Bug 1694077 (CVE-2018-12183) - CVE-2018-12183 edk2: stack overflow in DxeCore leads to privilege escalation
Summary: CVE-2018-12183 edk2: stack overflow in DxeCore leads to privilege escalation
Alias: CVE-2018-12183
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1694086 1694085
Blocks: 1694083
TreeView+ depends on / blocked
Reported: 2019-03-29 13:01 UTC by Dhananjay Arunesh
Modified: 2021-02-16 22:10 UTC (History)
17 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-06-10 10:52:38 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
TianoCore 1137 0 None None None 2019-08-01 19:41:44 UTC

Description Dhananjay Arunesh 2019-03-29 13:01:51 UTC
Stack overflow in DxeCore for EDK II may allow an unauthenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via local access.


Upstream commit:

Comment 1 Dhananjay Arunesh 2019-03-29 13:02:17 UTC
External References:


Comment 2 Dhananjay Arunesh 2019-03-29 13:35:17 UTC
Created edk2 tracking bugs for this issue:

Affects: fedora-all [bug 1694085]

Comment 3 Dhananjay Arunesh 2019-03-29 13:36:09 UTC
Created edk2 tracking bugs for this issue:

Affects: epel-all [bug 1694086]

Comment 4 Laszlo Ersek 2019-04-01 16:36:04 UTC
(In reply to Dhananjay Arunesh from comment #1)
> External References:
> https://edk2-docs.gitbooks.io/security-advisory/content/unlimited-fv-
> recursion.html

This advisory references upstream bugs #1126 and #1137.

- TianoCore#1126 is open to the public, and it identifies the commit hash (0a0d5296e4) at which the related series was completed. I don't see how that work is related to DxeCore stack overflow. The advisory names the same commit as well. IMO both of these may have been in error, in the advisory (i.e. both the commit hash and the BZ reference); although I could be proved wrong, obviously.

- In comparison, TianoCore#1137 has not been opened up to the public. I guess that BZ tracks the actual security bug. Can you please work with the TianoCore Bugzilla InfoSec group to open up TianoCore#1137? Thanks.

Note You need to log in before you can comment on or make changes to this bug.