add edk2 patches for CVE-2022-36763, CVE-2022-36764, CVE-2022-36765, CVE-2023-45230, CVE-2023-45236, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45237 #10462
base: fasttrack/2.0
Conversation
SPECS/edk2/edk2.spec
Outdated
Patch1005: CVE-2022-36763.patch | ||
Patch1006: CVE-2022-36764.patch | ||
Patch1007: CVE-2022-36765.patch | ||
Patch1008: CVE-2023-45230.patch | ||
Patch1009: CVE-2023-45236.patch |
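Review bot: Patch1005 through Patch1009 are only declared in this hunk; nothing here applies them, so without matching %patch lines (or an %autopatch) in %prep the five new files are inert and the spec names CVE fixes it does not actually build in. Add an application line per patch in %prep, and check the numbering against the existing convention noted in review that numbers from 1000 upward are applied inside CryptoPkg/Library/OpensslLib/openssl: if these patches target the main edk2 tree, move them to a number range applied at the top level rather than inside the openssl pushd. Also, the PR title lists ten CVEs but this hunk declares five patch files; each patch file's header should say which of the remaining CVEs it covers so the mapping is recoverable from the spec alone.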
Please also update the %prep section to apply the patches. It looks like the patches starting from number 1000 and up are reserved for changes in the CryptoPkg/Library/OpensslLib/openssl directory. You may need to change the patch number if these fixes are to be applied directly to the main source folder, or tweak the steps in the %prep section.
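The gap raised in this comment (patches declared with PatchN but never applied in %prep) is easy to check mechanically. The following script is an added example, not part of this PR or of the Azure Linux toolkit; it runs against a constructed spec fragment (the `SAMPLE_SPEC` string is hypothetical, not the real edk2.spec) and reports every declared patch that %prep does not apply, honouring both `%patchN` and `%patch -P N` spellings and treating `%autosetup`/`%autopatch` as applying everything.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed spec fragment for the demo (hypothetical; not the real edk2.spec).
# Patch1005-1009 are declared, but %prep only applies 1000 (inside the openssl
# subdirectory), 1005 and 1006, so 1007-1009 are declared yet never applied.
SAMPLE_SPEC = """\
Name:           edk2
Patch1000:      openssl-fix.patch
Patch1005:      CVE-2022-36763.patch
Patch1006:      CVE-2022-36764.patch
Patch1007:      CVE-2022-36765.patch
Patch1008:      CVE-2023-45230.patch
Patch1009:      CVE-2023-45236.patch

%prep
%setup -q
pushd CryptoPkg/Library/OpensslLib/openssl
%patch1000 -p1
popd
%patch1005 -p1
%patch -P 1006 -p1

%build
make
"""

PATCH_DECL_RE = re.compile(r"^Patch(\d+)\s*:\s*(\S+)", re.MULTILINE)
# Both spellings rpm accepts: "%patch1005 -p1" and "%patch -P 1005 -p1".
PATCH_APPLY_RE = re.compile(r"^%patch(?:\s*(\d+)|\s+-P\s*(\d+))", re.MULTILINE)
AUTO_APPLY_RE = re.compile(r"^%(?:autosetup|autopatch)\b", re.MULTILINE)
NEXT_SECTION_RE = re.compile(
    r"^%(?:build|install|check|files|changelog|package|description)\b", re.MULTILINE
)


def prep_section(spec_text: str) -> str:
    """Body of %prep up to the next section header ('' if there is no %prep)."""
    start = re.search(r"^%prep\b", spec_text, re.MULTILINE)
    if start is None:
        return ""
    body = spec_text[start.end():]
    end = NEXT_SECTION_RE.search(body)
    return body[: end.start()] if end else body


def declared_patches(spec_text: str) -> Dict[int, str]:
    """PatchN: file declarations from the preamble, keyed by N."""
    return {int(num): path for num, path in PATCH_DECL_RE.findall(spec_text)}


def applied_patches(spec_text: str) -> Set[int]:
    """Patch numbers that %prep applies explicitly."""
    return {int(a or b) for a, b in PATCH_APPLY_RE.findall(prep_section(spec_text))}


def unapplied_patches(spec_text: str) -> List[Tuple[int, str]]:
    """Declared patches that %prep never applies, sorted by number."""
    prep = prep_section(spec_text)
    if AUTO_APPLY_RE.search(prep):
        return []  # %autosetup / %autopatch apply every declared PatchN
    applied = applied_patches(spec_text)
    return sorted(
        (n, f) for n, f in declared_patches(spec_text).items() if n not in applied
    )


if __name__ == "__main__":
    missing = unapplied_patches(SAMPLE_SPEC)
    for number, path in missing:
        print(f"Patch{number} ({path}) is declared but never applied in %prep")
    raise SystemExit(1 if missing else 0)
```

Run against a real spec by reading the file into `unapplied_patches`; a non-empty result is exactly the situation this review comment describes, and a non-zero exit makes it usable as a pre-commit or CI gate on SPECS/ changes.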
Need to apply the new .patch files.
@@ -0,0 +1,2 @@ | |||
CVE already patch in CVE-2023-45230.patch |
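Review bot: the new nopatch file says "CVE already patch in" (should read "patched") and, more importantly, does not name the CVE it marks as covered, so a reader cannot tell from the file which of the ten CVEs in the PR title is satisfied by CVE-2023-45230.patch. Either state the CVE id explicitly in the file, or, following the review guidance on nopatch files, drop it and record the additionally fixed CVE in the header of CVE-2023-45230.patch instead.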
For the nopatch files, it is now preferable to drop them and either mention all fixed CVEs in the actually applied patch file (CVE-2023-45230.patch in this case) or file a dispute through Astrolabe saying the CVE was fixed in a different patch file.
How would mentioning them work? The tooling wouldn't know we had patched the other CVEs right?
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
- Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
- cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
- LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
- All source files have up-to-date hashes in the *.signatures.json files
- sudo make go-tidy-all and sudo make go-test-coverage pass
Summary
What does the PR accomplish, why was it needed?
Fix edk2 CVEs
Change Log
Does this affect the toolchain?
NO
Links to CVEs
Test Methodology