edk2: CVE-2023-45236

Debian Bug report logs - #1063726

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 21 Jan 2024 15:57:01 UTC

Severity: important

Found in version edk2/2023.11-5

Forwarded to https://bugzilla.tianocore.org/show_bug.cgi?id=4518



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#1061256; Package src:edk2. (Sun, 21 Jan 2024 15:57:03 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Sun, 21 Jan 2024 15:57:03 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: edk2: CVE-2023-45229 CVE-2023-45230 CVE-2023-45231 CVE-2023-45232 CVE-2023-45233 CVE-2023-45234 CVE-2023-45235 CVE-2023-45236 CVE-2023-45237
Date: Sun, 21 Jan 2024 16:55:20 +0100

Source: edk2
Version: 2023.11-5
Severity: important
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for edk2.

CVE-2023-45229[0]:
| EDK2's Network Package is susceptible to an out-of-bounds read
| vulnerability when processing the IA_NA or IA_TA option in a DHCPv6
| Advertise message. This vulnerability can be exploited by an
| attacker to gain unauthorized access and potentially lead to a loss
| of Confidentiality.


CVE-2023-45230[1]:
| EDK2's Network Package is susceptible to a buffer overflow
| vulnerability via a long server ID option in DHCPv6 client. This
| vulnerability can be exploited by an attacker to gain unauthorized
| access and potentially lead to a loss of Confidentiality, Integrity
| and/or Availability.


CVE-2023-45231[2]:
| EDK2's Network Package is susceptible to an out-of-bounds read
| vulnerability when processing Neighbor Discovery Redirect message.
| This vulnerability can be exploited by an attacker to gain
| unauthorized access and potentially lead to a loss of
| Confidentiality.


CVE-2023-45232[3]:
| EDK2's Network Package is susceptible to an infinite loop
| vulnerability when parsing unknown options in the Destination
| Options header of IPv6. This vulnerability can be exploited by an
| attacker to gain unauthorized access and potentially lead to a loss
| of Availability.


CVE-2023-45233[4]:
| EDK2's Network Package is susceptible to an infinite loop
| vulnerability when parsing a PadN option in the Destination Options
| header of IPv6. This vulnerability can be exploited by an attacker
| to gain unauthorized access and potentially lead to a loss of
| Availability.


CVE-2023-45234[5]:
| EDK2's Network Package is susceptible to a buffer overflow
| vulnerability when processing DNS Servers option from a DHCPv6
| Advertise message. This vulnerability can be exploited by an
| attacker to gain unauthorized access and potentially lead to a loss
| of Confidentiality, Integrity and/or Availability.


CVE-2023-45235[6]:
| EDK2's Network Package is susceptible to a buffer overflow
| vulnerability when handling Server ID option from a DHCPv6
| proxy Advertise message. This vulnerability can be exploited by an
| attacker to gain unauthorized access and potentially lead to a loss
| of Confidentiality, Integrity and/or Availability.


CVE-2023-45236[7]:
| EDK2's Network Package is susceptible to a predictable TCP Initial
| Sequence Number. This vulnerability can be exploited by an attacker
| to gain unauthorized access and potentially lead to a loss of
| Confidentiality.


CVE-2023-45237[8]:
| EDK2's Network Package is susceptible to a predictable TCP Initial
| Sequence Number. This vulnerability can be exploited by an attacker
| to gain unauthorized access and potentially lead to a loss of
| Confidentiality.

They are described in [9]. Dann, you know more on the fixes?


