Accepting request 1142576 from home:dtseng:branches:devel:openSUSE:Factory

bugowner: dtseng Submitting for upgrading shim to v15.8 (bsc#1215099, bsc#1215098,bsc#1215100,bsc#1215101,bsc#1215102,and bsc#1215103) OBS-URL: https://build.opensuse.org/request/show/1142576 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=205
2024-02-01 07:25:56 +00:00 · 2024-02-01 07:25:56 +00:00 · 6e9e2655ab
commit 6e9e2655ab
parent a86220a02f
6 changed files with 97 additions and 104 deletions
--- a/remove_build_id.patch
+++ b/remove_build_id.patch
@ -1,23 +1,22 @@
-Index: shim/shim-15.4/gnu-efi/Make.defaults
+Index: shim-15.8/gnu-efi/Make.defaults
 ===================================================================
--- shim-15.4.orgi/gnu-efi/Make.defaults
-+++ shim-15.4/gnu-efi/Make.defaults
-@@ -205,8 +205,7 @@ ARFLAGS := rDv
- endif
+--- shim-15.8.orig/gnu-efi/Make.defaults
+++ shim-15.8/gnu-efi/Make.defaults
+@@ -205,7 +205,7 @@ endif
 
 ASFLAGS += $(ARCH3264)
-LDFLAGS	+= -nostdlib --warn-common --no-undefined --fatal-warnings \
-	   --build-id=sha1
-+LDFLAGS	+= -nostdlib --warn-common --no-undefined --fatal-warnings
+ LDFLAGS	+= -nostdlib --warn-common --no-undefined --fatal-warnings \
+-	   --build-id=sha1 --no-warn-rwx-segments
+	   --no-warn-rwx-segments
 
 ifneq ($(ARCH),arm)
 export LIBGCC=$(shell $(CC) $(CFLAGS) $(ARCH3264) -print-libgcc-file-name)
-Index: shim/shim-15.4/Make.defaults
+Index: shim-15.8/Make.defaults
 ===================================================================
--- shim-15.4.orig/Make.defaults
-+++ shim-15.4/Make.defaults
-@@ -184,7 +184,7 @@ ifneq ($(origin VENDOR_DBX_FILE), undefi
- DEFINES		+= -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\"
+--- shim-15.8.orig/Make.defaults
+++ shim-15.8/Make.defaults
+@@ -192,7 +192,7 @@ ifneq ($(origin SBAT_AUTOMATIC_DATE), un
+ DEFINES		+= -DSBAT_AUTOMATIC_DATE=$(SBAT_AUTOMATIC_DATE)
 endif
 
