33086 – edk2 new security issues CVE-2022-3676[34], CVE-2023-45229 and CVE-2023-4523[0-7]

Bug 33086 - edk2 new security issues CVE-2022-3676[34], CVE-2023-45229 and CVE-2023-4523[0-7]

Summary: edk2 new security issues CVE-2022-3676[34], CVE-2023-45229 and CVE-2023-4523[...

Status:	NEW

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	Cauldron
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	Thierry Vignaud
QA Contact:	Sec team

URL:
Whiteboard:	MGA9TOO
Keywords:

Depends on:
Blocks:

Reported:	2024-04-10 15:40 CEST by Nicolas Salguero
Modified:	2024-05-02 09:26 CEST (History)
CC List:	0 users

See Also:
Source RPM:	edk2-20221117gitfff6d81270b5-7.mga9.src.rpm
CVE:	CVE-2022-36763, CVE-2022-36764, CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237
Status comment:	Patches available from Debian, CVE-2023-4523[67] unfixed

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2024-04-10 15:40:29 CEST

Those CVEs were announced here:
https://www.openwall.com/lists/oss-security/2024/01/16/2

RedHat has issued an advisory for CVE-2023-45234 on April 9:
https://lwn.net/Articles/969277/

Debian (https://sources.debian.org/src/edk2/2022.11-6%2Bdeb12u1/debian/patches/) fixed CVE-2023-45229 and CVE-2023-4523[0-5] with these patches:
0001-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411.patch
0002-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117.patch
0003-SecurityPkg-Adding-CVE-2022-36763-to-SecurityFixes.y.patch
0001-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411-2.patch
0002-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4118.patch
0003-SecurityPkg-Adding-CVE-2022-36764-to-SecurityFixes.y.patch
0001-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411-3.patch
0002-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117-2.patch
0003-SecurityPkg-Updating-SecurityFixes.yaml-after-symbol.patch
0001-UefiPayloadPkg-Hob-Integer-Overflow-in-CreateHob.patch
0001-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch
0002-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch
0003-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Un.patch
0004-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Pa.patch
0005-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Un.patch
0006-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Patc.patch
0007-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Unit.patch
0008-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Patc.patch
0009-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Unit.patch
0010-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch
0011-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch
0013-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch
0014-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch
0015-NetworkPkg-Adds-a-SecurityFix.yaml-file.patch
Disable-the-Shell-when-SecureBoot-is-enabled.patch

Mageia 9 is also affected.

Nicolas Salguero 2024-04-10 15:42:29 CEST

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => edk2-20221117gitfff6d81270b5-7.mga9.src.rpm
Status comment: (none) => Patches available from Debian, CVE-2023-4523[67] unfixed
CVE: (none) => CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237

Comment 1 Lewis Smith 2024-04-10 21:15:08 CEST

Very helpful that you identified all those patches from an even longer list.
edk2 is normally Thierry's baby, so assigning thus. Re-assign it if you wish.

Assignee: bugsquad => thierry.vignaud

Comment 2 Nicolas Salguero 2024-05-02 09:26:59 CEST

RedHat has issued an advisory on April 30:
https://lwn.net/Articles/971687/

CVE: CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237 => CVE-2022-36763, CVE-2022-36764, CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237
Summary: edk2 new security issues CVE-2023-45229 and CVE-2023-4523[0-7] => edk2 new security issues CVE-2022-3676[34], CVE-2023-45229 and CVE-2023-4523[0-7]

Note You need to log in before you can comment on or make changes to this bug.