From: Laszlo Ersek
To: "Gao, Liming", "Wang, Jian J", "Ni, Ray", "edk2-devel@lists.01.org", "Kinney, Michael D", "afish@apple.com", Leif Lindholm
Cc: "Cetola, Stephano"
Date: Fri, 8 Mar 2019 09:52:13 +0100
Subject: Re: [PATCH v2 0/2] Fix bugs in HiiDatabase driver
References: <20190308023514.103228-1-ray.ni@intel.com> <4A89E2EF3DFEDB4C8BFDE51014F606A14E3FDDA6@SHSMSX104.ccr.corp.intel.com>
In-Reply-To: <4A89E2EF3DFEDB4C8BFDE51014F606A14E3FDDA6@SHSMSX104.ccr.corp.intel.com>
List-Id: EDK II Development

On 03/08/19 07:41, Gao, Liming wrote:
> This is to fix the security issue. I agree it is an important bug fix. I am OK to push it for edk2-stable201903 tag

Me too.

If we had stable *branches* (as opposed to just stable tags), then we wouldn't have to delay the stable tag (the release) -- we'd just apply the CVE fix to both the master branch (*after* the stable tag) and on the stable branch too. But our development workflow isn't there yet, so I guess we can delay the stable tag a bit more.

I suggest updating the date in .

Thanks!
Laszlo

>> -----Original Message-----
>> From: Wang, Jian J
>> Sent: Thursday, March 7, 2019 7:17 PM
>> To: Ni, Ray; edk2-devel@lists.01.org
>> Cc: Cetola, Stephano; Gao, Liming
>> Subject: RE: [edk2] [PATCH v2 0/2] Fix bugs in HiiDatabase driver
>>
>> Hi all,
>>
>> This is a very important fix for this issue. If no objection, I'd like the patch to be part of this stable tag.
>>
>>
>> As to this patch series,
>>
>> Reviewed-by: Jian J Wang
>>
>>
>>> -----Original Message-----
>>> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Ray Ni
>>> Sent: Friday, March 08, 2019 10:35 AM
>>> To: edk2-devel@lists.01.org
>>> Subject: [edk2] [PATCH v2 0/2] Fix bugs in HiiDatabase driver
>>>
>>> v2: put the CVE number in patch title.
>>>
>>> Ray Ni (2):
>>>   MdeModulePkg/HiiDatabase: Fix potential integer overflow
>>>     (CVE-2018-12181)
>>>   MdeModulePkg/HiiImage: Fix stack overflow when corrupted BMP is parsed
>>>     (CVE-2018-12181)
>>>
>>>  MdeModulePkg/Universal/HiiDatabaseDxe/Image.c | 130 ++++++++++++++----
>>>  1 file changed, 105 insertions(+), 25 deletions(-)
>>>
>>> --
>>> 2.20.1.windows.1