From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124])
 by mx.groups.io with SMTP id smtpd.web10.1640.1599029174637081869
 for <devel@edk2.groups.io>;
 Tue, 01 Sep 2020 23:46:14 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=VPdau1fz;
 spf=pass (domain: redhat.com, ip: 216.205.24.124, mailfrom: lersek@redhat.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1599029173;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=p+3PlGaIjDwmT3EPV6pTknkZ59IzdcbWKSJjJxkUPQY=;
	b=VPdau1fzMGon96vaJWNtzoDmodjl06johwuDx3wkDZvs18DK4CCDB2Vxq1rJIQtj24jQAQ
	YqCA3y/RAGHVpMPJBb8HCu2wetUdcKROGd7cimYEz/n9Vn7m2S8LmcvHISOFGV2if35Ulp
	CwIrzeijnE76+0cxHXmfKH6jRfZITCY=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-219-zKN4-LJxMzGaEP8kxiv6jQ-1; Wed, 02 Sep 2020 02:46:10 -0400
X-MC-Unique: zKN4-LJxMzGaEP8kxiv6jQ-1
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id B97B718B9F41;
	Wed,  2 Sep 2020 06:46:08 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-113-14.ams2.redhat.com [10.36.113.14])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 2D2C67E30F;
	Wed,  2 Sep 2020 06:46:05 +0000 (UTC)
Subject: Re: [edk2-devel] [PATCH 0/3] SecurityPkg/DxeImageVerificationLib: catch alignment overflow (CVE-2019-14562)
To: "Yao, Jiewen" <jiewen.yao@intel.com>,
 "devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: "Wang, Jian J" <jian.j.wang@intel.com>, "Xu, Min M" <min.m.xu@intel.com>,
 Wenyi Xie <xiewenyi2@huawei.com>, =?UTF-8?Q?Philippe_Mathieu-Daud=c3=a9?=
 <philmd@redhat.com>, "Liming Gao (Byosoft address)"
 <gaoliming@byosoft.com.cn>
References: <20200901091221.20948-1-lersek@redhat.com>
 <CY4PR11MB1288E4F95345EDC297C9A7FC8C2F0@CY4PR11MB1288.namprd11.prod.outlook.com>
 <b429c129-f87b-adcc-e75f-6d84e36d3f58@redhat.com>
 <CY4PR11MB1288383950BFD29EAED2BC588C2F0@CY4PR11MB1288.namprd11.prod.outlook.com>
From: "Laszlo Ersek" <lersek@redhat.com>
Message-ID: <0b673874-d7fd-15af-6e98-3790ed6742dc@redhat.com>
Date: Wed, 2 Sep 2020 08:46:05 +0200
MIME-Version: 1.0
In-Reply-To: <CY4PR11MB1288383950BFD29EAED2BC588C2F0@CY4PR11MB1288.namprd11.prod.outlook.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15
Authentication-Results: relay.mimecast.com;
	auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=lersek@redhat.com
X-Mimecast-Spam-Score: 0.002
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Content-Language: en-US

On 09/02/20 08:41, Yao, Jiewen wrote:
> Yes. I recommend to merge to stable202008.

Thank you, I will do that soon.
Laszlo

> 
> 
>> -----Original Message-----
>> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Laszlo Ersek
>> Sent: Wednesday, September 2, 2020 2:35 PM
>> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>
>> Cc: Wang, Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
>> Wenyi Xie <xiewenyi2@huawei.com>; Philippe Mathieu-Daudé
>> <philmd@redhat.com>; Liming Gao (Byosoft address)
>> <gaoliming@byosoft.com.cn>
>> Subject: Re: [edk2-devel] [PATCH 0/3] SecurityPkg/DxeImageVerificationLib:
>> catch alignment overflow (CVE-2019-14562)
>>
>> (+Liming, +Phil)
>>
>> On 09/02/20 06:02, Yao, Jiewen wrote:
>>> The series (1~3) is reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
>>
>> Thank you Everyone for the reviews and testing.
>>
>> Jiewen: do you think we should merge this series into the master branch
>> before edk2-stable202008? I think it qualifies (it is a CVE fix), but I
>> would like *you* to decide about it.
>>
>> Thanks
>> Laszlo
>>
>>>
>>> Thank you
>>> Yao Jiewen
>>>
>>>> -----Original Message-----
>>>> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Laszlo
>> Ersek
>>>> Sent: Tuesday, September 1, 2020 5:12 PM
>>>> To: edk2-devel-groups-io <devel@edk2.groups.io>
>>>> Cc: Wang, Jian J <jian.j.wang@intel.com>; Yao, Jiewen
>> <jiewen.yao@intel.com>;
>>>> Xu, Min M <min.m.xu@intel.com>; Wenyi Xie <xiewenyi2@huawei.com>
>>>> Subject: [edk2-devel] [PATCH 0/3] SecurityPkg/DxeImageVerificationLib:
>> catch
>>>> alignment overflow (CVE-2019-14562)
>>>>
>>>> Ref:    https://bugzilla.tianocore.org/show_bug.cgi?id=2215
>>>> Repo:   https://pagure.io/lersek/edk2.git
>>>> Branch: tianocore_2215
>>>>
>>>> I'm neutral on whether this becomes part of edk2-stable202008.
>>>>
>>>> Cc: Jian J Wang <jian.j.wang@intel.com>
>>>> Cc: Jiewen Yao <jiewen.yao@intel.com>
>>>> Cc: Min Xu <min.m.xu@intel.com>
>>>> Cc: Wenyi Xie <xiewenyi2@huawei.com>
>>>>
>>>> Thanks,
>>>> Laszlo
>>>>
>>>> Laszlo Ersek (3):
>>>>   SecurityPkg/DxeImageVerificationLib: extract SecDataDirEnd,
>>>>     SecDataDirLeft
>>>>   SecurityPkg/DxeImageVerificationLib: assign WinCertificate after size
>>>>     check
>>>>   SecurityPkg/DxeImageVerificationLib: catch alignment overflow
>>>>     (CVE-2019-14562)
>>>>
>>>>  SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 16
>>>> ++++++++++++----
>>>>  1 file changed, 12 insertions(+), 4 deletions(-)
>>>>
>>>> --
>>>> 2.19.1.3.g30247aa5d201
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>> 
>