add edk2 patches for CVE-2022-36763, CVE-2022-36764, CVE-2022-36765, CVE-2023-45230, CVE-2023-45236, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45237

[rmhsawyer]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

What does the PR accomplish, why was it needed?
Fix edk2 CVEs

Change Log

• add upstream patches for CVE-2022-36763, CVE-2022-36764, CVE-2022-36765, CVE-2023-45230, CVE-2023-45236
• Add nopatch for CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45237
• Change

Does this affect the toolchain?

NO

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2022-36763
• https://nvd.nist.gov/vuln/detail/CVE-2022-36764
• https://nvd.nist.gov/vuln/detail/CVE-2022-36765
• https://nvd.nist.gov/vuln/detail/CVE-2023-45230
• https://nvd.nist.gov/vuln/detail/CVE-2023-45232
• https://nvd.nist.gov/vuln/detail/CVE-2023-45233
• https://nvd.nist.gov/vuln/detail/CVE-2023-45234
• https://nvd.nist.gov/vuln/detail/CVE-2023-45235
• https://nvd.nist.gov/vuln/detail/CVE-2023-45236
• https://nvd.nist.gov/vuln/detail/CVE-2023-45237

Test Methodology

• Pipeline build id: local package build with RUN_CHECK=y

[PawelWMS]

Please also update the %prep section to apply the patches. It looks like the patches starting from number 1000 and up are reserved for changes in the CryptoPkg/Library/OpensslLib/openssl directory. You may need to change the patch number, if these fixes are to be applied directly to the main source folder or tweak the steps in the %prep section.

[PawelWMS]

Need to apply the new .patch files.

[PawelWMS]

For the nopatch files, it is now preferable to drop them and either mention all fixed CVEs in the actually applied patch file (CVE-2023-45230.patch in this case) or file a dispute through Astrolabe saying the CVE was fixed in a different patch file.

[tobiasb-ms]

How would mentioning them work? The tooling wouldn't know we had patched the other CVEs right?