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-45229
    https://www.cve.org/CVERecord?id=CVE-2023-45229
[1] https://security-tracker.debian.org/tracker/CVE-2023-45230
    https://www.cve.org/CVERecord?id=CVE-2023-45230
[2] https://security-tracker.debian.org/tracker/CVE-2023-45231
    https://www.cve.org/CVERecord?id=CVE-2023-45231
[3] https://security-tracker.debian.org/tracker/CVE-2023-45232
    https://www.cve.org/CVERecord?id=CVE-2023-45232
[4] https://security-tracker.debian.org/tracker/CVE-2023-45233
    https://www.cve.org/CVERecord?id=CVE-2023-45233
[5] https://security-tracker.debian.org/tracker/CVE-2023-45234
    https://www.cve.org/CVERecord?id=CVE-2023-45234
[6] https://security-tracker.debian.org/tracker/CVE-2023-45235
    https://www.cve.org/CVERecord?id=CVE-2023-45235
[7] https://security-tracker.debian.org/tracker/CVE-2023-45236
    https://www.cve.org/CVERecord?id=CVE-2023-45236
[8] https://security-tracker.debian.org/tracker/CVE-2023-45237
    https://www.cve.org/CVERecord?id=CVE-2023-45237
[9] https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Set Bug forwarded-to-address to 'https://bugzilla.tianocore.org/show_bug.cgi?id=4518'. Request was from dann frazier <dannf@dannf.org> to control@bugs.debian.org. (Sun, 28 Jan 2024 15:15:03 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#1061256; Package src:edk2. (Sat, 10 Feb 2024 20:15:02 GMT).


Acknowledgement sent to dann frazier <dannf@dannf.org>:
Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Sat, 10 Feb 2024 20:15:02 GMT).


Message #12 received at 1061256@bugs.debian.org:

From: dann frazier <dannf@dannf.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 1061256@bugs.debian.org
Subject: Re: Bug#1061256: edk2: CVE-2023-45229 CVE-2023-45230 CVE-2023-45231 CVE-2023-45232 CVE-2023-45233 CVE-2023-45234 CVE-2023-45235 CVE-2023-45236 CVE-2023-45237
Date: Sat, 10 Feb 2024 13:11:47 -0700

Thanks Salvatore.

The first 7 are now fixed upstream, so I'm preparing an upload for
those. Fixes for CVE-2023-45236 and CVE-2023-45237 are still in the
works. Should we split those into separate bugs?

  -dann



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#1061256; Package src:edk2. (Sun, 11 Feb 2024 19:51:01 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Sun, 11 Feb 2024 19:51:01 GMT).


Message #17 received at 1061256@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: dann frazier <dannf@dannf.org>
Cc: 1061256@bugs.debian.org
Subject: Re: Bug#1061256: edk2: CVE-2023-45229 CVE-2023-45230 CVE-2023-45231 CVE-2023-45232 CVE-2023-45233 CVE-2023-45234 CVE-2023-45235 CVE-2023-45236 CVE-2023-45237
Date: Sun, 11 Feb 2024 20:46:32 +0100

Control: clone 1061256 -1 -2
Control: retitle 1061256 edk2: CVE-2023-45229 CVE-2023-45230 CVE-2023-45231 CVE-2023-45232 CVE-2023-45233 CVE-2023-45234 CVE-2023-45235
Conytol: retitle -1 edk2: CVE-2023-45236
Control: retitle -2 edk2: CVE-2023-45237
Control: fixed 1061256 2023.11-6

Hi Dann,

On Sat, Feb 10, 2024 at 01:11:47PM -0700, dann frazier wrote:
> Thanks Salvatore.
> 
> The first 7 are now fixed upstream, so I'm preparing an upload for
> those. Fixes for CVE-2023-45236 and CVE-2023-45237 are still in the
> works. Should we split those into separate bugs?

Yes, let's do this so we have proper tracking (doing two for each CVE
in case we run into the same situation for those and they are not fixed
with the same upload).

Does this split look good to you?

Regards,
Salvatore



Bug 1061256 cloned as bugs 1063726, 1063727. Request was from Salvatore Bonaccorso <carnil@debian.org> to 1061256-submit@bugs.debian.org. (Sun, 11 Feb 2024 19:51:01 GMT).


Changed Bug title to 'edk2: CVE-2023-45236' from 'edk2: CVE-2023-45229 CVE-2023-45230 CVE-2023-45231 CVE-2023-45232 CVE-2023-45233 CVE-2023-45234 CVE-2023-45235 CVE-2023-45236 CVE-2023-45237'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 11 Feb 2024 19:57:04 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Feb 12 14:45:56 2024; Machine Name: buxtehude