 -LDFLAGS		= --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(LOCAL_EFI_PATH) -L$(LIBDIR) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1 $(ARCH_LDFLAGS) --no-undefined
--- a/shim-15.7.tar.bz2
+++ b/shim-15.7.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:87cdeb190e5c7fe441769dde11a1b507ed7328e70a178cd9858c7ac7065cfade
-size 1334863
--- a/shim-15.8.tar.bz2
+++ b/shim-15.8.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a79f0a9b89f3681ab384865b1a46ab3f79d88b11b4ca59aa040ab03fffae80a9
+size 2315201
--- a/shim-Enable-the-NX-compatibility-flag-by-default.patch
+++ b/shim-Enable-the-NX-compatibility-flag-by-default.patch
@ -1,84 +0,0 @@
-From a53b9f7ceec1dfa1487f4d675573449c5b2a16fb Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Thu, 17 Nov 2022 12:31:31 -0500
-Subject: [PATCH] Enable the NX compatibility flag by default.
-
-Currently by default, when we build shim we do not set the PE
-NX-compatibility DLL Characteristic flag.  This signifies to the
-firmware that shim (including the components it loads) is not prepared
-for several related firmware changes:
-
- non-executable stack
- non-executable pages from AllocatePages()/AllocatePool()/etc.
- non-writable 0 page (not strictly related but some firmware will be
-  transitioning at the same time)
- the need to use the UEFI 2.10 Memory Attribute Protocol to set page
-  permissions.
-
-This patch changes that default to be enabled by default.  Distributors
-of shim will need to ensure that either their builds disable this bit
-(using "post-process-pe -N"), or that the bootloaders and kernels you
-support loading are all compliant with this change.  A new make
-variable, POST_PROCESS_PE_FLAGS, has been added to simplify doing so.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
---
- BUILDING          | 3 +++
- Make.defaults     | 2 ++
- Makefile          | 2 +-
- post-process-pe.c | 2 +-
- 4 files changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/BUILDING b/BUILDING
-index 3b2e85d3..17cd98d3 100644
--- a/BUILDING
-+++ b/BUILDING
-@@ -78,6 +78,9 @@ Variables you could set to customize the build:
- - OSLABEL
-   This is the label that will be put in BOOT$(EFI_ARCH).CSV for your OS.
-   By default this is the same value as EFIDIR .
-+- POST_PROCESS_PE_FLAGS
-+  This allows you to add flags to the invocation of "post-process-pe", for
-+  example to disable the NX compatibility flag.
- 
- Vendor SBAT data:
- It will sometimes be requested by reviewers that a build includes extra
-diff --git a/Make.defaults b/Make.defaults
-index c46164a3..9af89f4e 100644
--- a/Make.defaults
-+++ b/Make.defaults
-@@ -139,6 +139,8 @@ CFLAGS		= $(FEATUREFLAGS) \
- 		  $(INCLUDES) \
- 		  $(DEFINES)
- 
-+POST_PROCESS_PE_FLAGS =
-+
- ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
- 	DEFINES	+= -DOVERRIDE_SECURITY_POLICY
- endif
-diff --git a/Makefile b/Makefile
-index a9202f46..f0f53f8f 100644
--- a/Makefile
-+++ b/Makefile
-@@ -255,7 +255,7 @@ endif
- 		-j .rela* -j .dyn -j .reloc -j .eh_frame \
- 		-j .vendor_cert -j .sbat -j .sbatlevel \
- 		$(FORMAT) $< $@
-	./post-process-pe -vv $@
-+	./post-process-pe -vv $(POST_PROCESS_PE_FLAGS) $@
- 
- ifneq ($(origin ENABLE_SHIM_HASH),undefined)
- %.hash : %.efi
-diff --git a/post-process-pe.c b/post-process-pe.c
-index de8f4a38..f39fdddf 100644
--- a/post-process-pe.c
-+++ b/post-process-pe.c
-@@ -42,7 +42,7 @@ static int verbosity;
- 		0;                                               \
- 	})
- 
-static bool set_nx_compat = false;
-+static bool set_nx_compat = true;
- 
- typedef uint8_t UINT8;
- typedef uint16_t UINT16;
--- a/shim.changes
+++ b/shim.changes
@ -1,3 +1,84 @@
+-------------------------------------------------------------------
+Sun Jan 28 09:32:32 UTC 2024 - Dennis Tseng <dennis.tseng@suse.com>
+
+-- Update to version 15.8
+    - Various CVE fixes are already merged into this version
+        mok: fix LogError() invocation (bsc#1215099,CVE-2023-40546)
+        avoid incorrectly trusting HTTP headers (bsc#1215098,CVE-2023-40547)
+        Fix integer overflow on SBAT section size on 32-bit system (bsc#1215100,CVE-2023-40548)
+        Authenticode: verify that the signature header is in bounds (bsc#1215101,CVE-2023-40549)
+        pe: Fix an out-of-bound read in verify_buffer_sbat() (bsc#1215102,CVE-2023-40550)
+        pe-relocate: Fix bounds check for MZ binaries (bsc#1215103,CVE-2023-40551)
+    - remove shim-Enable-the-NX-compatibility-flag-by-default.patch
+        The codes in this patch are already existing in shim-15.8
+        The NX flag is disable which is same as the default value of shim-15.8, 
+        hence, not need to enable it by this patch now.
+    - Patches (git log --oneline --reverse 15.7..15.8)
+        657b248 Make sbat_var.S parse right with buggy gcc/binutils
+        7c76425 Enable the NX compatibility flag by default.
+        89972ae CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper
+        c7b3051 pe: Align section size up to page size for mem attrs
+        e4f40ae pe: Add IS_PAGE_ALIGNED macro
