Debian Bug report logs - #977300
CVE-2019-14584
Package: src:edk2;
Maintainer for src:edk2 is Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>;
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Sun, 13 Dec 2020 19:00:01 UTC
Severity: important
Tags: security
Forwarded to bugzillatianocoreo ...
A security issue was found in edk2 up to edk2-stable202011. AuthenticodeVerify() calls OpenSSL's d2i_PKCS7() API to parse asn encoded signed authenticode pkcs#7 data. When this successfully returns, a type check is done by calling PKCS7_type_is_signed() and then Pkcs7->d.sign->contents->type is used. It is possible to construct an asn1 blob ...