==========================================================================
Ubuntu Security Notice USN-6920-1
July 29, 2024

edk2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in EDK II.

Software Description:
- edk2: UEFI firmware for virtual machines

Details:

It was discovered that EDK II was not properly performing bounds checks
in Tianocompress, which could lead to a buffer overflow. An authenticated
user could use this issue to potentially escalate their privileges via
local access. (CVE-2017-5731)

It was discovered that EDK II had an insufficient memory write check in
the SMM service, which could lead to a page fault occurring. An
authenticated user could use this issue to potentially escalate their
privileges, disclose information and/or create a denial of service via
local access. (CVE-2018-12182)

It was discovered that EDK II incorrectly handled memory in DxeCore, which
could lead to a stack overflow. An unauthenticated user could this
issue to potentially escalate their privileges, disclose information
and/or create a denial of service via local access. This issue only
affected Ubuntu 18.04 LTS. (CVE-2018-12183)

It was discovered that EDK II incorrectly handled memory in the
Variable service under certain circumstances. An authenticated user could
use this issue to potentially escalate their privileges, disclose
information and/or create a denial of service via local access.
(CVE-2018-3613)

It was discovered that EDK II incorrectly handled memory in its system
firmware, which could lead to a buffer overflow. An unauthenticated user
could use this issue to potentially escalate their privileges and/or
create a denial of service via network access. This issue only affected
Ubuntu 18.04 LTS. (CVE-2019-0160)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS
   ovmf                            0~20180205.c0d9813c-2ubuntu0.3+esm1
                                   Available with Ubuntu Pro
   qemu-efi                        0~20180205.c0d9813c-2ubuntu0.3+esm1
                                   Available with Ubuntu Pro
   qemu-efi-aarch64                0~20180205.c0d9813c-2ubuntu0.3+esm1
                                   Available with Ubuntu Pro
   qemu-efi-arm                    0~20180205.c0d9813c-2ubuntu0.3+esm1
                                   Available with Ubuntu Pro

Ubuntu 16.04 LTS
   ovmf                            0~20160408.ffea0a2c-2ubuntu0.2+esm1
                                   Available with Ubuntu Pro
   qemu-efi                        0~20160408.ffea0a2c-2ubuntu0.2+esm1
                                   Available with Ubuntu Pro

After a standard system update you need to restart the virtual machines
that use the affected firmware to make all the necessary changes.

References:
   https://ubuntu.com/security/notices/USN-6920-1
   CVE-2017-5731, CVE-2018-12182, CVE-2018-12183, CVE-2018-3613,
   CVE-2019-0160

Critical EDK II Security Advisory Updates for Ubuntu 16.04 and 18.04

July 29, 2024
Several security issues were fixed in EDK II.

Summary

A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Several security issues were fixed in EDK II. Software Description: - edk2: UEFI firmware for virtual machines Details: It was discovered that EDK II was not properly performing bounds checks in Tianocompress, which could lead to a buffer overflow. An authenticated user could use this issue to potentially escalate their privileges via local access. (CVE-2017-5731) It was discovered that EDK II had an insufficient memory write check in the SMM service, which could lead to a page fault occurring. An authenticated user could use this issue to potentially escalate their privileges, disclose information and/or create a denial of service via local access. (CVE-2018-12182) It was discovered that EDK II incorrectly handled memory in DxeCore, which could lead to a stack overflow. An unauthenticated user could this issue to potentially esca...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following package versions: Ubuntu 18.04 LTS ovmf 0~20180205.c0d9813c-2ubuntu0.3+esm1 Available with Ubuntu Pro qemu-efi 0~20180205.c0d9813c-2ubuntu0.3+esm1 Available with Ubuntu Pro qemu-efi-aarch64 0~20180205.c0d9813c-2ubuntu0.3+esm1 Available with Ubuntu Pro qemu-efi-arm 0~20180205.c0d9813c-2ubuntu0.3+esm1 Available with Ubuntu Pro Ubuntu 16.04 LTS ovmf 0~20160408.ffea0a2c-2ubuntu0.2+esm1 Available with Ubuntu Pro qemu-efi 0~20160408.ffea0a2c-2ubuntu0.2+esm1 Available with Ubuntu Pro After a standard system update you need to restart the virtual machines that use the affected firmware to make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-6920-1

CVE-2017-5731, CVE-2018-12182, CVE-2018-12183, CVE-2018-3613,

CVE-2019-0160

Severity
Ubuntu Security Notice USN-6920-1

Package Information

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved