Bug 1218679 (CVE-2022-36764) - VUL-0: CVE-2022-36764: ovmf,EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise
Status: IN_PROGRESS
Alias: CVE-2022-36764
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: Joey Lee
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/390489/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-36764:7.0:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-01-10 05:27 UTC by SMASH SMASH
Modified: 2024-05-17 11:24 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-01-10 05:27:03 UTC
EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36764
https://www.cve.org/CVERecord?id=CVE-2022-36764
https://github.com/tianocore/edk2/security/advisories/GHSA-4hcq-p8q8-hj8j
Comment 2 Joey Lee 2024-01-12 04:10:05 UTC
(In reply to SMASH SMASH from comment #0)
> EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() function,
> allowing a user to trigger a heap buffer overflow via a local network.
> Successful exploitation of this vulnerability may result in a compromise of
> confidentiality, integrity, and/or availability.
> 
> References:
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36764
> https://www.cve.org/CVERecord?id=CVE-2022-36764
> https://github.com/tianocore/edk2/security/advisories/GHSA-4hcq-p8q8-hj8j

The patch in the above edk2 bug is still under review. I will backport the patch after it is merged to edk2 mainline.
Comment 3 Joey Lee 2024-02-06 06:48:37 UTC
(In reply to Joey Lee from comment #2)
> (In reply to SMASH SMASH from comment #0)
> > EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() function,
> > allowing a user to trigger a heap buffer overflow via a local network.
> > Successful exploitation of this vulnerability may result in a compromise of
> > confidentiality, integrity, and/or availability.
> > 
> > References:
> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36764
> > https://www.cve.org/CVERecord?id=CVE-2022-36764
> > https://github.com/tianocore/edk2/security/advisories/GHSA-4hcq-p8q8-hj8j
> 
> The patch in the above edk2 bug is still under review. I will backport
> the patch after it is merged to edk2 mainline.

Those patches have been merged to edk2 mainline. I will backport them.
Comment 5 Joey Lee 2024-05-08 08:49:27 UTC
commit 8f6d343ae639fba8e4b80e45257275e23083431f                 [edk2-stable202402]
Author: Douglas Flick [MSFT] <doug.edk2@gmail.com>
Date:   Fri Jan 12 02:16:06 2024 +0800

    SecurityPkg: : Adding CVE 2022-36764 to SecurityFixes.yaml

commit 0d341c01eeabe0ab5e76693b36e728b8f538a40e                 [edk2-stable202402]
Author: Douglas Flick [MSFT] <doug.edk2@gmail.com>
Date:   Fri Jan 12 02:16:05 2024 +0800

    SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764

commit c7b27944218130cca3bbb20314ba5b88b5de4aa4                 [edk2-stable202402]
Author: Douglas Flick [MSFT] <doug.edk2@gmail.com>
Date:   Fri Jan 12 02:16:04 2024 +0800

    SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764
Comment 6 Joey Lee 2024-05-08 15:40:45 UTC
commit 264636d8e6983e0f6dc6be2fca9d84ec81315954
Author: Doug Flick <dougflick@microsoft.com>
Date:   Wed Jan 17 14:47:22 2024 -0800

    SecurityPkg: : Updating SecurityFixes.yaml after symbol rename

commit 326db0c9072004dea89427ea3a44393a84966f2b
Author: Doug Flick <dougflick@microsoft.com>
Date:   Wed Jan 17 14:47:21 2024 -0800

    SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117/4118 symbol rename

commit 40adbb7f628dee79156c679fb0857968b61b7620
Author: Doug Flick <dougflick@microsoft.com>
Date:   Wed Jan 17 14:47:20 2024 -0800

    SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117/4118 symbol rename
Comment 7 Joey Lee 2024-05-09 06:10:53 UTC
Backported patches have been submitted to 15-SP6 and are waiting to be merged:

https://build.suse.de/request/show/329676
Comment 10 Joey Lee 2024-05-13 05:03:32 UTC
(In reply to Joey Lee from comment #7)
> Backported patches have been submitted to 15-SP6 and are waiting to be merged:
> 
> https://build.suse.de/request/show/329676

Backported patch has been merged to 15-SP6/ovmf