From 1d0b95f6457d225c5108302a9da74b4ed7aa5a38 Mon Sep 17 00:00:00 2001
From: "Doug Flick via groups.io" <dougflick=microsoft.com@groups.io>
Date: Fri, 26 Jan 2024 05:54:57 +0800
Subject: [PATCH] NetworkPkg: : Adds a SecurityFix.yaml file

This creates / adds a security file that tracks the security fixes found in this package and can be used to find the fixes that were applied.

Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
---
 NetworkPkg/SecurityFixes.yaml | 123 ++++++++++++++++++++++++++++++++++
 1 file changed, 123 insertions(+)
 create mode 100644 NetworkPkg/SecurityFixes.yaml

diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml
new file mode 100644
index 0000000000..7e900483fe
--- /dev/null
+++ b/NetworkPkg/SecurityFixes.yaml
@@ -0,0 +1,123 @@
+## @file
+# Security Fixes for SecurityPkg
+#
+# Copyright (c) Microsoft Corporation
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+CVE_2023_45229:
+ commit_titles:
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch"
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit Tests"
+ cve: CVE-2023-45229
+ date_reported: 2023-08-28 13:56 UTC
+ description: "Bug 01 - edk2/NetworkPkg: Out-of-bounds read when processing IA_NA/IA_TA options in a DHCPv6 Advertise message"
+ note:
+ files_impacted:
+ - NetworkPkg\Dhcp6Dxe\Dhcp6Io.c
+ - NetworkPkg\Dhcp6Dxe\Dhcp6Impl.h
+ links:
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4534
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45229
+ - http://www.openwall.com/lists/oss-security/2024/01/16/2
+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
+CVE_2023_45230:
+ commit_titles:
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch"
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Unit Tests"
+ cve: CVE-2023-45230
+ date_reported: 2023-08-28 13:56 UTC
+ description: "Bug 02 - edk2/NetworkPkg: Buffer overflow in the DHCPv6 client via a long Server ID option"
+ note:
+ files_impacted:
+ - NetworkPkg\Dhcp6Dxe\Dhcp6Io.c
+ - NetworkPkg\Dhcp6Dxe\Dhcp6Impl.h
+ links:
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4535
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45230
+ - http://www.openwall.com/lists/oss-security/2024/01/16/2
+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
+CVE_2023_45231:
+ commit_titles:
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45231 Patch"
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45231 Unit Tests"
+ cve: CVE-2023-45231
+ date_reported: 2023-08-28 13:56 UTC
+ description: "Bug 03 - edk2/NetworkPkg: Out-of-bounds read when handling a ND Redirect message with truncated options"
+ note:
+ files_impacted:
+ - NetworkPkg/Ip6Dxe/Ip6Option.c
+ links:
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4536
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45231
+ - http://www.openwall.com/lists/oss-security/2024/01/16/2
+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
+CVE_2023_45232:
+ commit_titles:
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Patch"
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests"
+ cve: CVE-2023-45232
+ date_reported: 2023-08-28 13:56 UTC
+ description: "Bug 04 - edk2/NetworkPkg: Infinite loop when parsing unknown options in the Destination Options header"
+ note:
+ files_impacted:
+ - NetworkPkg/Ip6Dxe/Ip6Option.c
+ - NetworkPkg/Ip6Dxe/Ip6Option.h
+ links:
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4537
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45232
+ - http://www.openwall.com/lists/oss-security/2024/01/16/2
+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
+CVE_2023_45233:
+ commit_titles:
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Patch"
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests"
+ cve: CVE-2023-45233
+ date_reported: 2023-08-28 13:56 UTC
+ description: "Bug 05 - edk2/NetworkPkg: Infinite loop when parsing a PadN option in the Destination Options header "
+ note: This was fixed along with CVE-2023-45233
+ files_impacted:
+ - NetworkPkg/Ip6Dxe/Ip6Option.c
+ - NetworkPkg/Ip6Dxe/Ip6Option.h
+ links:
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4538
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45233
+ - http://www.openwall.com/lists/oss-security/2024/01/16/2
+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
+CVE_2023_45234:
+ commit_titles:
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45234 Patch"
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45234 Unit Tests"
+ cve: CVE-2023-45234
+ date_reported: 2023-08-28 13:56 UTC
+ description: "Bug 06 - edk2/NetworkPkg: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message"
+ note:
+ files_impacted:
+ - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
+ links:
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4539
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45234
+ - http://www.openwall.com/lists/oss-security/2024/01/16/2
+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
+CVE_2023_45235:
+ commit_titles:
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45235 Patch"
+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45235 Unit Tests"
+ cve: CVE-2023-45235
+ date_reported: 2023-08-28 13:56 UTC
+ description: "Bug 07 - edk2/NetworkPkg: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message"
+ note:
+ files_impacted:
+ - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
+ - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h
+ links:
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4540
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45235
+ - http://www.openwall.com/lists/oss-security/2024/01/16/2
+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
-- 
2.35.3
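Review bot: The CVE_2023_45233 entry is internally inconsistent: both of its `commit_titles` name CVE-2023-45232 while its `note` reads `This was fixed along with CVE-2023-45233`, which is the entry's own CVE, so a reader tracing this fix cannot tell which commits actually carry it; if the fix really landed in the CVE-2023-45232 commits the note should read `note: This was fixed along with CVE-2023-45232`, otherwise the two titles need correcting. The header comment `# Security Fixes for SecurityPkg` also names the wrong package for a file created under NetworkPkg. The `Dhcp6Dxe` component in the titles for CVE-2023-45231 through CVE-2023-45235 does not match the Ip6Dxe and UefiPxeBcDxe files listed under `files_impacted`, so those titles are worth checking against the actual commit subjects. Minor YAML points: the two Windows-style `NetworkPkg\Dhcp6Dxe\...` paths are inconsistent with the forward slashes used everywhere else, the bare `note:` values load as null rather than an empty string, and the Bug 05 description carries a trailing space inside its quotes.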




