
Bug 797703 (CVE-2021-28211)

Summary: <sys-firmware/edk2-ovmf-202105: heap overflow vulnerability (CVE-2021-28211)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: tamiko, virtualization
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B? [stable?]
Package list:
Runtime testing required: ---
Bug Depends on: 797232    
Bug Blocks:    

Description John Helmert III gentoo-dev Security 2021-06-23 02:27:13 UTC

A heap overflow in LzmaUefiDecompressGetInfo function in EDK II.

Please bump to at least 202011 (first fixed release). I'm unsure about impact
here. Maintainers, can you offer input?
Comment 1 John Helmert III gentoo-dev Security 2021-06-24 04:07:09 UTC

An unlimited recursion in DxeCore in EDK II.

Same fixed release as CVE-2021-28211 (


Example EDK2 encrypted private key in the IpSecDxe.efi present potential security risks.


Upstream bug is restricted so I can't go digging for a patch there.
Comment 2 Larry the Git Cow gentoo-dev 2021-06-26 22:23:58 UTC
The bug has been referenced in the following commit(s):

commit 944a1bda9e2a0614e3a176588bb57477813e43dd
Author:     Matthias Maier <>
AuthorDate: 2021-06-26 22:16:40 +0000
Commit:     Matthias Maier <>
CommitDate: 2021-06-26 22:23:52 +0000

    sys-firmware/edk2-ovmf: version bump to 202105
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Matthias Maier <>

 sys-firmware/edk2-ovmf/Manifest                |   3 +
 sys-firmware/edk2-ovmf/edk2-ovmf-202105.ebuild | 173 +++++++++++++++++++++++++
 2 files changed, 176 insertions(+)
Comment 3 Matthias Maier gentoo-dev 2021-06-26 22:27:58 UTC
202105 is now in tree. Let's postpone stabilization and cleanup for a bit to get some testing in.
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:21:31 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:29:40 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 17:37:39 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 17:45:43 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 17:53:48 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-07-29 18:01:42 UTC Comment hidden (obsolete)
Comment 10 NATTkA bot gentoo-dev 2021-07-29 18:10:03 UTC
Package list is empty or all packages have requested keywords.