Source: efibootguard Version: 0.13-2 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for efibootguard. CVE-2023-39950[0]: | efibootguard is a simple UEFI boot loader with support for safely | switching between current and updated partition sets. Insufficient | or missing validation and sanitization of input from untrustworthy | bootloader environment files can cause crashes and probably also | code injections into `bg_setenv`) or programs using `libebgenv`. | This is triggered when the affected components try to modify a | manipulated environment, in particular its user variables. | Furthermore, `bg_printenv` may crash over invalid read accesses or | report invalid results. Not affected by this issue is EFI Boot | Guard's bootloader EFI binary. EFI Boot Guard release v0.15 contains | required patches to sanitize and validate the bootloader environment | prior to processing it in userspace. Its library and tools should be | updated, so should programs statically linked against it. An update | of the bootloader EFI executable is not required. The only way to | prevent the issue with an unpatched EFI Boot Guard version is to | avoid accesses to user variables, specifically modifications to | them. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-39950 https://www.cve.org/CVERecord?id=CVE-2023-39950 Regards, Salvatore
