Security update for ovmf SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:4254-1 Final 1 1 2018-12-22T12:35:15Z current 2018-12-22T12:35:15Z 2018-12-22T12:35:15Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ovmf This update for ovmf fixes the following issues: Security issues fixed: - CVE-2018-3613: Fixed AuthVariable Timestamp zeroing issue on APPEND_WRITE (bsc#1115916). - CVE-2017-5731: Fixed privilege escalation via processing of malformed files in TianoCompress.c (bsc#1115917). - CVE-2017-5732: Fixed privilege escalation via processing of malformed files in BaseUefiDecompressLib.c (bsc#1115917). - CVE-2017-5733: Fixed privilege escalation via heap-based buffer overflow in MakeTable() function (bsc#1115917). - CVE-2017-5734: Fixed privilege escalation via stack-based buffer overflow in MakeTable() function (bsc#1115917). - CVE-2017-5735: Fixed privilege escalation via heap-based buffer overflow in Decode() function (bsc#1115917). This update was imported from the SUSE:SLE-12-SP3:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2018-12/msg00059.html E-Mail link for openSUSE-SU-2018:4254-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 ovmf-2017+git1492060560.b6d11d7c46-13.1 ovmf-tools-2017+git1492060560.b6d11d7c46-13.1 qemu-ovmf-ia32-2017+git1492060560.b6d11d7c46-13.1 qemu-ovmf-x86_64-2017+git1492060560.b6d11d7c46-13.1 qemu-ovmf-x86_64-debug-2017+git1492060560.b6d11d7c46-13.1 ovmf-2017+git1492060560.b6d11d7c46-13.1 as a component of openSUSE Leap 42.3 ovmf-tools-2017+git1492060560.b6d11d7c46-13.1 as a component of openSUSE Leap 42.3 qemu-ovmf-ia32-2017+git1492060560.b6d11d7c46-13.1 as a component of openSUSE Leap 42.3 qemu-ovmf-x86_64-2017+git1492060560.b6d11d7c46-13.1 as a component of openSUSE Leap 42.3 qemu-ovmf-x86_64-debug-2017+git1492060560.b6d11d7c46-13.1 as a component of openSUSE Leap 42.3 Bounds checking in Tianocompress before November 7, 2017 may allow an authenticated user to potentially enable an escalation of privilege via local access. CVE-2017-5731 openSUSE Leap 42.3:ovmf-2017+git1492060560.b6d11d7c46-13.1 openSUSE Leap 42.3:ovmf-tools-2017+git1492060560.b6d11d7c46-13.1 openSUSE Leap 42.3:qemu-ovmf-ia32-2017+git1492060560.b6d11d7c46-13.1 openSUSE Leap 42.3:qemu-ovmf-x86_64-2017+git1492060560.b6d11d7c46-13.1 openSUSE Leap 42.3:qemu-ovmf-x86_64-debug-2017+git1492060560.b6d11d7c46-13.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-12/msg00059.html https://www.suse.com/security/cve/CVE-2017-5731.html CVE-2017-5731 https://bugzilla.suse.com/1115917 SUSE Bug 1115917 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2017. Notes: none. CVE-2017-5732 openSUSE Leap 42.3:ovmf-2017+git1492060560.b6d11d7c46-13.1 openSUSE Leap 42.3:ovmf-tools-2017+git1492060560.b6d11d7c46-13.1 openSUSE Leap 42.3:qemu-ovmf-ia32-2017+git1492060560.b6d11d7c46-13.1 openSUSE Leap 42.3:qemu-ovmf-x86_64-2017+git1492060560.b6d11d7c46-13.1 openSUSE Leap 42.3:qemu-ovmf-x86_64-debug-2017+git1492060560.b6d11d7c46-13.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-12/msg00059.html https://www.suse.com/security/cve/CVE-2017-5732.html CVE-2017-5732 https://bugzilla.suse.com/1115917 SUSE Bug 1115917 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2017. Notes: none. CVE-2017-5733 openSUSE Leap 42.3:ovmf-2017+git1492060560.b6d11d7c46-13.1 openSUSE Leap 42.3:ovmf-tools-2017+git1492060560.b6d11d7c46-13.1 openSUSE Leap 42.3:qemu-ovmf-ia32-2017+git1492060560.b6d11d7c46-13.1 openSUSE Leap 42.3:qemu-ovmf-x86_64-2017+git1492060560.b6d11d7c46-13.1 openSUSE Leap 42.3:qemu-ovmf-x86_64-debug-2017+git1492060560.b6d11d7c46-13.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-12/msg00059.html https://www.suse.com/security/cve/CVE-2017-5733.html CVE-2017-5733 https://bugzilla.suse.com/1115917 SUSE Bug 1115917 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none. CVE-2017-5734 openSUSE Leap 42.3:ovmf-2017+git1492060560.b6d11d7c46-13.1 openSUSE Leap 42.3:ovmf-tools-2017+git1492060560.b6d11d7c46-13.1 openSUSE Leap 42.3:qemu-ovmf-ia32-2017+git1492060560.b6d11d7c46-13.1 openSUSE Leap 42.3:qemu-ovmf-x86_64-2017+git1492060560.b6d11d7c46-13.1 openSUSE Leap 42.3:qemu-ovmf-x86_64-debug-2017+git1492060560.b6d11d7c46-13.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-12/msg00059.html https://www.suse.com/security/cve/CVE-2017-5734.html CVE-2017-5734 https://bugzilla.suse.com/1115917 SUSE Bug 1115917 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2017. Notes: none. CVE-2017-5735 openSUSE Leap 42.3:ovmf-2017+git1492060560.b6d11d7c46-13.1 openSUSE Leap 42.3:ovmf-tools-2017+git1492060560.b6d11d7c46-13.1 openSUSE Leap 42.3:qemu-ovmf-ia32-2017+git1492060560.b6d11d7c46-13.1 openSUSE Leap 42.3:qemu-ovmf-x86_64-2017+git1492060560.b6d11d7c46-13.1 openSUSE Leap 42.3:qemu-ovmf-x86_64-debug-2017+git1492060560.b6d11d7c46-13.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-12/msg00059.html https://www.suse.com/security/cve/CVE-2017-5735.html CVE-2017-5735 https://bugzilla.suse.com/1115917 SUSE Bug 1115917 Logic issue in variable service module for EDK II/UDK2018/UDK2017/UDK2015 may allow an authenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via local access. CVE-2018-3613 openSUSE Leap 42.3:ovmf-2017+git1492060560.b6d11d7c46-13.1 openSUSE Leap 42.3:ovmf-tools-2017+git1492060560.b6d11d7c46-13.1 openSUSE Leap 42.3:qemu-ovmf-ia32-2017+git1492060560.b6d11d7c46-13.1 openSUSE Leap 42.3:qemu-ovmf-x86_64-2017+git1492060560.b6d11d7c46-13.1 openSUSE Leap 42.3:qemu-ovmf-x86_64-debug-2017+git1492060560.b6d11d7c46-13.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-12/msg00059.html https://www.suse.com/security/cve/CVE-2018-3613.html CVE-2018-3613 https://bugzilla.suse.com/1115916 SUSE Bug 1115916