Debian Bug report logs - #924615
CVE-2018-12178 CVE-2018-12180 CVE-2018-12181

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Thu, 14 Mar 2019 22:09:02 UTC

Severity: grave

Tags: security, upstream

Found in version edk2/0~20181115.85588389-2

Fixed in versions edk2/0~20181115.85588389-3, edk2/0~20190309.89910a39-1, edk2/0~20161202.7bbe0b3e-1+deb9u1

Done: dann frazier <dannf@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#924615; Package src:edk2. (Thu, 14 Mar 2019 22:09:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Thu, 14 Mar 2019 22:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2018-12178 CVE-2018-12180 CVE-2018-12181
Date: Thu, 14 Mar 2019 23:06:14 +0100
Source: edk2
Severity: grave
Tags: security

Please see
https://security-tracker.debian.org/tracker/CVE-2018-12178
https://security-tracker.debian.org/tracker/CVE-2018-12180
https://security-tracker.debian.org/tracker/CVE-2018-12181

Cheers,
        Moritz



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 14 Mar 2019 22:51:04 GMT)


Marked as found in versions edk2/0~20181115.85588389-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 14 Mar 2019 22:51:05 GMT)


Reply sent to dann frazier <dannf@debian.org>:
You have taken responsibility. (Sat, 16 Mar 2019 01:54:03 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 16 Mar 2019 01:54:03 GMT)


Message #14 received at 924615-close@bugs.debian.org:

From: dann frazier <dannf@debian.org>
To: 924615-close@bugs.debian.org
Subject: Bug#924615: fixed in edk2 0~20181115.85588389-3
Date: Sat, 16 Mar 2019 01:50:05 +0000
Source: edk2
Source-Version: 0~20181115.85588389-3

We believe that the bug you reported is fixed in the latest version of
edk2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924615@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
dann frazier <dannf@debian.org> (supplier of updated edk2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 15 Mar 2019 18:37:44 -0600
Source: edk2
Architecture: source
Version: 0~20181115.85588389-3
Distribution: unstable
Urgency: medium
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: dann frazier <dannf@debian.org>
Closes: 924615
Changes:
 edk2 (0~20181115.85588389-3) unstable; urgency=medium
 .
   * Security fixes (Closes: #924615):
     - Fix buffer overflow in BlockIo service (CVE-2018-12180)
     - DNS: Check received packet size before using (CVE-2018-12178)
     - Fix stack overflow with corrupted BMP (CVE-2018-12181)
Checksums-Sha1:
 5aa5346129076a319b3939583855800fb3fb5334 2338 edk2_0~20181115.85588389-3.dsc
 e11a8970f225c4e88f352c89fbba011e2f42274e 22400 edk2_0~20181115.85588389-3.debian.tar.xz
 2e719abb031736715b0076000fad0362c475c694 7456 edk2_0~20181115.85588389-3_source.buildinfo
Checksums-Sha256:
 a5166d342b06bd8c38816b4365be0d57b464875284acb31c3b3ca3588549c025 2338 edk2_0~20181115.85588389-3.dsc
 655b141b3325d5d41af619fab83d60c6271de92c9c797edb8c98e77041f8a93a 22400 edk2_0~20181115.85588389-3.debian.tar.xz
 d5edf27dc10fe8a2b870532964a1ae51760c76da3a1d2ea477848773570d53ea 7456 edk2_0~20181115.85588389-3_source.buildinfo
Files:
 d4cc12080dfdff4299fbaa7a15a0251b 2338 misc optional edk2_0~20181115.85588389-3.dsc
 3ca737bd49ae6a26d4f3472015d6c5f7 22400 misc optional edk2_0~20181115.85588389-3.debian.tar.xz
 b04a9eb7ed2268aeb52df59601acbd8e 7456 misc optional edk2_0~20181115.85588389-3_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
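The changelog above names the class of each fix but not the code. As an added illustration (written for this page; it is neither edk2 code nor the upstream patches for CVE-2018-12178 or CVE-2018-12181, and the exact upstream defects are not described here), the block below shows the two checks a firmware network or image decoder needs at the point those entries name: refusing to read a DNS header or question section that the received datagram is too short to hold ("check received packet size before using"), and computing a BMP pixel-buffer size with overflow-checked arithmetic and a caller-supplied ceiling before any allocation or copy happens. The function names, the 256 MiB ceiling and the sample response bytes (www.example.com resolving to the documentation address 192.0.2.1) are constructed for the example.

```c
/*
 * Added example, not edk2 code: length-checked DNS parsing and an
 * overflow-checked BMP buffer size. All names and limits here are
 * hypothetical; the sample packet is constructed for the demonstration.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define DNS_HEADER_LEN 12   /* RFC 1035 header: six big-endian 16-bit fields */

typedef struct {
    uint16_t id, flags, qdcount, ancount, nscount, arcount;
} dns_header_t;

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* Returns 0 and fills *out, or -1 if fewer than 12 bytes were received.
 * Reading the fields without the length check reads past a short datagram. */
int dns_parse_header(const uint8_t *pkt, size_t len, dns_header_t *out)
{
    if (pkt == NULL || out == NULL || len < DNS_HEADER_LEN)
        return -1;
    out->id      = rd16(pkt);
    out->flags   = rd16(pkt + 2);
    out->qdcount = rd16(pkt + 4);
    out->ancount = rd16(pkt + 6);
    out->nscount = rd16(pkt + 8);
    out->arcount = rd16(pkt + 10);
    return 0;
}

/* Walks qdcount questions (labels, then QTYPE/QCLASS) with every read
 * bounded by len. Returns the offset of the answer section, or 0 if the
 * packet is truncated or malformed. */
size_t dns_skip_questions(const uint8_t *pkt, size_t len, uint16_t qdcount)
{
    size_t off = DNS_HEADER_LEN;
    if (pkt == NULL || len < DNS_HEADER_LEN)
        return 0;
    for (uint16_t q = 0; q < qdcount; q++) {
        for (;;) {                       /* one label per iteration */
            if (off >= len) return 0;    /* no room for the length byte */
            uint8_t l = pkt[off];
            if (l == 0) { off++; break; }              /* root label */
            if ((l & 0xC0) == 0xC0) {                  /* compression pointer */
                if (off + 2 > len) return 0;
                off += 2;
                break;
            }
            if (l > 63) return 0;                      /* reserved length bits */
            off += 1 + l;                /* next iteration re-checks bounds */
        }
        if (off + 4 > len) return 0;     /* QTYPE + QCLASS */
        off += 4;
    }
    return off;
}

/* Pixel-buffer size for width x height at bpp bits per pixel with BMP's
 * 4-byte row alignment. Returns 0 and sets *out, or -1 when the header
 * values are implausible, the product would not fit size_t, or it exceeds
 * max_bytes. Called before any allocation, so a corrupted header cannot
 * drive an undersized buffer or an oversized copy. */
int bmp_pixel_buffer_size(uint32_t width, uint32_t height, uint16_t bpp,
                          size_t max_bytes, size_t *out)
{
    if (out == NULL || width == 0 || height == 0)
        return -1;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 24 && bpp != 32)
        return -1;
    uint64_t row = (((uint64_t)width * bpp + 31) / 32) * 4;  /* <= 2^37, never 0 */
    if (height > SIZE_MAX / row)         /* row * height would overflow size_t */
        return -1;
    uint64_t total = row * (uint64_t)height;
    if (total > max_bytes)
        return -1;
    *out = (size_t)total;
    return 0;
}

/* Constructed sample response (49 bytes): id 0x1234, one question for
 * www.example.com, one A record 192.0.2.1 with a compression pointer. */
const uint8_t sample_response[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01,
    0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0E, 0x10, 0x00, 0x04,
    192, 0, 2, 1,
};
const size_t sample_response_len = sizeof sample_response;

int main(void)
{
    dns_header_t h;
    size_t n = 0;
    if (dns_parse_header(sample_response, sample_response_len, &h) == 0)
        printf("id=%04x qd=%u an=%u\n", h.id, h.qdcount, h.ancount);
    printf("answers start at %zu\n",
           dns_skip_questions(sample_response, sample_response_len, 1));
    /* Same bytes, but only 30 of them received: the walker refuses (0). */
    printf("truncated: %zu\n", dns_skip_questions(sample_response, 30, 1));
    printf("100x100x24: %d (%zu bytes)\n",
           bmp_pixel_buffer_size(100, 100, 24, 256u << 20, &n), n);
    printf("corrupt dims: %d\n",
           bmp_pixel_buffer_size(0xFFFFFFFFu, 0xFFFFFFFFu, 32, 256u << 20, &n));
    return 0;
}
```

The two functions share one design rule: the length or dimensions that came off the wire or out of the file header are validated against what was actually received (or against a fixed ceiling) before they are used to index, allocate, or copy. The truncated-packet case returns 0 without touching any byte beyond `len`, and the corrupt-dimension case fails before `total` is ever computed in `size_t`.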




Reply sent to dann frazier <dannf@debian.org>:
You have taken responsibility. (Mon, 18 Mar 2019 22:21:05 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 18 Mar 2019 22:21:05 GMT)


Message #19 received at 924615-close@bugs.debian.org:

From: dann frazier <dannf@debian.org>
To: 924615-close@bugs.debian.org
Subject: Bug#924615: fixed in edk2 0~20190309.89910a39-1
Date: Mon, 18 Mar 2019 22:20:07 +0000
Source: edk2
Source-Version: 0~20190309.89910a39-1

We believe that the bug you reported is fixed in the latest version of
edk2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924615@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
dann frazier <dannf@debian.org> (supplier of updated edk2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 18 Mar 2019 15:38:21 -0600
Source: edk2
Architecture: source
Version: 0~20190309.89910a39-1
Distribution: experimental
Urgency: medium
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: dann frazier <dannf@debian.org>
Closes: 924615 924620
Changes:
 edk2 (0~20190309.89910a39-1) experimental; urgency=medium
 .
   * New upstream release, based on edk2-stable201903 tag.
     - Fixes for CVE-2018-12178, CVE-2018-12180 and CVE-2018-12181
       Closes: #924615.
     - qemu-efi-*: Avoid silent corruption of firmware flash image
       by buggy EFI apps. Closes: #924620, LP: #1812093.
     - d/binary-check.blacklist: Drop binaries removed upstream.
     - d/binary-check.whitelist: Add new files detected as binary
       that were hand-verified to be source.
     - Bump openssl up to 1.1.0j.
     - qemu-efi-{arm,aarch64}: Drop -DINTEL_BDS from build flags.
       It became the default some time ago and was removed.
     - ovmf: Stop cargo-culting the inclusion and build of external
       EdkShell source. This is now no longer supported by upstream,
       and is a no-op because it was replaced by the internal UEFI
       shell back in 2013 (9bef3cdc "OvmfPkg: Build and use the UEFI shell
       by default").
     - qemu-efi-{arm,aarch64}: Don't explicitly build ShellPkg,
       ArmVirtPkg has been doing it since 2015 (da1ce6f8
       "ArmVirtualizationPkg: build UEFI shell from source").
     - Don't explicitly build FatPkg, OvmfPkg & ArmVirtPkg have
       included it since 2016 (aa47e529 "OvmfPkg: Convert to using
       FatPkg in the EDK II tree"), (42e3d9eb "ArmVirtPkg: Convert to
       build FatPkg from source").
     - d/p/no-missing-braces.diff: Forward port.
     - d/p/no-stack-protector-all-archs.diff: Forward port.
Checksums-Sha1:
 388a7224c852916e1912763ec739fde6ebe9b4cd 2338 edk2_0~20190309.89910a39-1.dsc
 e6d4ff6e0567a0bb81927c535e375a4a51a378bc 23339972 edk2_0~20190309.89910a39.orig.tar.xz
 0701dc3c4f0cd50625fde26bb039a85cde58a355 15228 edk2_0~20190309.89910a39-1.debian.tar.xz
 1ab531b384695054025cfce7a882a841b5429a42 7456 edk2_0~20190309.89910a39-1_source.buildinfo
Checksums-Sha256:
 d99370ce9ee37146e81716658ef5e5a955d4e5fe8020c731972e6a12aff311e2 2338 edk2_0~20190309.89910a39-1.dsc
 62e1a2062b595b559f66b52a71c99c0aa43f099a7ff81fe023d6f197eb7455e5 23339972 edk2_0~20190309.89910a39.orig.tar.xz
 380e37cb6ade8feaec62f694e68ff53fac41a59fadcf98839e96c82f8f988522 15228 edk2_0~20190309.89910a39-1.debian.tar.xz
 dde54a9526e0df785a3c62ca6265956408207967424e326f303f5c543c376b2f 7456 edk2_0~20190309.89910a39-1_source.buildinfo
Files:
 e5c741088cba2ff031f4ebef8960831e 2338 misc optional edk2_0~20190309.89910a39-1.dsc
 41ff12588d839a58b80283dedc866c4a 23339972 misc optional edk2_0~20190309.89910a39.orig.tar.xz
 341a1fbb571a6d42d9d33c3751dadb26 15228 misc optional edk2_0~20190309.89910a39-1.debian.tar.xz
 eca5e225c19e87f43347546e83c829a0 7456 misc optional edk2_0~20190309.89910a39-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Reply sent to dann frazier <dannf@debian.org>:
You have taken responsibility. (Fri, 05 Apr 2019 05:36:11 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Fri, 05 Apr 2019 05:36:11 GMT)


Message #24 received at 924615-close@bugs.debian.org:

From: dann frazier <dannf@debian.org>
To: 924615-close@bugs.debian.org
Subject: Bug#924615: fixed in edk2 0~20161202.7bbe0b3e-1+deb9u1
Date: Fri, 05 Apr 2019 05:32:17 +0000
Source: edk2
Source-Version: 0~20161202.7bbe0b3e-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
edk2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924615@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
dann frazier <dannf@debian.org> (supplier of updated edk2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 18 Mar 2019 14:12:49 -0600
Source: edk2
Architecture: source
Version: 0~20161202.7bbe0b3e-1+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: dann frazier <dannf@debian.org>
Closes: 924615
Changes:
 edk2 (0~20161202.7bbe0b3e-1+deb9u1) stretch; urgency=medium
 .
   * Security fixes (Closes: #924615):
     - Fix buffer overflow in BlockIo service (CVE-2018-12180)
     - DNS: Check received packet size before using (CVE-2018-12178)
     - Fix stack overflow with corrupted BMP (CVE-2018-12181)
Checksums-Sha1:
 050c109167f14753afc21c6ba1b0f4d82752d473 2236 edk2_0~20161202.7bbe0b3e-1+deb9u1.dsc
 97c6a851ea2871ffe86941c96e94ca1b32fb6f8c 19416 edk2_0~20161202.7bbe0b3e-1+deb9u1.debian.tar.xz
 2be4cffc732e5d4b2deb7f8464ca494999c7a9db 6893 edk2_0~20161202.7bbe0b3e-1+deb9u1_source.buildinfo
Checksums-Sha256:
 1544ddd2458f18c4ec1ea10b1b14486e7fc63a7a1f68ee9a36e305740ffe8538 2236 edk2_0~20161202.7bbe0b3e-1+deb9u1.dsc
 a22d96e51f623eb06ea9b3480d2771cafb46860d0affc4a8753b851480d285c3 19416 edk2_0~20161202.7bbe0b3e-1+deb9u1.debian.tar.xz
 70152a5a517c7f72347efebea2fe11f5d741060dc6a77883c0e0018e06c17d66 6893 edk2_0~20161202.7bbe0b3e-1+deb9u1_source.buildinfo
Files:
 9fe04f9aa7af1ab55e748791b0a29305 2236 misc extra edk2_0~20161202.7bbe0b3e-1+deb9u1.dsc
 6da741b84b6dee99605e64b1f76d5356 19416 misc extra edk2_0~20161202.7bbe0b3e-1+deb9u1.debian.tar.xz
 ecd89822da1bdaec149b3697f78ad55f 6893 misc extra edk2_0~20161202.7bbe0b3e-1+deb9u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 03 May 2019 07:25:46 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:47:52 2019; Machine Name: buxtehude
