group.of.nepali.translators team mailing list archive

Thread
Date
[Bug 1820764] Re: CVE-2018-12178 CVE-2018-12180 CVE-2018-12181

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1820764@xxxxxxxxxxxxxxxxxx>
Date: Thu, 30 Apr 2020 19:43:25 -0000
Reply-to: Bug 1820764 <1820764@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
This bug was fixed in the package edk2 - 0~20160408.ffea0a2c-2ubuntu0.1

---------------
edk2 (0~20160408.ffea0a2c-2ubuntu0.1) xenial; urgency=medium

  * Security fixes (LP: #1820764):
    - Fix buffer overflow in BlockIo service (CVE-2018-12180)
    - DNS: Check received packet size before using (CVE-2018-12178)
    - Fix stack overflow with corrupted BMP (CVE-2018-12181)
  * Fix numeric truncation in S3BootScript[Save]*() API. (CVE-2019-14563)
  * Fix use-after-free in PcdHiiOsRuntimeSupport. (CVE-2019-14586)
  * Clear memory before free to avoid potential password leak.
    (CVE-2019-14558)
  * Fix double-unmap in SdMmcCreateTrb(). This did not impact any
    of the images built from this package. (CVE-2019-14587)
  * Fix memory leak in ArpOnFrameRcvdDpc(). (CVE-2019-14559)
  * Fix issue that could allow an efi image with a blacklisted hash in the
    dbx to be loaded. (CVE-2019-14575)
  * Fix a memory leak in the ARP handler. (CVE-2019-14559)

 -- dann frazier <dannf@xxxxxxxxxx>  Thu, 16 Apr 2020 09:05:29 -0600

** Changed in: edk2 (Ubuntu Xenial)
       Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-14558

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-14559

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-14563

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-14575

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-14586

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-14587

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1820764

Title:
  CVE-2018-12178 CVE-2018-12180 CVE-2018-12181

Status in edk2 package in Ubuntu:
  Fix Released
Status in edk2 source package in Precise:
  Confirmed
Status in edk2 source package in Trusty:
  Confirmed
Status in edk2 source package in Xenial:
  Fix Released
Status in edk2 source package in Bionic:
  Fix Released
Status in edk2 source package in Cosmic:
  Fix Released
Status in edk2 source package in Disco:
  Fix Released
Status in edk2 package in Debian:
  Fix Released

Bug description:
  [Impact]
  Security vulnerabilities.

  [Test Case]
  Regression tested only (boot Ubuntu from disk, PXE boot)

  [Fix]
  https://github.com/tianocore/edk2/commit/84110bbe4bb3a346514b9bb12eadb7586bca7dfd
  https://github.com/tianocore/edk2/commit/ffe5f7a6b4e978dffbe1df228963adc914451106
  https://github.com/tianocore/edk2/commit/fccdb88022c1f6d85c773fce506b10c879063f1d
  https://github.com/tianocore/edk2/commit/89910a39dcfd788057caa5d88b7e76e112d187b5
  https://github.com/tianocore/edk2/commit/38c9fbdcaa0219eb86fe82d90e3f8cfb5a54be9f

  [Regression Risk]
  Risks include breaking DNS is some circumstances, possibly breaking image processing, partition detection, and RAM disk usage. This is mitigated by these patches having been upstream for some time, having already shipped in Ubuntu 19.04, and requiring minimal backporting to the Ubuntu versions.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/1820764/+subscriptions