From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by spool.mail.gandi.net (Postfix) with ESMTPS id 2D46A74003C for ; Wed, 24 Jan 2024 10:17:44 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=6yqUK3nZoyHd5xkNaHMBNoNWFmgJzbB2mSW0OZTSOzU=; c=relaxed/simple; d=groups.io; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject:To:Cc:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Type:Content-Transfer-Encoding; s=20140610; t=1706091462; v=1; b=vvr0IAw2UZKsV9izGaCdHF5NcnTQc1Ev99Yl9Mjeq8V8jgi5tP9pFu6ypkxzgm5JVGacCsrL Px8WIkVmv6J0po0DHyra751oTbtiDnuKE830srIV/gw6aPtQDFrdxQxI3eOYU4HbOOuPAQYvdEL DhCqyKN4bQtUOPAMB2vxf+nE= X-Received: by 127.0.0.2 with SMTP id QQSyYY7687511xEDkgxOOJuj; Wed, 24 Jan 2024 02:17:42 -0800 X-Received: from mail-vk1-f170.google.com (mail-vk1-f170.google.com [209.85.221.170]) by mx.groups.io with SMTP id smtpd.web11.19429.1706091462171157498 for ; Wed, 24 Jan 2024 02:17:42 -0800 X-Received: by mail-vk1-f170.google.com with SMTP id 71dfb90a1353d-4b978e5e240so1232256e0c.0 for ; Wed, 24 Jan 2024 02:17:42 -0800 (PST) X-Gm-Message-State: nQwGf9accUl2MQnhpfu4FmKHx7686176AA= X-Google-Smtp-Source: AGHT+IHj0ZgMvCSsdFwV+q3gTbktqfqyQ/sy1BSNEn8Ft5H1AWuTZuYqSODeO5gnHk6+QFumAuH3Q8dr5iKVAU+bTXs= X-Received: by 2002:a05:6122:c99:b0:4bd:7bdf:31d3 with SMTP id ba25-20020a0561220c9900b004bd7bdf31d3mr85276vkb.23.1706091460978; Wed, 24 Jan 2024 02:17:40 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: "Pedro Falcato" Date: Wed, 24 Jan 2024 10:17:29 +0000 Message-ID: Subject: Re: [edk2-devel] [PATCH 00/14] Security Patches for EDK II Network Stack To: devel@edk2.groups.io, dougflick@microsoft.com Cc: "Douglas Flick [MSFT]" , Saloni Kasbekar , Zachary Clark-williams , Michael D Kinney , Liming Gao , Zhiguang Liu Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,pedro.falcato@gmail.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20140610 header.b=vvr0IAw2; dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=gmail.com (policy=none); spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io On Wed, Jan 24, 2024 at 5:20=E2=80=AFAM Doug Flick via groups.io wrote: > > The security patches contained in this series with the exception of > "MdePkg/Test: Add gRT_GetTime Google Test Mock" and > "NetworkPkg: : Adds a SecurityFix.yaml file" have been reviewed > during GHSA-hc6x-cw6p-gj7h infosec review. > > This patch series contains the following security patches for the > security vulnerabilities found by QuarksLab in the EDK II Network > Stack: > > CVE-2023-45229 > CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N > CWE-125 Out-of-bounds Read > > CVE-2023-45230 > CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H > CWE-119 Improper Restriction of Operations within the Bounds > of a Memory Buffer > > CVE-2023-45231 > CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N > CWE-125 Out-of-bounds Read > > CVE-2023-45232 > CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H > CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') > > CVE-2023-45233 > CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H > CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') > > CVE-2023-45234 > CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H > CWE-119 Improper Restriction of Operations within the Bounds > of a Memory Buffer > > CVE-2023-45235 > CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H > CWE-119 Improper Restriction of Operations within the Bounds > of a Memory Buffer > > NetworkPkg: > Cc: Saloni Kasbekar > Cc: Zachary Clark-williams > > MdePkg: > Cc: Michael D Kinney > Cc: Liming Gao > Cc: Zhiguang Liu > > Doug Flick (8): > NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 - Patch > NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 - Unit Tests > NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Patch > NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests > NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 Patch > NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 Unit Tests > NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 Patch > NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 Unit Tests > > Douglas Flick [MSFT] (6): > NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch > NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Unit Tests > NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch > NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit Tests > MdePkg: Test: Add gRT_GetTime Google Test Mock > NetworkPkg: : Adds a SecurityFix.yaml file Thanks for the patches. Please rewrite the commit messages for each specific patch to contain relevant details on the problem and fix. The commits as-is are somewhat useless unless one wants to track down the CVEs. Thanks! --=20 Pedro -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#114271): https://edk2.groups.io/g/devel/message/114271 Mute This Topic: https://groups.io/mt/103926729/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-