CVE-2018-12178 CVE-2018-12180 CVE-2018-12181

Status changed to 'Confirmed' because the bug affects multiple users.

Can the edk2/ovmf package for Bionic be updated to the latest version?

0~20190309.89910a39-1ubuntu1

-J

On Wed, Mar 27, 2019 at 9:35 AM Janåke Rönnblom <email address hidden> wrote:
>
> Can the edk2/ovmf package for Bionic be updated to the latest version?
>
> 0~20190309.89910a39-1ubuntu1

Sorry, no. Our policy is to backport the fixes instead.

  -dann

Hello dann, or anyone else affected,

Accepted edk2 into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/edk2/0~20180205.c0d9813c-2ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello dann, or anyone else affected,

Accepted edk2 into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/edk2/0~20180803.dd4cae4d-1ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Verified both cosmic & bionic builds by booting an existing guest up, and by PXE booting in a way requiring DNS resolution.

The verification of the Stable Release Update for edk2 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package edk2 - 0~20180205.c0d9813c-2ubuntu0.1

---------------
edk2 (0~20180205.c0d9813c-2ubuntu0.1) bionic; urgency=medium

  * Security fixes (LP: #1820764):
    - Fix buffer overflow in BlockIo service (CVE-2018-12180)
    - DNS: Check received packet size before using (CVE-2018-12178)
    - Fix stack overflow with corrupted BMP (CVE-2018-12181)

 -- dann frazier <email address hidden> Mon, 08 Jul 2019 10:07:19 -0600

This bug was fixed in the package edk2 - 0~20180803.dd4cae4d-1ubuntu1.1

---------------
edk2 (0~20180803.dd4cae4d-1ubuntu1.1) cosmic; urgency=medium

  * Security fixes (LP: #1820764):
    - Fix buffer overflow in BlockIo service (CVE-2018-12180)
    - DNS: Check received packet size before using (CVE-2018-12178)
    - Fix stack overflow with corrupted BMP (CVE-2018-12181)

 -- dann frazier <email address hidden> Mon, 08 Jul 2019 09:59:55 -0600

This bug was fixed in the package edk2 - 0~20160408.ffea0a2c-2ubuntu0.1

---------------
edk2 (0~20160408.ffea0a2c-2ubuntu0.1) xenial; urgency=medium

  * Security fixes (LP: #1820764):
    - Fix buffer overflow in BlockIo service (CVE-2018-12180)
    - DNS: Check received packet size before using (CVE-2018-12178)
    - Fix stack overflow with corrupted BMP (CVE-2018-12181)
  * Fix numeric truncation in S3BootScript[Save]*() API. (CVE-2019-14563)
  * Fix use-after-free in PcdHiiOsRuntimeSupport. (CVE-2019-14586)
  * Clear memory before free to avoid potential password leak.
    (CVE-2019-14558)
  * Fix double-unmap in SdMmcCreateTrb(). This did not impact any
    of the images built from this package. (CVE-2019-14587)
  * Fix memory leak in ArpOnFrameRcvdDpc(). (CVE-2019-14559)
  * Fix issue that could allow an efi image with a blacklisted hash in the
    dbx to be loaded. (CVE-2019-14575)
  * Fix a memory leak in the ARP handler. (CVE-2019-14559)

 -- dann frazier <email address hidden> Thu, 16 Apr 2020 09:05:29 -0600

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release