Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
Fixes 3 CVEs.
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1,
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.20.0-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru edk2-0~20161202.7bbe0b3e/debian/changelog
edk2-0~20161202.7bbe0b3e/debian/changelog
--- edk2-0~20161202.7bbe0b3e/debian/changelog 2016-12-09 01:09:39.0
-0700
+++ edk2-0~20161202.7bbe0b3e/debian/changelog 2019-03-18 14:12:49.0
-0600
@@ -1,3 +1,12 @@
+edk2 (0~20161202.7bbe0b3e-1+deb9u1) stretch; urgency=medium
+
+ * Security fixes (Closes: #924615):
+- Fix buffer overflow in BlockIo service (CVE-2018-12180)
+- DNS: Check received packet size before using (CVE-2018-12178)
+- Fix stack overflow with corrupted BMP (CVE-2018-12181)
+
+ -- dann frazier Mon, 18 Mar 2019 14:12:49 -0600
+
edk2 (0~20161202.7bbe0b3e-1) unstable; urgency=medium
* New upstream release.
diff -Nru
edk2-0~20161202.7bbe0b3e/debian/patches/-MdeModulePkg-HiiDB-Avoid-incorrect-results-of-multip.patch
edk2-0~20161202.7bbe0b3e/debian/patches/-MdeModulePkg-HiiDB-Avoid-incorrect-results-of-multip.patch
---
edk2-0~20161202.7bbe0b3e/debian/patches/-MdeModulePkg-HiiDB-Avoid-incorrect-results-of-multip.patch
1969-12-31 17:00:00.0 -0700
+++
edk2-0~20161202.7bbe0b3e/debian/patches/-MdeModulePkg-HiiDB-Avoid-incorrect-results-of-multip.patch
2019-03-18 14:12:49.0 -0600
@@ -0,0 +1,144 @@
+From: Dandan Bi
+Date: Wed, 12 Apr 2017 11:21:52 +0800
+Subject: [PATCH] MdeModulePkg/HiiDB: Avoid incorrect results of multiplication
+
+An example:
+The codes in function Output8bitPixel in Image.c:
+OffsetY = BITMAP_LEN_8_BIT ((UINT32) Image->Width, Ypos);
+
+Both Image->Width and Ypos are of type UINT16. They will be promoted to
+int (signed) first, and then perform the multiplication defined by macro
+BITMAP_LEN_8_BIT. If the result of multiplication between Image->Width and
+Ypos exceeds the range of type int, a potential incorrect results
+will be assigned to OffsetY.
+
+This commit adds explicit UINT32 type cast for 'Image->Width' to avoid
+possible overflow in the int range. And also fix similar issues in
+HiiDatabase.
+
+Cc: Eric Dong
+Cc: Liming Gao
+Cc: Hao Wu
+Contributed-under: TianoCore Contribution Agreement 1.0
+Signed-off-by: Dandan Bi
+Reviewed-by: Hao Wu
+
+Origin:
https://github.com/tianocore/edk2/commit/f76bc44362e5f0a2ea509c07b2f6846bd9833ee8
+Bug-Debian: https://bugs.debian.org/924615
+Last-Update: 2019-03-18
+
+diff --git a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
+index e2fa16e6e0..431a5b8454 100644
+--- a/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
b/MdeModulePkg/Universal/HiiDatabaseDxe/Image.c
+@@ -105,7 +105,7 @@ GetImageIdOrAddress (
+ case EFI_HII_IIBT_IMAGE_8BIT_TRANS:
+ Length = sizeof (EFI_HII_IIBT_IMAGE_8BIT_BLOCK) - sizeof (UINT8) +
+BITMAP_LEN_8_BIT (
+- ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *)
CurrentImageBlock)->Bitmap.Width),
++ (UINT32) ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK
*) CurrentImageBlock)->Bitmap.Width),
+ ReadUnaligned16 (&((EFI_HII_IIBT_IMAGE_8BIT_BLOCK *)
CurrentImageBlock)->Bitmap.Height)
+ );
+ ImageIdCurrent++;
+@@ -115,7 +115,7 @@ GetImageIdOrAddress (
+ case EFI_HII_IIBT_IMAGE_24BIT_TRANS:
+ Length = sizeof (EFI_HII_IIBT_IMAGE_24BIT_BLOCK) - sizeof
(EFI_HII_RGB_PIXEL) +
+BITMAP_LEN_24_BIT (
+- ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK
*) CurrentImageBlock)->Bitmap.Width),
++ (UINT32) ReadUnaligned16 ((VOID *)
&((EFI_HII_IIBT_IMAGE_24BIT_BLOCK *) CurrentImageBlock)->Bitmap.Width),
+ ReadUnaligned16 ((VOID *) &((EFI_HII_IIBT_IMAGE_24BIT_BLOCK
*) CurrentImageBlock)->Bitmap.Height)
+ );
+ ImageIdCurrent++;
+@@ -453,7 +453,7 @@ Output8bitPixel (
+ // Convert the pixel from 8 bits to corresponding color.
+ //
+ for (Ypos = 0; Ypos < Image->Height; Ypos++) {
+-OffsetY = BITMAP_LEN_8_BIT (Image->Width, Ypos);
++OffsetY = BITMAP_LEN_8_BIT ((UINT32) Image->Width, Ypos);
+ //
+ // All bits are meaningful since the bitmap is 8 bits per pixel.
+ //
+@@ -493,7 +493,7 @@ Output24bitPixel (
+ BitMapPtr = Image->Bitmap;
+
+ for (Ypos = 0; Ypos < Image->Height; Ypos++) {
+-OffsetY = BITMAP_LEN_8_BIT (Image->Width, Ypos);
++OffsetY = BITMAP_LEN_8_BIT ((UINT32)