From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) by mx.groups.io with SMTP id smtpd.web11.1506.1599028520834405600 for ; Tue, 01 Sep 2020 23:35:21 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=HJj5Bhnk; spf=pass (domain: redhat.com, ip: 216.205.24.124, mailfrom: lersek@redhat.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1599028519; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=JlRtY9fU55r10cC7t8KTZhi+vW+M88djCLoLPiD5VnA=; b=HJj5BhnkOd09fj29iKZ6/kIY82LSpaC3sb0ne9FRjH2fi6LHkiYKgxLVHcDH2aaRbEt2fj muMPGQmClglSZQUiN8gN0tBfOZlEtKwBzqTAVj2OA9555FMmgREBY14+i/XqG+vhDd+AN2 hLfYQoV3HAs9AOwE4c6L7nrTdGuIg8I= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-145-VAb1dhQvMui2NA1Qh6tFAQ-1; Wed, 02 Sep 2020 02:35:08 -0400 X-MC-Unique: VAb1dhQvMui2NA1Qh6tFAQ-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 8F234425D8; Wed, 2 Sep 2020 06:35:07 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-113-14.ams2.redhat.com [10.36.113.14]) by smtp.corp.redhat.com (Postfix) with ESMTP id 759415C1C4; Wed, 2 Sep 2020 06:35:05 +0000 (UTC) Subject: Re: [edk2-devel] [PATCH 0/3] SecurityPkg/DxeImageVerificationLib: catch alignment overflow (CVE-2019-14562) To: devel@edk2.groups.io, jiewen.yao@intel.com Cc: "Wang, Jian J" , "Xu, Min M" , Wenyi Xie , =?UTF-8?Q?Philippe_Mathieu-Daud=c3=a9?= , "Liming Gao (Byosoft address)" References: <20200901091221.20948-1-lersek@redhat.com> From: "Laszlo Ersek" Message-ID: Date: Wed, 2 Sep 2020 08:35:04 +0200 MIME-Version: 1.0 In-Reply-To: X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=lersek@redhat.com X-Mimecast-Spam-Score: 0.002 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Content-Language: en-US (+Liming, +Phil) On 09/02/20 06:02, Yao, Jiewen wrote: > The series (1~3) is reviewed-by: Jiewen Yao Thank you Everyone for the reviews and testing. Jiewen: do you think we should merge this series into the master branch before edk2-stable202008? I think it qualifies (it is a CVE fix), but I would like *you* to decide about it. Thanks Laszlo > > Thank you > Yao Jiewen > >> -----Original Message----- >> From: devel@edk2.groups.io On Behalf Of Laszlo Ersek >> Sent: Tuesday, September 1, 2020 5:12 PM >> To: edk2-devel-groups-io >> Cc: Wang, Jian J ; Yao, Jiewen ; >> Xu, Min M ; Wenyi Xie >> Subject: [edk2-devel] [PATCH 0/3] SecurityPkg/DxeImageVerificationLib: catch >> alignment overflow (CVE-2019-14562) >> >> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215 >> Repo: https://pagure.io/lersek/edk2.git >> Branch: tianocore_2215 >> >> I'm neutral on whether this becomes part of edk2-stable202008. >> >> Cc: Jian J Wang >> Cc: Jiewen Yao >> Cc: Min Xu >> Cc: Wenyi Xie >> >> Thanks, >> Laszlo >> >> Laszlo Ersek (3): >> SecurityPkg/DxeImageVerificationLib: extract SecDataDirEnd, >> SecDataDirLeft >> SecurityPkg/DxeImageVerificationLib: assign WinCertificate after size >> check >> SecurityPkg/DxeImageVerificationLib: catch alignment overflow >> (CVE-2019-14562) >> >> SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 16 >> ++++++++++++---- >> 1 file changed, 12 insertions(+), 4 deletions(-) >> >> -- >> 2.19.1.3.g30247aa5d201 >> >> >> > > > >