subject:"Bug#924945\: stretch\-pu\: package edk2\/0\~20161202.7bbe0b3e\-1\+deb9u1"

Bug#924945: stretch-pu: package edk2/0~20161202.7bbe0b3e-1+deb9u1

2019-03-31 Thread Adam D. Barratt

Control: tags -1 + confirmed

On Mon, 2019-03-18 at 14:17 -0600, dann frazier wrote:
> Fixes 3 CVEs.
> 

Please go ahead.

Regards,

Adam

Bug#924945: stretch-pu: package edk2/0~20161202.7bbe0b3e-1+deb9u1

2019-03-18 Thread dann frazier

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Fixes 3 CVEs.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.20.0-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru edk2-0~20161202.7bbe0b3e/debian/changelog 
edk2-0~20161202.7bbe0b3e/debian/changelog
--- edk2-0~20161202.7bbe0b3e/debian/changelog   2016-12-09 01:09:39.0 
-0700
+++ edk2-0~20161202.7bbe0b3e/debian/changelog   2019-03-18 14:12:49.0 
-0600
@@ -1,3 +1,12 @@
+edk2 (0~20161202.7bbe0b3e-1+deb9u1) stretch; urgency=medium
+
+  * Security fixes (Closes: #924615):
+- Fix buffer overflow in BlockIo service (CVE-2018-12180)
+- DNS: Check received packet size before using (CVE-2018-12178)
+- Fix stack overflow with corrupted BMP (CVE-2018-12181)
+
+ -- dann frazier   Mon, 18 Mar 2019 14:12:49 -0600
+
 edk2 (0~20161202.7bbe0b3e-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru 
edk2-0~20161202.7bbe0b3e/debian/patches/-MdeModulePkg-HiiDB-Avoid-incorrect-results-of-multip.patch
 
edk2-0~20161202.7bbe0b3e/debian/patches/-MdeModulePkg-HiiDB-Avoid-incorrect-results-of-multip.patch
--- 
edk2-0~20161202.7bbe0b3e/debian/patches/-MdeModulePkg-HiiDB-Avoid-incorrect-results-of-multip.patch
 1969-12-31 17:00:00.0 -0700
+++ 
edk2-0~20161202.7bbe0b3e/debian/patches/-MdeModulePkg-HiiDB-Avoid-incorrect-results-of-multip.patch
 2019-03-18 14:12:49.0 -0600
@@ -0,0 +1,144 @@
+From: Dandan Bi 
+Date: Wed, 12 Apr 2017 11:21:52 +0800
+Subject: [PATCH] MdeModulePkg/HiiDB: Avoid incorrect results of multiplication
+
+An example:
+The codes in function Output8bitPixel in Image.c:
+OffsetY = BITMAP_LEN_8_BIT ((UINT32) Image->Width, Ypos);
+
+Both Image->Width and Ypos are of type UINT16. They will be promoted to
+int (signed) first, and then perform the multiplication defined by macro
+BITMAP_LEN_8_BIT. If the result of multiplication between Image->Width and
+Ypos exceeds the range of type int, a potential incorrect results
+will be assigned to OffsetY.
+
+This commit adds explicit UINT32 type cast for 'Image->Width' to avoid
+possible overflow in the int range. And also fix similar issues in
+HiiDatabase.
+
+Cc: Eric Dong 
+Cc: Liming Gao 
+Cc: Hao Wu 
+Contributed-under: TianoCore Contribution Agreement 1.0
+Signed-off-by: Dandan Bi 
+Reviewed-by: Hao Wu 
+
+Origin: 
https://github.com/tianocore/edk2/commit/f76bc44362e5f0a2ea509c07b2f6846bd9833ee8
+Bug-Debian: https://bugs.debian.org/924615
+Last-Update: 2019-03-18
+
+diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c 
b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
+index e2fa16e6e0..431a5b8454 100644
+--- a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
 b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
+@@ -105,7 +105,7 @@ GetImageIdOrAddress (
+ case EFI_HII_IIBT_IMAGE_8BIT_TRANS:
+   Length = sizeof (EFI_HII_IIBT_IMAGE_8BIT_BLOCK) - sizeof (UINT8) +
+BITMAP_LEN_8_BIT (
+- ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) 
CurrentImageBlock)->Bitmap.Width),
++ (UINT32) ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK 
*) CurrentImageBlock)->Bitmap.Width),
+  ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *) 
CurrentImageBlock)->Bitmap.Height)
+  );
+   ImageIdCurrent++;
+@@ -115,7 +115,7 @@ GetImageIdOrAddress (
+ case EFI_HII_IIBT_IMAGE_24BIT_TRANS:
+   Length = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof 
(EFI_HII_RGB_PIXEL) +
+BITMAP_LEN_24_BIT (
+- ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK 
*) CurrentImageBlock)->Bitmap.Width),
++ (UINT32) ReadUnaligned16 ((VOID *) 
&((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width),
+  ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK 
*) CurrentImageBlock)->Bitmap.Height)
+  );
+   ImageIdCurrent++;
+@@ -453,7 +453,7 @@ Output8bitPixel (
+   // Convert the pixel from 8 bits to corresponding color.
+   //
+   for (Ypos = 0; Ypos < Image->Height; Ypos++) {
+-OffsetY = BITMAP_LEN_8_BIT (Image->Width, Ypos);
++OffsetY = BITMAP_LEN_8_BIT ((UINT32) Image->Width, Ypos);
+ //
+ // All bits are meaningful since the bitmap is 8 bits per pixel.
+ //
+@@ -493,7 +493,7 @@ Output24bitPixel (
+   BitMapPtr = Image->Bitmap;
+ 
+   for (Ypos = 0; Ypos < Image->Height; Ypos++) {
+-OffsetY = BITMAP_LEN_8_BIT (Image->Width, Ypos);
++OffsetY = BITMAP_LEN_8_BIT ((UINT32)

Bug#924945: stretch-pu: package edk2/0~20161202.7bbe0b3e-1+deb9u1

Bug#924945: stretch-pu: package edk2/0~20161202.7bbe0b3e-1+deb9u1

2 matches

Site Navigation

Mail list logo

Footer information