From af029e918ccc7b6532d68600807e6c4de818543085a26219a888b3d444240387 Mon Sep 17 00:00:00 2001 From: Robert Frohl Date: Thu, 22 Jan 2026 13:13:25 +0100 Subject: [PATCH] Update submodules from pool/sbctl#1 and create patchinfo.20260122121240008027.93181000773252/_patchinfo --- .../_patchinfo | 72 +++++++++++++++++++ sbctl | 2 +- 2 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 patchinfo.20260122121240008027.93181000773252/_patchinfo diff --git a/patchinfo.20260122121240008027.93181000773252/_patchinfo b/patchinfo.20260122121240008027.93181000773252/_patchinfo new file mode 100644 index 0000000..dfe7f73 --- /dev/null +++ b/patchinfo.20260122121240008027.93181000773252/_patchinfo 
@@ -0,0 +1,72 @@ + + + + + VUL-0: CVE-2025-47911: sbctl: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents + VUL-0: CVE-2025-58190: sbctl: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input + VUL-0: CVE-2025-58058: sbctl: github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory + jubalh + moderate + security + Security update for sbctl + This update for sbctl fixes the following issues: + +Changes in sbctl: + +- Upgrade the embedded golang.org/x/net to 0.46.0 + * Fixes: bsc#1251399, CVE-2025-47911: various algorithms with + quadratic complexity when parsing HTML documents + * Fixes: bsc#1251609, CVE-2025-58190: excessive memory consumption + by 'html.ParseFragment' when processing specially crafted input + +- Update to version 0.18: + * logging: fixup new go vet warning + * workflows: add cc for cross compile + * workflow: add sudo to apt + * workflow: add pcsclite to ci + * workflow: try enable cgo + * go.mod: update golang.org/x/ dependencies + * fix: avoid adding bogus Country attribute to subject DNs + * sbctl: only store file if we did actually sign the file + * installkernel: add post install hook for Debian's traditional installkernel + * CI: missing libpcsclite pkg + * workflows: add missing depends and new pattern keyword + * Add yubikey example for create keys to the README + * Initial yubikey backend keytype support + * verify: ensure we pass args in correct order + +- bsc#1248949 (CVE-2025-58058): + Bump xz to 0.5.14 + +- Update to version 0.17: + * Ensure we don't wrongly compare input/output files when signing + * Added --json supprt to sbctl verify + * Ensure sbctl setup with no arguments returns a helpful output + * Import latest Microsoft keys for KEK and db databases + * Ensure we print the path of the file when encountering an invalid PE file + * Misc fixups in tests + * Misc typo fixes in prints + +- Update to version 0.16: + * 
Ensure sbctl reads --config even if /etc/sbctl/sbctl.conf is + present + * Fixed a bug where sbctl would abort if the TPM eventlog + contains the same byte multiple times + * Fixed a landlock bug where enroll-keys --export did not work + * Fixed a bug where an ESP mounted to multiple paths would not be + detected + * Exporting keys without efivars present work again + * sbctl sign will now use the saved output path if the signed + file is enrolled + * enroll-keys --append will now work without --force. +- Updates from version 0.15.4: + * Fixed an issue where sign-all did not report a non-zero exit + code when something failed + * Fixed and issue where we couldn't write to a file with landlock + * Fixed an issue where --json would print the human readable + output and the json + * Fixes landlock for UKI/bundles by disabling the sandbox feature + * Some doc fixups that mentioned /usr/share/ + + sbctl + diff --git a/sbctl b/sbctl index c8315ff..ff582da 160000 --- a/sbctl +++ b/sbctl @@ -1 +1 @@ -Subproject commit c8315ff856eb381cc2a72b052209eb0275ed9a35f22d26e6cc950578ddaad02e +Subproject commit ff582da4e20183500f564032bdc70e404ec4c0bdb488f91de019e6766c626684 -- 2.51.1
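Review bot: In the _patchinfo description, the CVE-2025-58058 entry ("bsc#1248949 (CVE-2025-58058): Bump xz to 0.5.14") is formatted differently from the two golang.org/x/net entries and leaves out the one-line summary that the issue title carries (github.com/ulikunitz/xz leaks memory). Suggest writing it in the same "Fixes: bsc#..., CVE-...: summary" form and moving it up beside the x/net entries, so all three security fixes can be read before the upstream changelog for 0.15.4 through 0.18. The description also contains typos that would ship in the advisory text: "--json supprt" and "Fixed and issue".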
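Review bot: The sbctl gitlink change (c8315ff to ff582da) is the only line that actually delivers the fixes, and nothing in this commit lets a reviewer confirm that the new submodule commit contains golang.org/x/net 0.46.0 and xz 0.5.14 as the patchinfo states. Suggest naming the resulting sbctl package version or the relevant changes entry from pool/sbctl#1 in the commit message, and checking go.mod or the embedded modules at ff582da against those two versions before accepting.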