Bug 678906 (CVE-2018-12179, CVE-2018-12182, CVE-2018-12183, CVE-2019-0161) - <sys-firmware/edk2-ovmf-201905: multiple vulnerabilities
Summary: <sys-firmware/edk2-ovmf-201905: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2018-12179, CVE-2018-12182, CVE-2018-12183, CVE-2019-0161
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-02-27 08:52 UTC by Agostino Sarubbo
Modified: 2019-08-20 20:11 UTC

See Also:
Package list:
app-emulation/qemu-4.0.0-r50 sys-firmware/edk2-ovmf-201905 sys-firmware/ipxe-1.0.0_p20190728 sys-firmware/seabios-1.12.0
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2019-02-27 08:52:19 UTC
https://bugzilla.tianocore.org/show_bug.cgi?id=828
https://github.com/tianocore/edk2/commit/3b30351b75d70ea65701ac999875fbb81a89a5ca

https://bugzilla.tianocore.org/show_bug.cgi?id=828
https://github.com/tianocore/edk2/commit/89f75aa04a97293a8ed9db2a90851a5053730cf5

https://bugzilla.tianocore.org/show_bug.cgi?id=828
https://github.com/tianocore/edk2/commit/5c0748f43f4e1cc15fdd0be64a764eacd7df92f6

https://bugzilla.tianocore.org/show_bug.cgi?id=828
https://github.com/tianocore/edk2/commit/4df8f5bfa28b8b881e506437e8f08d92c1a00370


https://bugzilla.tianocore.org/show_bug.cgi?id=828
https://github.com/tianocore/edk2/commit/b9ae1705adfdd43668027a25a2b03c2e81960219

https://bugzilla.tianocore.org/show_bug.cgi?id=1134
https://lists.01.org/pipermail/edk2-devel/2019-February/037248.html
https://lists.01.org/pipermail/edk2-devel/2019-February/037249.html
https://lists.01.org/pipermail/edk2-devel/2019-February/037250.html

https://bugzilla.tianocore.org/show_bug.cgi?id=809
https://lists.01.org/pipermail/edk2-devel/2019-February/037251.html
Comment 1 Larry the Git Cow gentoo-dev 2019-07-28 23:17:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6137d4c59ea47d77517e925d8bfd46b8b3b1f669

commit 6137d4c59ea47d77517e925d8bfd46b8b3b1f669
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2019-07-28 21:00:39 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2019-07-28 23:17:16 +0000

    sys-firmware/edk2-ovmf: version bump to 201905
    
     * switch to new upstream version number
    
     * add secure boot support
    
     * version contains security fixes for all vulnerabilities identified
       in #678906c1
    
    Closes: https://bugs.gentoo.org/680920
    Closes: https://bugs.gentoo.org/681936
    Closes: https://bugs.gentoo.org/665152
    Bug: https://bugs.gentoo.org/678906
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 sys-firmware/edk2-ovmf/Manifest                |   5 +-
 sys-firmware/edk2-ovmf/edk2-ovmf-201905.ebuild | 153 +++++++++++++++++++++++++
 2 files changed, 156 insertions(+), 2 deletions(-)
Comment 2 Matthias Maier gentoo-dev 2019-07-28 23:19:47 UTC
Let's give this a short round of testing before calling for stabilization.
Comment 3 Agostino Sarubbo gentoo-dev 2019-08-18 21:51:58 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2019-08-19 11:38:40 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Larry the Git Cow gentoo-dev 2019-08-20 04:24:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c682b9fdcbf9977e0da01970c2d162461765b7d4

commit c682b9fdcbf9977e0da01970c2d162461765b7d4
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2019-08-20 04:24:06 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2019-08-20 04:24:06 +0000

    sys-firmware/edk2-ovmf: drop vulnerable
    
    Bug: https://bugs.gentoo.org/678906
    Package-Manager: Portage-2.3.72, Repoman-2.3.17
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 sys-firmware/edk2-ovmf/Manifest                    |   2 -
 .../edk2-ovmf/edk2-ovmf-2017_p20180211.ebuild      | 110 ---------------------
 ...k2-ovmf-2017_p20180211-build_system_fixes.patch |  91 -----------------
 3 files changed, 203 deletions(-)

