edk2 2023.05-2ubuntu0.1 source package in Ubuntu

Changelog

edk2 (2023.05-2ubuntu0.1) mantic; urgency=medium

  * Cherry-pick security fixes from upstream:
    - Fix heap buffer overflow in Tcg2MeasureGptTable(), CVE-2022-36763
      + 0001-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411.patch
      + 0002-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117.patch
      + 0003-SecurityPkg-Adding-CVE-2022-36763-to-SecurityFixes.y.patch
    - Fix heap buffer overflow in Tcg2MeasurePeImage(), CVE-2022-36764
      + 0001-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411-2.patch
      + 0002-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4118.patch
      + 0003-SecurityPkg-Adding-CVE-2022-36764-to-SecurityFixes.y.patch
    - Fix build failure due to symbol collision in above patches:
      + 0001-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411-3.patch
      + 0002-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117-2.patch
      + 0003-SecurityPkg-Updating-SecurityFixes.yaml-after-symbol.patch
    - Fix integer overflow in CreateHob(), CVE-2022-36765
      + 0001-UefiPayloadPkg-Hob-Integer-Overflow-in-CreateHob.patch
    - Fix a buffer overflow via a long server ID option in DHCPv6
      client, CVE-2023-45230:
      + 0001-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch
      + 0002-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch
      + 0003-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Un.patch
    - Fix an out-of-bounds read vulnerability when processing the IA_NA
      or IA_TA option in a DHCPv6 Advertise message, CVE-2023-45229:
      + 0004-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Pa.patch
      + 0005-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Un.patch
    - Fix an out-of-bounds read when processing Neighbor Discovery
      Redirect messages, CVE-2023-45231:
      + 0006-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Patc.patch
      + 0007-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Unit.patch
    - Avoid an infinite loop when parsing unknown options in the
      Destination Options header of IPv6, CVE-2023-45232:
      + 0008-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Patc.patch
      + 0009-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Unit.patch
    - Avoid an infinite loop when parsing a PadN option in the
      Destination Options header of IPv6, CVE-2023-45233:
      + 0010-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch
      + 0011-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch
    - Fix a potential buffer overflow when processing a DNS Servers
      option from a DHCPv6 Advertise message, CVE-2023-45234:
      + 0013-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch
    - Fix a potential buffer overflow when handling a Server ID option
      from a DHCPv6 proxy Advertise message, CVE-2023-45235:
      + 0012-MdePkg-Test-Add-gRT_GetTime-Google-Test-Mock.patch
      + 0014-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch
    - Record fixes in a SecurityFix.yaml file:
      + 0015-NetworkPkg-Adds-a-SecurityFix.yaml-file.patch
  * Disable the built-in Shell when SecureBoot is enabled, CVE-2023-48733.
    Thanks to Mate Kukri. LP: #2040137.
    - Disable the built-in Shell when SecureBoot is enabled:
      + Disable-the-Shell-when-SecureBoot-is-enabled.patch
    - d/tests: Drop the boot-to-shell tests for images w/ Secure Boot active.
    - d/tests: Update run_cmd_check_secure_boot() to not expect shell
      interaction.

 -- dann frazier <email address hidden>  Mon, 12 Feb 2024 13:08:56 -0700

Upload details

Uploaded by:
dann frazier
Uploaded to:
Mantic
Original maintainer:
Ubuntu Developers
Architectures:
all
Section:
misc
Urgency:
Medium Urgency

Publishing

Series   Pocket     Published   Component   Section
Mantic   updates                main        misc
Mantic   security               main        misc

Builds

Mantic: [FULLYBUILT] amd64

Downloads

File Size SHA-256 Checksum
edk2_2023.05.orig.tar.xz 16.5 MiB a8eb9266d5993f71e2dbd1d09bf649f49388ad7ca5aa26c787f7dabd0dd37f46
edk2_2023.05-2ubuntu0.1.debian.tar.xz 74.8 KiB fddfa129dcb719fdd0175484b0c308830812a5d3fe3c16e86b236df043815d65
edk2_2023.05-2ubuntu0.1.dsc 2.9 KiB 1e7692ce9443954f63fa9f08ab6ee10a6c5687f1fb598e2ad7c065dabbd87be3


Binary packages built by this source

efi-shell-aa64: UEFI Shell for 64-bit ARM architecture

 The UEFI Shell provides a command line interface running on top of the EFI API.
 It can be used to execute EFI binaries, to manage EFI variables and boot
 options, or to display details of installed devices, drivers, and protocols.
 This package contains the shellaa64.efi binary for the 64-bit ARM
 architecture.

efi-shell-arm: UEFI Shell for 32-bit ARM architecture

 The UEFI Shell provides a command line interface running on top of the EFI API.
 It can be used to execute EFI binaries, to manage EFI variables and boot
 options, or to display details of installed devices, drivers, and protocols.
 This package contains the shellarm.efi binary for the 32-bit ARM
 architecture.

efi-shell-ia32: UEFI Shell for 32-bit x86 architecture

 The UEFI Shell provides a command line interface running on top of the EFI API.
 It can be used to execute EFI binaries, to manage EFI variables and boot
 options, or to display details of installed devices, drivers, and protocols.
 This package contains the shellia32.efi binary for the 32-bit x86
 architecture.

efi-shell-x64: UEFI Shell for 64-bit x86 architecture

 The UEFI Shell provides a command line interface running on top of the EFI API.
 It can be used to execute EFI binaries, to manage EFI variables and boot
 options, or to display details of installed devices, drivers, and protocols.
 This package contains the shellx64.efi binary for the 64-bit x86
 architecture.

ovmf: UEFI firmware for 64-bit x86 virtual machines

 Open Virtual Machine Firmware is a build of EDK II for 64-bit x86 virtual
 machines. It includes full support for UEFI, including Secure Boot, allowing
 use of UEFI in place of a traditional BIOS in your VM.

ovmf-ia32: UEFI firmware for 32-bit x86 virtual machines

 Open Virtual Machine Firmware is a build of EDK II for 32-bit x86 virtual
 machines. It includes full support for UEFI, including Secure Boot, allowing
 use of UEFI in place of a traditional BIOS in your VM.

qemu-efi-aarch64: UEFI firmware for 64-bit ARM virtual machines

 qemu-efi-aarch64 is a build of EDK II for 64-bit ARM virtual machines. It
 includes full support for UEFI, including Secure Boot.

qemu-efi-arm: UEFI firmware for 32-bit ARM virtual machines

 qemu-efi-arm is a build of EDK II for 32-bit ARM virtual machines. It
 includes full support for UEFI, including Secure Boot.