On Mon, Apr 22, 2019 at 07:52:24PM -0600, dann frazier wrote:
> On Sat, Apr 20, 2019 at 07:58:07PM +0200, Moritz Muehlenhoff wrote:
> > Source: edk2
> > Severity: important
> > Tags: security
>
> Thanks Moritz! Upon review, I believe Debian is not impacted by
> either...
>
> > CVE-2018-12179:
> > https://bugzilla.tianocore.org/show_bug.cgi?id=1133
>
> The OpalPassword code isn't compiled for the Debian images. I
> mechanically verified this by enabling atime and doing a build, and
> generated lists of files touched by the build and not. Of the files
> modified in the proposed patchset, these were not accessed:
> SecurityPkg/Include/Guid/OpalPasswordExtraInfoVariable.h
> SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.c
> SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalPasswordDxe.inf
> SecurityPkg/Tcg/Opal/OpalPasswordSmm/OpalPasswordSmm.c
> SecurityPkg/Tcg/Opal/OpalPasswordSmm/OpalPasswordSmm.h
> SecurityPkg/Tcg/Opal/OpalPasswordSmm/OpalPasswordSmm.inf
>
> This one was:
> SecurityPkg/SecurityPkg.dec
> but the only proposed change to it is to remove a Guid definition.
>
> > CVE-2018-12182:
> > https://bugzilla.tianocore.org/show_bug.cgi?id=1136
>
> Upstream explains why OVMF is not impacted here:
> https://bugzilla.tianocore.org/show_bug.cgi?id=1136#c13
Thanks, I've updated the security tracker, setting CVE-2018-12179 to
unimportant (as this could theoretically affect custom builds) and marked
CVE-2018-12182 as not-affected.

Cheers,
Moritz
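The access-time check dann frazier describes above (reset atime, run the build, see which of the files touched by a patch were actually read) is a cheap way to confirm that a vulnerable component is not compiled into a shipped image. The script below is an added example, not code from the bug report or from edk2: it implements the same idea against a small constructed source tree with a stand-in "build" (two `cat` commands), and the file names `a.c`, `b.c`, `opal.c` and `missing.h` are made up for the demo. It assumes GNU coreutils and findutils and a filesystem mounted with atime updates enabled (strictatime, or relatime, which still bumps atime on the first read after the timestamp reset); `noatime` defeats the method, which `atime_works` detects before any conclusion is drawn.

```shell
#!/bin/sh
# Added example (not from the bug report or edk2): which files in a
# candidate list does a build actually read? Compare each file's atime
# against a fixed stamp set before the build ran.
set -eu

STAMP=946684800   # 2000-01-01T00:00:00Z, an epoch safely in the past

# Reset atime and mtime of every regular file under $1 to $STAMP.
# Under relatime, atime is only refreshed when atime <= mtime, so making
# the two equal guarantees the first read afterwards moves atime forward.
stamp_tree() {
    find "$1" -type f -exec touch -d "@$STAMP" {} +
}

# Root $1, newline-separated candidate paths on stdin (relative to $1).
# Prints the candidates whose atime moved past $STAMP, i.e. the build read them.
accessed_files() {
    while IFS= read -r f; do
        [ -f "$1/$f" ] || continue          # listed but absent: not built here
        if [ "$(stat -c %X "$1/$f")" -gt "$STAMP" ]; then printf '%s\n' "$f"; fi
    done
}

# Same input; prints the candidates that still carry the stamp (never read).
not_accessed_files() {
    while IFS= read -r f; do
        [ -f "$1/$f" ] || continue
        if [ "$(stat -c %X "$1/$f")" -le "$STAMP" ]; then printf '%s\n' "$f"; fi
    done
}

# Sanity probe: does reading a file in directory $1 update its atime at all?
# On a noatime mount this fails and the lists above would be meaningless.
atime_works() {
    p="$1/.atime-probe"
    printf 'x' > "$p"
    touch -d "@$STAMP" "$p"
    cat "$p" > /dev/null
    r=$(stat -c %X "$p")
    rm -f "$p"
    [ "$r" -gt "$STAMP" ]
}

# Constructed demo: the "build" compiles a.c and b.c only; opal.c (standing
# in for the OpalPassword sources) is present in the tree but never read.
# Output: "accessed=a.c not=opal.c" on a mount with atime updates.
demo() {
    src=$(mktemp -d); obj=$(mktemp -d)
    printf 'int a;\n'    > "$src/a.c"
    printf 'int b;\n'    > "$src/b.c"
    printf 'int opal;\n' > "$src/opal.c"
    stamp_tree "$src"
    # stand-in build step: reads two sources, writes objects outside the tree
    cat "$src/a.c" > "$obj/a.o"
    cat "$src/b.c" > "$obj/b.o"
    # candidate list as it would come from "files modified in the patchset"
    printf 'a.c\nopal.c\nmissing.h\n' > "$obj/candidates"
    acc=$(accessed_files "$src"     < "$obj/candidates" | paste -sd ' ' -)
    not=$(not_accessed_files "$src" < "$obj/candidates" | paste -sd ' ' -)
    rm -rf "$src" "$obj"
    printf 'accessed=%s not=%s\n' "$acc" "$not"
}

if atime_works "$(dirname "$(mktemp -u)")"; then
    demo
else
    echo "atime updates are disabled here; mount with strictatime or relatime first" >&2
fi
```

Note that a file being read is a necessary, not sufficient, condition for its code reaching the image: a header pulled in by an unrelated translation unit shows up as accessed even when nothing in it is compiled, which is why the `SecurityPkg.dec` hit above still needed a manual look at the proposed diff.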