From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-1.mimecast.com (us-smtp-1.mimecast.com [205.139.110.120]) by mx.groups.io with SMTP id smtpd.web12.5886.1581925743835026373 for ; Sun, 16 Feb 2020 23:49:04 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=GMFNdf55; spf=pass (domain: redhat.com, ip: 205.139.110.120, mailfrom: lersek@redhat.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1581925742; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=R8l/Qu+qGyhDiPOfGOUIYGjPdTwUO/pUultKJI/wJq4=; b=GMFNdf557F96JX+DvQNTyDysFhP2ps3aIQex+Qk4ponE7+8oSdBt4uzKjRBt4SDK5+UFwm 42+FtB0Ff6EOkBnZN8RKI4rfgzwglGiwQuwtSbB0rpWJWBgn4yTDmOg47DkCXfEHl3WTE1 iFPcc8Q8lkiw26zssr2sVat+hY7eVv0= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-154-rvA5MRP1N-iN3bYaA_VqGg-1; Mon, 17 Feb 2020 02:48:54 -0500 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 142D88018B7; Mon, 17 Feb 2020 07:48:53 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-195.ams2.redhat.com [10.36.116.195]) by smtp.corp.redhat.com (Postfix) with ESMTP id 14D7860BEC; Mon, 17 Feb 2020 07:48:51 +0000 (UTC) Subject: Re: [edk2-devel] [PATCH v2 00/10] Fix false negative issue in DxeImageVerificationHandler To: devel@edk2.groups.io, jian.j.wang@intel.com Cc: Jiewen Yao , Chao Zhang References: <20200214072745.1570-1-jian.j.wang@intel.com> From: "Laszlo Ersek" Message-ID: <9c8b47c7-765a-6064-49c3-a0a9578ccba6@redhat.com> Date: Mon, 17 Feb 2020 08:48:51 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <20200214072745.1570-1-jian.j.wang@intel.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 X-MC-Unique: rvA5MRP1N-iN3bYaA_VqGg-1 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit On 02/14/20 08:27, Wang, Jian J wrote: >> v2 changes: >> - Change IsCertHashFoundInDatabase to IsCertHashFoundInDbx (patch 10) >> - Update result handling to all calling to IsCertHashFoundInDatabase >> to be consistent (patch 6) >> - Fix commit message and title length issue caught by PatchCheck tool > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 > Patch branch: https://github.com/jwang36/edk2/tree/fix-bz1608-bypass-blacklist-check-via-signature-v2 > > Cc: Jiewen Yao > Cc: Chao Zhang > > Jian J Wang (9): > SecurityPkg/DxeImageVerificationLib: Fix memory leaks(CVE-2019-14575) > SecurityPkg/DxeImageVerificationLib: reject CertStack.CertNumber==0 > per DBX(CVE-2019-14575) > SecurityPkg/DxeImageVerificationLib: fix wrong fetch dbx in > IsAllowedByDb(CVE-2019-14575) > SecurityPkg/DxeImageVerificationLib: avoid bypass in fetching > dbx(CVE-2019-14575) > SecurityPkg/DxeImageVerificationLib: refactor db/dbx fetching > code(CVE-2019-14575) > SecurityPkg/DxeImageVerificationLib: Differentiate error/search result > (1)(CVE-2019-14575) > SecurityPkg/DxeImageVerificationLib: tighten default > result(CVE-2019-14575) > SecurityPkg/DxeImageVerificationLib: Differentiate error/search result > (2)(CVE-2019-14575) > SecurityPkg/DxeImageVerificationLib: change IsCertHashFoundInDatabase > name(CVE-2019-14575) > > Laszlo Ersek (1): > SecurityPkg/DxeImageVerificationLib: plug Data leak in > IsForbiddenByDbx()(CVE-2019-14575) > > .../DxeImageVerificationLib.c | 291 ++++++++++++------ > 1 file changed, 198 insertions(+), 93 deletions(-) > Please put a space character in all the subject lines before the "(CVE-2019-14575)" part. Thanks Laszlo