Alerts This Week
Warning Icon 1 1,375
Alerts This Week
Warning Icon 1 1,375

Ubuntu: 4349-1 Critical: edk2 Buffer Overflow and Other Risks

ubuntu
Calendar Grey April 30, 2020
Dist Ubuntu Esm H88
Ubuntu Security Notice USN-4349-1 reveals severe vulnerabilities in the edk2 package, part of UEFI, urging users to install essential updates for protection
Several security issues were fixed in edk2.

Summary

Several security issues were fixed in edk2.

Software Description:

- edk2: UEFI firmware for 64-bit x86 virtual machines

Details:

A buffer overflow was discovered in the network stack. An unprivileged user

could potentially enable escalation of privilege and/or denial of service.

This issue was already fixed in a previous release for 18.04 LTS and 19.10.

(CVE-2018-12178)

A buffer overflow was discovered in BlockIo service. An unauthenticated user

could potentially enable escalation of privilege, information disclosure and/or

denial of service. This issue was already fixed in a previous release for 18.04

LTS and 19.10. (CVE-2018-12180)

A stack overflow was discovered in bmp. An unprivileged user

could potentially enable denial of service or elevation of privilege via

local access. This issue was already fixed in a previous release for 18.04

LTS and 19.10. (CVE-2018-12181)

It was discovered that memory was not cleared before free that could lead

to potential password leak. (CVE-...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.10:
  ovmf                            0~20190606.20d2e5a1-2ubuntu1.1
  qemu-efi-aarch64                0~20190606.20d2e5a1-2ubuntu1.1
  qemu-efi-arm                    0~20190606.20d2e5a1-2ubuntu1.1

Ubuntu 18.04 LTS:
  ovmf                            0~20180205.c0d9813c-2ubuntu0.2
  qemu-efi-aarch64                0~20180205.c0d9813c-2ubuntu0.2
  qemu-efi-arm                    0~20180205.c0d9813c-2ubuntu0.2

Ubuntu 16.04 LTS:
  ovmf                            0~20160408.ffea0a2c-2ubuntu0.1
  qemu-efi                        0~20160408.ffea0a2c-2ubuntu0.1

After a standard system update you need to restart the virtual machines that
use the affected firmware to make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-4349-1

CVE-2018-12178, CVE-2018-12180, CVE-2018-12181, CVE-2019-14558,

CVE-2019-14559, CVE-2019-14563, CVE-2019-14575, CVE-2019-14586,

CVE-2019-14587

Severity
critical
Lowest
Low
Medium
High
Critical

April 30, 2020

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here