mu_basecore

[CHERRY-PICK] Backports PxeFail Vulnerability Patches to Release/202208

Open Flickdm opened this issue 1 year ago • 0 comments

Description

This represents the first half of the security patches for PxeFail that are the easiest for a platform to consume without breaking changes.

Covers the following CVEs:

  • CVE-2023-45229
  • CVE-2023-45230
  • CVE-2023-45231
  • CVE-2023-45232
  • CVE-2023-45233
  • CVE-2023-45234
  • CVE-2023-45235

Links:

  • https://github.com/quarkslab/pixiefail
  • https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html

These patches were taken with one manual merge conflict in a google test.

To recreate, cherry-pick from edk2 using:

git cherry-pick f31453e8d6542461d92d835e0b79fec8b039174d^..1d0b95f6457d225c5108302a9da74b4ed7aa5a38
git cherry-pick 1c440a5eceedc64e892877eeac0f1a4938f5abbb^..5fd3078a2e08f607dc86a16c1b184b6e30a34a49

  • [ ] Impacts functionality?
  • [x] Impacts security?
      • Patches the PXE-specific related vulnerabilities, with breaking changes to patch the others following up in a subsequent PR
  • [ ] Breaking change?
  • [x] Includes tests?
      • Yes, but without changes to backport Google Test they will not run
  • [ ] Includes documentation?

How This Was Tested

TODO

Integration Instructions

N/A

Flickdm, Jun 13 '24 21:06