
Bug 797232 (CVE-2019-14584)

Summary: <sys-firmware/edk2-ovmf-202105: privilege escalation with local access (CVE-2019-14584)
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---
Severity: normal
CC: tamiko, virtualization
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ?? [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 801925, 814122    
Bug Blocks: 797703    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-20 23:20:35 UTC
CVE-2019-14584 (https://bugzilla.redhat.com/show_bug.cgi?id=1889486):

Null pointer dereference in Tianocore EDK2 may allow an authenticated user to potentially enable escalation of privilege via local access.


Patch (in 202105): https://github.com/tianocore/edk2/commit/26442d11e620a9e81c019a24a4ff38441c64ba10
Comment 1 Larry the Git Cow gentoo-dev 2021-06-26 22:23:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=944a1bda9e2a0614e3a176588bb57477813e43dd

commit 944a1bda9e2a0614e3a176588bb57477813e43dd
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2021-06-26 22:16:40 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2021-06-26 22:23:52 +0000

    sys-firmware/edk2-ovmf: version bump to 202105
    
    Bug: https://bugs.gentoo.org/797703
    Bug: https://bugs.gentoo.org/797232
    Bug: https://bugs.gentoo.org/798777
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 sys-firmware/edk2-ovmf/Manifest                |   3 +
 sys-firmware/edk2-ovmf/edk2-ovmf-202105.ebuild | 173 +++++++++++++++++++++++++
 2 files changed, 176 insertions(+)
Comment 2 Matthias Maier gentoo-dev 2021-06-26 22:27:06 UTC
202105 is now in tree. Let's postpone stabilization and cleanup for a bit to get some testing in.
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-10 04:45:18 UTC
Throwing in QEMU because it needs the same firmware.
Comment 13 NATTkA bot gentoo-dev 2021-09-20 20:36:39 UTC
Resetting sanity check; package list is empty or all packages are done.
Comment 14 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-09 19:51:14 UTC
Please clean up.
Comment 15 Larry the Git Cow gentoo-dev 2022-01-04 00:02:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dee51fb9e273c98d521b6d7083030f89d8c13ad5

commit dee51fb9e273c98d521b6d7083030f89d8c13ad5
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2022-01-03 23:51:34 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2022-01-04 00:02:11 +0000

    sys-firmware/edk2-ovmf: clean up vulnerable
    
    Bug: https://bugs.gentoo.org/797232
    Bug: https://bugs.gentoo.org/797703
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 sys-firmware/edk2-ovmf/Manifest                |   3 -
 sys-firmware/edk2-ovmf/edk2-ovmf-202008.ebuild | 186 -------------------------
 2 files changed, 189 deletions(-)