Debian Bug report logs - #991495
edk2: CVE-2019-11098

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Sun, 25 Jul 2021 19:12:02 UTC

Severity: important

Tags: security, upstream

Found in version edk2/2020.11-4

Fixed in versions 2021.02-1, edk2/2020.11-5

Done: dann frazier <dannf@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#991495; Package src:edk2. (Sun, 25 Jul 2021 19:12:04 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Sun, 25 Jul 2021 19:12:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: edk2: CVE-2019-11098
Date: Sun, 25 Jul 2021 21:09:20 +0200
Source: edk2
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for edk2.

CVE-2019-11098[0]:
| Insufficient input validation in MdeModulePkg in EDKII may allow an
| unauthenticated user to potentially enable escalation of privilege,
| denial of service and/or information disclosure via physical access.

https://edk2-docs.gitbook.io/security-advisory/bootguard-toctou-vulnerability
https://bugzilla.tianocore.org/show_bug.cgi?id=1614
https://bugzilla.tianocore.org/attachment.cgi?id=316


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11098
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11098

Please adjust the affected versions in the BTS as needed.



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 26 Jul 2021 05:30:03 GMT)


Reply sent to dann frazier <dannf@dannf.org>:
You have taken responsibility. (Mon, 26 Jul 2021 13:36:03 GMT)


Notification sent to Moritz Mühlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Mon, 26 Jul 2021 13:36:03 GMT)


Message #12 received at 991495-done@bugs.debian.org:

From: dann frazier <dannf@dannf.org>
To: 991495-done@bugs.debian.org
Subject: closing
Date: Mon, 26 Jul 2021 07:32:58 -0600
Version: 2021.02-1



Marked as found in versions edk2/2020.11-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 26 Jul 2021 13:45:03 GMT)


Reply sent to dann frazier <dannf@debian.org>:
You have taken responsibility. (Mon, 26 Jul 2021 16:06:03 GMT)


Notification sent to Moritz Mühlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Mon, 26 Jul 2021 16:06:03 GMT)


Message #19 received at 991495-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 991495-close@bugs.debian.org
Subject: Bug#991495: fixed in edk2 2020.11-5
Date: Mon, 26 Jul 2021 16:03:28 +0000
Source: edk2
Source-Version: 2020.11-5
Done: dann frazier <dannf@debian.org>

We believe that the bug you reported is fixed in the latest version of
edk2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 991495@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
dann frazier <dannf@debian.org> (supplier of updated edk2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 26 Jul 2021 08:57:13 -0600
Source: edk2
Architecture: source
Version: 2020.11-5
Distribution: unstable
Urgency: medium
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: dann frazier <dannf@debian.org>
Closes: 991495
Changes:
 edk2 (2020.11-5) unstable; urgency=medium
 .
   * Address Boot Guard TOCTOU vulnerability (CVE-2019-11098) (Closes: #991495)
Checksums-Sha1:
 e96ede8295704f36c0cf97ccb9c90f8d3a91f095 2916 edk2_2020.11-5.dsc
 700e4efd1166b3f50cc7558eef0676f7ce010b74 35996 edk2_2020.11-5.debian.tar.xz
 5a93b8eed955f0c5fb5006ed44a87a2affad25a3 10721 edk2_2020.11-5_source.buildinfo
Checksums-Sha256:
 dd56d9df13a6c6be032022ee42e21336876fa8f3bc4920a48a2a3db189696cef 2916 edk2_2020.11-5.dsc
 0096629c769404f3b335b54a3e4c40d9e7dddd87ee52421bce5807322f000550 35996 edk2_2020.11-5.debian.tar.xz
 d2f14aa4630ce8923d78229b80f4aeefae7672a7e3cbbbb50700c03749b4497d 10721 edk2_2020.11-5_source.buildinfo
Files:
 9daf0476b3550267a3706e408a231e16 2916 misc optional edk2_2020.11-5.dsc
 18020b09cc67a43d390274f5f18e817a 35996 misc optional edk2_2020.11-5.debian.tar.xz
 a7b61fb7997d439e43536229a772f991 10721 misc optional edk2_2020.11-5_source.buildinfo





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Jul 26 16:17:18 2021; Machine Name: bembo
