From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [63.128.21.124]) by mx.groups.io with SMTP id smtpd.web10.4347.1599042810430027077 for ; Wed, 02 Sep 2020 03:33:30 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=gD23eYa0; spf=pass (domain: redhat.com, ip: 63.128.21.124, mailfrom: lersek@redhat.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1599042809; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=XJcmIguOTIu4hQK2+Ygf00lEXFqwOMtMSU95KXoKjIU=; b=gD23eYa0OVSvXJ+rRlEhBiYORnXWC1tYQ7XVNdys0TmUarwE0hmI7UsgmgqaMvM/mHotJZ W1JrCq7K4n4Z7gfJo9EDWi0BJ/uGagaO/vjuaF66EW/p956vGoMDPvr2BF+OMXDtiUHnVQ aKfB0pDdOG9dymiOCQavQ8bCbNwKxPc= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-68-XsbdEE3zOlWn_mqzLYzkoA-1; Wed, 02 Sep 2020 06:33:21 -0400 X-MC-Unique: XsbdEE3zOlWn_mqzLYzkoA-1 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 2100810066FF; Wed, 2 Sep 2020 10:33:19 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-113-14.ams2.redhat.com [10.36.113.14]) by smtp.corp.redhat.com (Postfix) with ESMTP id 59D9419C59; Wed, 2 Sep 2020 10:33:15 +0000 (UTC) Subject: Re: [edk2-devel] [PATCH 0/3] SecurityPkg/DxeImageVerificationLib: catch alignment overflow (CVE-2019-14562) To: devel@edk2.groups.io, jiewen.yao@intel.com Cc: "Wang, Jian J" , "Xu, Min M" , Wenyi Xie , =?UTF-8?Q?Philippe_Mathieu-Daud=c3=a9?= , "Liming Gao (Byosoft address)" References: <20200901091221.20948-1-lersek@redhat.com> From: "Laszlo Ersek" Message-ID: Date: Wed, 2 Sep 2020 12:33:14 +0200 MIME-Version: 1.0 In-Reply-To: X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=lersek@redhat.com X-Mimecast-Spam-Score: 0.002 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Content-Language: en-US On 09/02/20 08:41, Yao, Jiewen wrote: > Yes. I recommend to merge to stable202008. Merged in commit range 751355992635..0b143fa43e92, via . Thanks! Laszlo > >> -----Original Message----- >> From: devel@edk2.groups.io On Behalf Of Laszlo Ersek >> Sent: Wednesday, September 2, 2020 2:35 PM >> To: devel@edk2.groups.io; Yao, Jiewen >> Cc: Wang, Jian J ; Xu, Min M ; >> Wenyi Xie ; Philippe Mathieu-Daudé >> ; Liming Gao (Byosoft address) >> >> Subject: Re: [edk2-devel] [PATCH 0/3] SecurityPkg/DxeImageVerificationLib: >> catch alignment overflow (CVE-2019-14562) >> >> (+Liming, +Phil) >> >> On 09/02/20 06:02, Yao, Jiewen wrote: >>> The series (1~3) is reviewed-by: Jiewen Yao >> >> Thank you Everyone for the reviews and testing. >> >> Jiewen: do you think we should merge this series into the master branch >> before edk2-stable202008? I think it qualifies (it is a CVE fix), but I >> would like *you* to decide about it. >> >> Thanks >> Laszlo >> >>> >>> Thank you >>> Yao Jiewen >>> >>>> -----Original Message----- >>>> From: devel@edk2.groups.io On Behalf Of Laszlo >> Ersek >>>> Sent: Tuesday, September 1, 2020 5:12 PM >>>> To: edk2-devel-groups-io >>>> Cc: Wang, Jian J ; Yao, Jiewen >> ; >>>> Xu, Min M ; Wenyi Xie >>>> Subject: [edk2-devel] [PATCH 0/3] SecurityPkg/DxeImageVerificationLib: >> catch >>>> alignment overflow (CVE-2019-14562) >>>> >>>> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215 >>>> Repo: https://pagure.io/lersek/edk2.git >>>> Branch: tianocore_2215 >>>> >>>> I'm neutral on whether this becomes part of edk2-stable202008. >>>> >>>> Cc: Jian J Wang >>>> Cc: Jiewen Yao >>>> Cc: Min Xu >>>> Cc: Wenyi Xie >>>> >>>> Thanks, >>>> Laszlo >>>> >>>> Laszlo Ersek (3): >>>> SecurityPkg/DxeImageVerificationLib: extract SecDataDirEnd, >>>> SecDataDirLeft >>>> SecurityPkg/DxeImageVerificationLib: assign WinCertificate after size >>>> check >>>> SecurityPkg/DxeImageVerificationLib: catch alignment overflow >>>> (CVE-2019-14562) >>>> >>>> SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 16 >>>> ++++++++++++---- >>>> 1 file changed, 12 insertions(+), 4 deletions(-) >>>> >>>> -- >>>> 2.19.1.3.g30247aa5d201 >>>> >>>> >>>> >>> >>> >>> >>> >> >> >> > > > >