GHSA-2689-5p89-6j3j
UEFI Firmware Parser has a stack out-of-bounds write in tiano decompressor MakeTable
상세
`uefi-firmware` contains a stack out-of-bounds write vulnerability in the native tiano/EFI decompressor. in `uefi_firmware/compression/Tiano/Decompress.c`, `MakeTable()` does not validate that bit-length values read from the compressed bitstream are within the expected range (`0..16`). a crafted firmware blob can supply bit lengths greater than `16`, causing out-of-bounds writes to the stack-allocated `Count[17]` array and related decode tables.
reachability is through the normal parsing path: `CompressedSection.process()` -> `efi_compressor.TianoDecompress()` -> `TianoDecompress()` -> `ReadPTLen()` -> `MakeTable()`.
Minimum impact is a deterministic crash; depending on build/runtime details, the stack memory corruption may be exploitable for code execution in the context of the parsing process. this project shipped its own copy of the decompressor without the upstream EDK2 hardening for this bug class.
References:
- PR: <https://github.com/theopolis/uefi-firmware-parser/pull/145> - fix commit: <https://github.com/theopolis/uefi-firmware-parser/commit/bf3dfaa8a05675bae6ea0cbfa082ddcebfcde23e> - upstream related fixes: CVE-2017-5731, CVE-2017-5732, CVE-2017-5733, CVE-2017-5734, CVE-2017-5735
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
0 No fixed version published yet for uefi-firmware (pip). Pin to a known-safe version or switch to an alternative.
참고
- https://github.com/theopolis/uefi-firmware-parser/security/advisories/GHSA-2689-5p89-6j3j [WEB]
- https://github.com/theopolis/uefi-firmware-parser/pull/145 [WEB]
- https://github.com/theopolis/uefi-firmware-parser/commit/bf3dfaa8a05675bae6ea0cbfa082ddcebfcde23e [WEB]
- https://github.com/theopolis/uefi-firmware-parser [PACKAGE]