[edk2-devel] [PATCH v2 00/10] Fix false negative issue in DxeImageVerificationHandler

Wang, Jian J jian.j.wang at intel.com
Fri Feb 14 07:27:35 UTC 2020 

> v2 changes:
>    - Change IsCertHashFoundInDatabase to IsCertHashFoundInDbx (patch 10)
>    - Update result handling to all calling to IsCertHashFoundInDatabase
>      to be consistent (patch 6)
>    - Fix commit message and title length issue caught by PatchCheck tool

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
Patch branch: https://github.com/jwang36/edk2/tree/fix-bz1608-bypass-blacklist-check-via-signature-v2

Cc: Jiewen Yao <jiewen.yao at intel.com>
Cc: Chao Zhang <chao.b.zhang at intel.com>

Jian J Wang (9):
  SecurityPkg/DxeImageVerificationLib: Fix memory leaks(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: reject CertStack.CertNumber==0
    per DBX(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: fix wrong fetch dbx in
    IsAllowedByDb(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: avoid bypass in fetching
    dbx(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: refactor db/dbx fetching
    code(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: Differentiate error/search result
    (1)(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: tighten default
    result(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: Differentiate error/search result
    (2)(CVE-2019-14575)
  SecurityPkg/DxeImageVerificationLib: change IsCertHashFoundInDatabase
    name(CVE-2019-14575)

Laszlo Ersek (1):
  SecurityPkg/DxeImageVerificationLib: plug Data leak in
    IsForbiddenByDbx()(CVE-2019-14575)

 .../DxeImageVerificationLib.c                 | 291 ++++++++++++------
 1 file changed, 198 insertions(+), 93 deletions(-)

-- 
2.24.0.windows.2


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#54416): https://edk2.groups.io/g/devel/message/54416
Mute This Topic: https://groups.io/mt/71264897/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-

More information about the edk2-devel-archive mailing list