[edk2-devel] [PATCH 0/9] Fix false negative issue in DxeImageVerificationHandler

Wang, Jian J posted 9 patches 1 week ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/edk2 tags/patchew/20200206141933.356-1-jian.j.wang@intel.com
.../DxeImageVerificationLib.c                 | 283 ++++++++++++------
1 file changed, 191 insertions(+), 92 deletions(-)

[edk2-devel] [PATCH 0/9] Fix false negative issue in DxeImageVerificationHandler

Posted by Wang, Jian J 1 week ago
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
Patch branch: https://github.com/jwang36/edk2/tree/fix-bz1608-bypass-blacklist-check-via-signature

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>

Jian J Wang (8):
  SecurityPkg/DxeImageVerificationLib: Fix memory leaks(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: reject CertStack.CertNumber==0
    per DBX(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: fix wrong fetching dbx in
    IsAllowedByDb(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: avoid bypass in fetching dbx in
    IsAllowedByDb(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: refactor db/dbx fetching code in
    IsAllowedByDb(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: Differentiate error and search
    result in IsCertHashFoundInDatabase(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: tighten default result of
    IsForbiddenByDbx()(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: Differentiate error and search
    result in IsSignatureFoundInDatabase(CVE-2019-14575)

Laszlo Ersek (1):
  SecurityPkg/DxeImageVerificationLib: plug Data leak in
    IsForbiddenByDbx()(CVE-2019-14575)

 .../DxeImageVerificationLib.c                 | 283 ++++++++++++------
 1 file changed, 191 insertions(+), 92 deletions(-)

-- 
2.24.0.windows.2


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#53866): https://edk2.groups.io/g/devel/message/53866
Mute This Topic: https://groups.io/mt/71023416/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH 0/9] Fix false negative issue in DxeImageVerificationHandler

Posted by Liming Gao 5 days ago
Jian, Jiewen and Chao:
  Does this patch catch to edk2 Q1 stable tag? If yes, can this patch be reviewed this week, because Q1 stable tag soft feature freeze is 2020-02-14.

Thanks
Liming
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wang, Jian J
> Sent: Thursday, February 6, 2020 10:19 PM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>
> Subject: [edk2-devel] [PATCH 0/9] Fix false negative issue in DxeImageVerificationHandler
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
> 
> Patch branch: https://github.com/jwang36/edk2/tree/fix-bz1608-bypass-blacklist-check-via-signature
> 
> 
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> 
> Cc: Chao Zhang <chao.b.zhang@intel.com>
> 
> 
> Jian J Wang (8):
>   SecurityPkg/DxeImageVerificationLib: Fix memory leaks(CVE-2019-14575)
>   SecurityPkg/DxeImageVerificationLib: reject CertStack.CertNumber==0
>     per DBX(CVE-2019-14575)
>   SecurityPkg/DxeImageVerificationLib: fix wrong fetching dbx in
>     IsAllowedByDb(CVE-2019-14575)
>   SecurityPkg/DxeImageVerificationLib: avoid bypass in fetching dbx in
>     IsAllowedByDb(CVE-2019-14575)
>   SecurityPkg/DxeImageVerificationLib: refactor db/dbx fetching code in
>     IsAllowedByDb(CVE-2019-14575)
>   SecurityPkg/DxeImageVerificationLib: Differentiate error and search
>     result in IsCertHashFoundInDatabase(CVE-2019-14575)
>   SecurityPkg/DxeImageVerificationLib: tighten default result of
>     IsForbiddenByDbx()(CVE-2019-14575)
>   SecurityPkg/DxeImageVerificationLib: Differentiate error and search
>     result in IsSignatureFoundInDatabase(CVE-2019-14575)
> 
> Laszlo Ersek (1):
>   SecurityPkg/DxeImageVerificationLib: plug Data leak in
>     IsForbiddenByDbx()(CVE-2019-14575)
> 
>  .../DxeImageVerificationLib.c                 | 283 ++++++++++++------
>  1 file changed, 191 insertions(+), 92 deletions(-)
> 
> --
> 2.24.0.windows.2
> 
> 
> -=-=-=-=-=-=
> Groups.io Links: You receive all messages sent to this group.
> 
> View/Reply Online (#53866): https://edk2.groups.io/g/devel/message/53866
> Mute This Topic: https://groups.io/mt/71023416/1759384
> Group Owner: devel+owner@edk2.groups.io
> Unsubscribe: https://edk2.groups.io/g/devel/unsub  [liming.gao@intel.com]
> -=-=-=-=-=-=


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#54325): https://edk2.groups.io/g/devel/message/54325
Mute This Topic: https://groups.io/mt/71023416/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-