salguero 2024-05-02 09:26:59 CEST 
RedHat has issued an advisory on April 30:
https://lwn.net/Articles/971687/

CVE: CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237 => CVE-2022-36763, CVE-2022-36764, CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237
Summary: edk2 new security issues CVE-2023-45229 and CVE-2023-4523[0-7] => edk2 new security issues CVE-2022-3676[34], CVE-2023-45229 and CVE-2023-4523[0-7]

Comment 3 Nicolas Salguero 2024-06-27 10:37:58 CEST 
For CVE-2022-3676[34], Debian also provides patches in version 2022.11-6+deb12u1