+        f23883c Don't loop forever in load_certs() with buggy firmware
+        1f38cb3 Optionally allow to keep shim protocol installed
+        102a658 Drop invalid calls to `CRYPTO_set_mem_functions`
+        aae3df0 test-sbat: Fix exit code
+        cca3933 Block Debian grub binaries with SBAT < 4
+        cf59f34 Further improve load_certs() for non-compliant drivers/firmwares
+        0601f44 SBAT-related documents formatting and spelling
+        0640e13 Add a security contact email address in README.md
+        0bfc397 Work around malformed path delimiters in file paths from DHCP
+        a8b0b60 pe: only process RelocDir->Size of reloc section
+        f7a4338 Skip testing msleep()
+        549d346 Rename 'msecs' to 'usecs' to avoid potential confusion
+        908c388 Change type of fallback_verbose_wait from int to unsigned long
+        05eae92 Add SbatLevel_Variable.txt to document the various revocations
+        243f125 Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL
+        89d25a1 Add a make rule for compile_commands.json
+        118ff87 Add gnu-stack notes
+        f132655 test: Make our fake dprintf be a statement.
+        be00279 Remove CentOS 7 test builds.
+        9964960 Split pe.c up even more.
+        569270d Test (and fix) ImageAddress()
+        61e9894 Verify signature before verifying sbat levels
+        1578b55 Add libFuzzer support for csv.c
+        a0673e3 Fix a 1-byte memory leak in .sbat parsing.
+        e246812 Add libFuzzer support to the .sbat parser.
+        fd43eda Work around ImageAddress() usage mistake
+        1e985a3 Correctly free memory allocated in handle_image()
+        dbbe3c8 mok: Avoid underflow in maximum variable size calculation
+        04111d4 Make some of the static analysis tools a little easier to run
+        7ba7440 compile_commands.json: remove stuff clang doesn't like
+        66e6579 CVE-2023-40546 mok: fix LogError() invocation
+        f271826 Add primitives for overflow-checked arithmetic operations.
+        8372147 pe-relocate: Add a fuzzer for read_header()
+        5a5147d CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
+        e912071 pe-relocate: make read_header() use checked arithmetic operations.
+        93ce255 CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
+        e7f5fdf pe-relocate: Ensure nothing else implements CVE-2023-40550
+        afdc503 CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
+        96dccc2 CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
+        dae82f6 Further mitigations against CVE-2023-40546 as a class
+        ea0f9df Allow SbatLevel data from external binary
+        b078ef2 Always clear SbatLevel when Secure Boot is disabled
+        7dfb687 BS Variables for bootmgr revocations
+        a967c0e shim should not self revoke
+        577cedd Print message when refusing to apply SbatLevel
+        e801b0d sbat revocations: check the full section name
+        0226b56 CVE-2023-40547 - avoid incorrectly trusting HTTP headers
+        6f0c8d2 Print errors when setting/clearing memory attrs
+        57c0eed Updated Revocations for January 2024 CVEs
+        49c6d95 Fix some minor ia32 build issues.
+        be8ff7c post-process-pe: Don't set the NX_COMPAT flag by default after all.
+        13abd9f pe-relocate: Avoid __builtin_add_overflow() on GCC < 5
+        c46c975 Suppress "Failed to open <..>\revocations.efi" when file does not exist
+        30a4f37 Rename "previous" revocations to "automatic"
+        6f395c2 Build time selectable automatic SBATLevel revocations
+        a23e2f0 netboot read_image() should not hardcode DEFAULT_LOADER
+        993a345 Try to load revocations.efi even if directory read fails
+        1770a03 gitmodules: use shim-15.8 for gnu-efi branch
+        5914984 (HEAD -> main, tag: latest-release, tag: 15.8, origin/main, origin/HEAD) Bump version to 15.8 
+
 -------------------------------------------------------------------
 Thu Oct  5 13:19:48 UTC 2023 - Ludwig Nussel <lnussel@suse.com>

--- a/shim.spec
+++ b/shim.spec
@ -36,7 +36,7 @@
 %endif

 Name:           shim
-Version:        15.7
+Version:        15.8
 Release:        0
 Summary:        UEFI shim loader
 License:        BSD-2-Clause
@ -75,8 +75,6 @@ Patch3:         shim-bsc1177315-verify-eku-codesign.patch
 Patch4:         remove_build_id.patch
 # PATCH-FIX-SUSE shim-disable-export-vendor-dbx.patch bsc#1185261 glin@suse.com -- Disable exporting vendor-dbx to MokListXRT
 Patch5:         shim-disable-export-vendor-dbx.patch
-# PATCH-FIX-UPSTREAM shim-Enable-the-NX-compatibility-flag-by-default.patch jlee@suse.com -- Enable the NX compatibility flag by default
-Patch6:         shim-Enable-the-NX-compatibility-flag-by-default.patch
 BuildRequires:  dos2unix
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl >= 0.9.8
@ -126,7 +124,6 @@ The source code of UEFI shim loader
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
-%patch6 -p1

 %build
 # generate the vendor SBAT metadata