CVE-2022-36763 (https://github.com/tianocore/edk2/security/advisories/GHSA-xvv8-66cq-prwr): EDK2 is susceptible to a vulnerability in the Tcg2MeasureGptTable() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability.

CVE-2022-36764 (https://github.com/tianocore/edk2/security/advisories/GHSA-4hcq-p8q8-hj8j): EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability.

CVE-2022-36765 (https://github.com/tianocore/edk2/security/advisories/GHSA-ch4w-v7m3-g8wx): EDK2 is susceptible to a vulnerability in the CreateHob() function, allowing a user to trigger an integer overflow to buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability.

The above are planned to be fixed in their February 2024 release with a patch available here: https://bugzilla.tianocore.org/show_bug.cgi?id=4117
Oops, I forgot to specify patches and their relevant CVEs:

CVE-2022-36763 patch: https://bugzilla.tianocore.org/show_bug.cgi?id=4117
CVE-2022-36764 patch: https://bugzilla.tianocore.org/show_bug.cgi?id=4118
CVE-2022-36765 patch: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
Packages have been renamed to sys-firmware/edk2 and sys-firmware/edk2-bin.