On Mon, Apr 22, 2019 at 07:52:24PM -0600, dann frazier wrote:
> On Sat, Apr 20, 2019 at 07:58:07PM +0200, Moritz Muehlenhoff wrote:
> > Source: edk2
> > Severity: important
> > Tags: security
> 
> Thanks Moritz! Upon review, I believe Debian is not impacted by
> either...
> 
> > CVE-2018-12179:
> > https://bugzilla.tianocore.org/show_bug.cgi?id=1133
> 
> The OpalPassword code isn't compiled for the Debian images. I
> mechanically verified this by enabling atime and doing a build, and
> generated lists of files touched by the build and not. Of the files
> modified in the proposed patchset, these were not accessed:
>   SecurityPkg/Include/Guid/OpalPasswordExtraInfoVariable.h
>   SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.c
>   SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalPasswordDxe.inf
>   SecurityPkg/Tcg/Opal/OpalPasswordSmm/OpalPasswordSmm.c
>   SecurityPkg/Tcg/Opal/OpalPasswordSmm/OpalPasswordSmm.h
>   SecurityPkg/Tcg/Opal/OpalPasswordSmm/OpalPasswordSmm.inf
> 
> This one was:
>   SecurityPkg/SecurityPkg.dec
> but the only proposed change to it is to remove a Guid definition.
> 
> > CVE-2018-12182:
> > https://bugzilla.tianocore.org/show_bug.cgi?id=1136
> 
> Upstream explains why OVMF is not impacted here:
>   https://bugzilla.tianocore.org/show_bug.cgi?id=1136#c13

Thanks, I've updated the security tracker, setting CVE-2018-12179
to unimportant (as this could theoretically affect custom builds)
and marked CVE-2018-12182 as not-affected.

Cheers,
        Moritz
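
The atime check dann describes above, as an added sketch that is not part of the original thread or of edk2/Debian tooling: reset the access time of every file a patch touches, run the build, then report which of them were read. The helper names `reset_atimes` and `classify` and the script name are hypothetical; it assumes `stat -c %X` (GNU or busybox) and a filesystem not mounted `noatime`.

```shell
#!/bin/sh
# Added example (not from the thread): which patch-touched files did a build read?
# Hypothetical helpers; assumes stat -c %X (GNU/busybox) and a mount without noatime.

BASELINE='2000-01-01 00:00:00'   # constructed value: any time well before the build

# reset_atimes TREE LIST: push each listed file's atime back to BASELINE, so the
# first read during the build moves it forward even under relatime.
reset_atimes() {
    while IFS= read -r f; do
        if [ -e "$1/$f" ]; then touch -a -d "$BASELINE" "$1/$f"; fi
    done < "$2"
}

# classify TREE LIST: print "accessed|untouched|missing PATH" for each listed path.
classify() {
    marker=$(mktemp)
    touch -a -d "$BASELINE" "$marker"
    base=$(stat -c %X "$marker")     # BASELINE as epoch seconds in the local zone
    rm -f "$marker"
    while IFS= read -r f; do
        if [ ! -e "$1/$f" ]; then
            echo "missing $f"
        elif [ "$(stat -c %X "$1/$f")" -gt "$base" ]; then
            echo "accessed $f"
        else
            echo "untouched $f"
        fi
    done < "$2"
}

# Stand-alone use: LIST holds one path per line, relative to TREE
# (for a patch series, e.g. the output of `git diff --name-only`).
#   sh atime-check.sh reset  TREE LIST    # before the build
#   sh atime-check.sh report TREE LIST    # after the build
case "${1:-}" in
    reset)  reset_atimes "$2" "$3" ;;
    report) classify "$2" "$3" ;;
esac
```

An "accessed" result only shows the build read the file, so each hit still needs the kind of manual look given to SecurityPkg/SecurityPkg.dec in the thread.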
