Debian Bug report logs -
#1060408
edk2: CVE-2022-36763 CVE-2022-36764 CVE-2022-36765
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
:
Bug#1060408
; Package src:edk2
.
(Wed, 10 Jan 2024 19:48:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
.
(Wed, 10 Jan 2024 19:48:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: edk2
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for edk2.
CVE-2022-36763[0]:
| EDK2 is susceptible to a vulnerability in the Tcg2MeasureGptTable()
| function, allowing a user to trigger a heap buffer overflow via a
| local network. Successful exploitation of this vulnerability may
| result in a compromise of confidentiality, integrity, and/or
| availability.
https://github.com/tianocore/edk2/security/advisories/GHSA-xvv8-66cq-prwr
https://bugzilla.tianocore.org/show_bug.cgi?id=4117
CVE-2022-36764[1]:
| EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage()
| function, allowing a user to trigger a heap buffer overflow via a
| local network. Successful exploitation of this vulnerability may
| result in a compromise of confidentiality, integrity, and/or
| availability.
https://github.com/tianocore/edk2/security/advisories/GHSA-4hcq-p8q8-hj8j
https://bugzilla.tianocore.org/show_bug.cgi?id=4118
CVE-2022-36765[2]:
| EDK2 is susceptible to a vulnerability in the CreateHob() function,
| allowing a user to trigger a integer overflow to buffer overflow via
| a local network. Successful exploitation of this vulnerability may
| result in a compromise of confidentiality, integrity, and/or
| availability.
https://github.com/tianocore/edk2/security/advisories/GHSA-ch4w-v7m3-g8wx
https://bugzilla.tianocore.org/show_bug.cgi?id=4166
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-36763
https://www.cve.org/CVERecord?id=CVE-2022-36763
[1] https://security-tracker.debian.org/tracker/CVE-2022-36764
https://www.cve.org/CVERecord?id=CVE-2022-36764
[2] https://security-tracker.debian.org/tracker/CVE-2022-36765
https://www.cve.org/CVERecord?id=CVE-2022-36765
Please adjust the affected versions in the BTS as needed.
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Wed, 10 Jan 2024 20:09:02 GMT) (full text, mbox, link).
Marked as found in versions edk2/2023.11-2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Wed, 10 Jan 2024 20:09:03 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Thu Jan 11 08:20:07 2024;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.