[edk2-devel] [PATCH v2 00/10] Fix false negative issue in DxeImageVerificationHandler

Wang, Jian J posted 10 patches 3 days ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/edk2 tags/patchew/20200214072745.1570-1-jian.j.wang@intel.com
.../DxeImageVerificationLib.c                 | 291 ++++++++++++------
1 file changed, 198 insertions(+), 93 deletions(-)

[edk2-devel] [PATCH v2 00/10] Fix false negative issue in DxeImageVerificationHandler

Posted by Wang, Jian J 3 days ago
> v2 changes:
>    - Change IsCertHashFoundInDatabase to IsCertHashFoundInDbx (patch 10)
>    - Update result handling to all calling to IsCertHashFoundInDatabase
>      to be consistent (patch 6)
>    - Fix commit message and title length issue caught by PatchCheck tool

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
Patch branch: https://github.com/jwang36/edk2/tree/fix-bz1608-bypass-blacklist-check-via-signature-v2

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>

Jian J Wang (9):
  SecurityPkg/DxeImageVerificationLib: Fix memory leaks(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: reject CertStack.CertNumber==0
    per DBX(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: fix wrong fetch dbx in
    IsAllowedByDb(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: avoid bypass in fetching
    dbx(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: refactor db/dbx fetching
    code(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: Differentiate error/search result
    (1)(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: tighten default
    result(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: Differentiate error/search result
    (2)(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: change IsCertHashFoundInDatabase
    name(CVE-2019-14575)

Laszlo Ersek (1):
  SecurityPkg/DxeImageVerificationLib: plug Data leak in
    IsForbiddenByDbx()(CVE-2019-14575)

 .../DxeImageVerificationLib.c                 | 291 ++++++++++++------
 1 file changed, 198 insertions(+), 93 deletions(-)

-- 
2.24.0.windows.2


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#54416): https://edk2.groups.io/g/devel/message/54416
Mute This Topic: https://groups.io/mt/71264897/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH v2 00/10] Fix false negative issue in DxeImageVerificationHandler

Posted by Laszlo Ersek 18 hours ago
On 02/14/20 08:27, Wang, Jian J wrote:
>> v2 changes:
>>    - Change IsCertHashFoundInDatabase to IsCertHashFoundInDbx (patch 10)
>>    - Update result handling to all calling to IsCertHashFoundInDatabase
>>      to be consistent (patch 6)
>>    - Fix commit message and title length issue caught by PatchCheck tool
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
> Patch branch: https://github.com/jwang36/edk2/tree/fix-bz1608-bypass-blacklist-check-via-signature-v2
> 
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Chao Zhang <chao.b.zhang@intel.com>
> 
> Jian J Wang (9):
>   SecurityPkg/DxeImageVerificationLib: Fix memory leaks(CVE-2019-14575)
>   SecurityPkg/DxeImageVerificationLib: reject CertStack.CertNumber==0
>     per DBX(CVE-2019-14575)
>   SecurityPkg/DxeImageVerificationLib: fix wrong fetch dbx in
>     IsAllowedByDb(CVE-2019-14575)
>   SecurityPkg/DxeImageVerificationLib: avoid bypass in fetching
>     dbx(CVE-2019-14575)
>   SecurityPkg/DxeImageVerificationLib: refactor db/dbx fetching
>     code(CVE-2019-14575)
>   SecurityPkg/DxeImageVerificationLib: Differentiate error/search result
>     (1)(CVE-2019-14575)
>   SecurityPkg/DxeImageVerificationLib: tighten default
>     result(CVE-2019-14575)
>   SecurityPkg/DxeImageVerificationLib: Differentiate error/search result
>     (2)(CVE-2019-14575)
>   SecurityPkg/DxeImageVerificationLib: change IsCertHashFoundInDatabase
>     name(CVE-2019-14575)
> 
> Laszlo Ersek (1):
>   SecurityPkg/DxeImageVerificationLib: plug Data leak in
>     IsForbiddenByDbx()(CVE-2019-14575)
> 
>  .../DxeImageVerificationLib.c                 | 291 ++++++++++++------
>  1 file changed, 198 insertions(+), 93 deletions(-)
> 

Please put a space character in all the subject lines before the
"(CVE-2019-14575)" part.

Thanks
Laszlo


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#54540): https://edk2.groups.io/g/devel/message/54540
Mute This Topic: https://groups.io/mt/71264897/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH v2 00/10] Fix false negative issue in DxeImageVerificationHandler

Posted by Wang, Jian J 18 hours ago
Laszlo,

> -----Original Message-----
> From: Laszlo Ersek <lersek@redhat.com>
> Sent: Monday, February 17, 2020 3:49 PM
> To: devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B
> <chao.b.zhang@intel.com>
> Subject: Re: [edk2-devel] [PATCH v2 00/10] Fix false negative issue in
> DxeImageVerificationHandler
> 
> On 02/14/20 08:27, Wang, Jian J wrote:
> >> v2 changes:
> >>    - Change IsCertHashFoundInDatabase to IsCertHashFoundInDbx (patch 10)
> >>    - Update result handling to all calling to IsCertHashFoundInDatabase
> >>      to be consistent (patch 6)
> >>    - Fix commit message and title length issue caught by PatchCheck tool
> >
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
> > Patch branch: https://github.com/jwang36/edk2/tree/fix-bz1608-bypass-
> blacklist-check-via-signature-v2
> >
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Chao Zhang <chao.b.zhang@intel.com>
> >
> > Jian J Wang (9):
> >   SecurityPkg/DxeImageVerificationLib: Fix memory leaks(CVE-2019-14575)
> >   SecurityPkg/DxeImageVerificationLib: reject CertStack.CertNumber==0
> >     per DBX(CVE-2019-14575)
> >   SecurityPkg/DxeImageVerificationLib: fix wrong fetch dbx in
> >     IsAllowedByDb(CVE-2019-14575)
> >   SecurityPkg/DxeImageVerificationLib: avoid bypass in fetching
> >     dbx(CVE-2019-14575)
> >   SecurityPkg/DxeImageVerificationLib: refactor db/dbx fetching
> >     code(CVE-2019-14575)
> >   SecurityPkg/DxeImageVerificationLib: Differentiate error/search result
> >     (1)(CVE-2019-14575)
> >   SecurityPkg/DxeImageVerificationLib: tighten default
> >     result(CVE-2019-14575)
> >   SecurityPkg/DxeImageVerificationLib: Differentiate error/search result
> >     (2)(CVE-2019-14575)
> >   SecurityPkg/DxeImageVerificationLib: change IsCertHashFoundInDatabase
> >     name(CVE-2019-14575)
> >
> > Laszlo Ersek (1):
> >   SecurityPkg/DxeImageVerificationLib: plug Data leak in
> >     IsForbiddenByDbx()(CVE-2019-14575)
> >
> >  .../DxeImageVerificationLib.c                 | 291 ++++++++++++------
> >  1 file changed, 198 insertions(+), 93 deletions(-)
> >
> 
> Please put a space character in all the subject lines before the
> "(CVE-2019-14575)" part.
> 

Ok, it'll be added before pushing.

Regards,
Jian
> Thanks
> Laszlo


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#54542): https://edk2.groups.io/g/devel/message/54542
Mute This Topic: https://groups.io/mt/71264897/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-