ALAS2-2019-1273 --- edk2
ID: oval:org.secpod.oval:def:1700511 | Date: (C)2020-11-27 (M)2024-01-29 |
Class: PATCH | Family: unix |
Logic error in FV parsing in MdeModulePkg\Core\Pei\FwVol\FwVol.c

Logic issue in variable service module for EDK II/UDK2018/UDK2017/UDK2015 may allow an authenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via local access.

A missing check leads to an out-of-bounds read and write flaw in NetworkPkg/DnsDxe as shipped in edk2, when it parses DNS responses. A remote attacker who controls the DNS server used by the vulnerable firmware may use this flaw to make the system crash.

Improper DNS packet size check

Privilege escalation via heap-based buffer overflow in Decode function

Privilege escalation via heap-based buffer overflow in MakeTable function

Privilege escalation via processing of malformed files in TianoCompress.c

Privilege escalation via processing of malformed files in BaseUefiDecompressLib.c

A stack-based buffer overflow was discovered in edk2 when the HII database contains a Bitmap that claims to be 4-bit or 8-bit per pixel, but the palette contains more than 16 or 256 colors.

Buffer overflow in BlockIo service for EDK II may allow an unauthenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via network access