797232 – (CVE-2019-14584) <sys-firmware/edk2-202105: privilege escalation with local access (CVE-2019-14584)

Bug 797232 (CVE-2019-14584) - <sys-firmware/edk2-202105: privilege escalation with local access (CVE-2019-14584)

Summary: <sys-firmware/edk2-202105: privilege escalation with local access (CVE-2019-1...

Status:	IN_PROGRESS

Alias:	CVE-2019-14584

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:	?? [glsa?]
Keywords:

Depends on:	801925 814122
Blocks:	CVE-2021-28211
	Show dependency tree

Reported:	2021-06-20 23:20 UTC by John Helmert III
Modified:	2024-10-10 16:36 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-06-20 23:20:35 UTC

CVE-2019-14584 (https://bugzilla.redhat.com/show_bug.cgi?id=1889486):

Null pointer dereference in Tianocore EDK2 may allow an authenticated user to potentially enable escalation of privilege via local access.


Patch (in 202105): https://github.com/tianocore/edk2/commit/26442d11e620a9e81c019a24a4ff38441c64ba10

Comment 1 Larry the Git Cow gentoo-dev

2021-06-26 22:23:57 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=944a1bda9e2a0614e3a176588bb57477813e43dd

commit 944a1bda9e2a0614e3a176588bb57477813e43dd
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2021-06-26 22:16:40 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2021-06-26 22:23:52 +0000

    sys-firmware/edk2-ovmf: version bump to 202105
    
    Bug: https://bugs.gentoo.org/797703
    Bug: https://bugs.gentoo.org/797232
    Bug: https://bugs.gentoo.org/798777
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 sys-firmware/edk2-ovmf/Manifest                |   3 +
 sys-firmware/edk2-ovmf/edk2-ovmf-202105.ebuild | 173 +++++++++++++++++++++++++
 2 files changed, 176 insertions(+)

Comment 2 Matthias Maier gentoo-dev

2021-06-26 22:27:06 UTC

202105 is now in tree. Let's postpone stabiliziation and cleanup for a bit to get some testing in.

Comment 3 NATTkA bot gentoo-dev

2021-07-29 17:21:38 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 4 NATTkA bot gentoo-dev

2021-07-29 17:29:47 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 5 NATTkA bot gentoo-dev

2021-07-29 17:37:45 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 6 NATTkA bot gentoo-dev

2021-07-29 17:45:51 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 7 NATTkA bot gentoo-dev

2021-07-29 17:53:54 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 8 NATTkA bot gentoo-dev

2021-07-29 18:01:49 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 9 NATTkA bot gentoo-dev

2021-07-29 18:10:09 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 10 Sam James archtester

2021-08-10 04:45:18 UTC

Throwing in QEMU because it needs the same firmware.

Comment 11 NATTkA bot gentoo-dev

2021-09-07 17:40:41 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: app-emulation/qemu-6.0.0-r52

Comment 12 NATTkA bot gentoo-dev

2021-09-08 19:44:39 UTC Comment hidden (obsolete)

All sanity-check issues have been resolved

Comment 13 NATTkA bot gentoo-dev

2021-09-20 20:36:39 UTC

Resetting sanity check; package list is empty or all packages are done.

Comment 14 John Helmert III archtester

2021-10-09 19:51:14 UTC

Please cleanup.

Comment 15 Larry the Git Cow gentoo-dev

2022-01-04 00:02:15 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dee51fb9e273c98d521b6d7083030f89d8c13ad5

commit dee51fb9e273c98d521b6d7083030f89d8c13ad5
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2022-01-03 23:51:34 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2022-01-04 00:02:11 +0000

    sys-firmware/edk2-ovmf: clean up vulnerable
    
    Bug: https://bugs.gentoo.org/797232
    Bug: https://bugs.gentoo.org/797703
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 sys-firmware/edk2-ovmf/Manifest                |   3 -
 sys-firmware/edk2-ovmf/edk2-ovmf-202008.ebuild | 186 -------------------------
 2 files changed, 189 deletions(-)

Comment 16 James Le Cuirot gentoo-dev

2024-10-10 16:36:36 UTC

Package has been renamed to sys-firmware/edk2.