From 914e0d4b4e918df823ce838e690aa6bcb36bd001 Mon Sep 17 00:00:00 2001
From: Jared Baur
Date: Tue, 16 Jan 2024 22:39:59 -0800
Subject: [PATCH] Provide patches for new networking vulnerabilities in EDK2

See CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235 and CVE-2022-36764. Rundown on CVEs: https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html Patches found from https://bugzilla.tianocore.org/show_bug.cgi?id=4518 and https://bugzilla.tianocore.org/show_bug.cgi?id=4118.

---
 pkgs/uefi-firmware/default.nix | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/pkgs/uefi-firmware/default.nix b/pkgs/uefi-firmware/default.nix
index e13ebc1..14142d2 100644
--- a/pkgs/uefi-firmware/default.nix
+++ b/pkgs/uefi-firmware/default.nix
@@ -2,6 +2,7 @@
 , stdenv
 , buildPackages
 , fetchFromGitHub
+, fetchurl
 , fetchpatch
 , fetchpatch2
 , runCommand
@@ -216,7 +217,22 @@ let
     chmod -R u+w BaseTools
   '';
 
-  patches = opensslPatches ++ edk2UefiPatches;
+  patches = opensslPatches ++ edk2UefiPatches ++ [
+    (fetchurl {
+      # Patch format does not play well with fetchpatch, it should be fine this is a static attachment in a ticket
+      name = "CVE-2023-45229_CVE-2023-45230_CVE-2023-45231_CVE-2023-45232_CVE-2023-45233_CVE-2023-45234_CVE-2023-45235.patch";
+      url = "https://bugzilla.tianocore.org/attachment.cgi?id=1457";
+      hash = "sha256-CF41lbjnXbq/6DxMW6q1qcLJ8WAs+U0Rjci+jRwJYYY=";
+    })
+    (fetchpatch {
+      name = "CVE-2022-36764.patch";
+      url = "https://bugzilla.tianocore.org/attachment.cgi?id=1436";
+      hash = "sha256-czku8DgElisDv6minI67nNt6BS+vH6txslZdqiGaQR4=";
+      excludes = [
+        "SecurityPkg/Test/SecurityPkgHostTest.dsc"
+      ];
+    })
+  ];
 
   postPatch = ''
     # This has been taken from:
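Review bot: The two new patch entries in the `patches` hunk do not record when they can be dropped, so a future bump of the EDK2 source will carry bugzilla attachments that may already be upstream or may stop applying. Each entry should name the upstream fix it mirrors, e.g. a comment above the `fetchurl` block such as `# PixieFail (NetworkPkg) fixes from tianocore bug 4518; drop once the pinned EDK2 source includes the upstream commits` and likewise `# tianocore bug 4118; drop once upstream` above the `fetchpatch` block. The existing comment on the `fetchurl` entry is a run-on and should state the actual reasoning, e.g. `# This attachment is not in a format fetchpatch can normalize; plain fetchurl is acceptable because the hash pins the exact attachment bytes`. The `excludes` on the second entry silently drops a hunk touching `SecurityPkg/Test/SecurityPkgHostTest.dsc`; a one-line comment saying why that file is absent or unwanted in this tree would save the next reader from re-checking the attachment. The enclosing `let` block starts outside the hunk.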