Your message dated Mon, 06 May 2024 13:04:59 +0000
with message-id <e1s3y1b-008gaq...@fasolo.debian.org>
and subject line Bug#1061519: fixed in shim 15.8-1
has caused the Debian Bug report #1061519,
regarding shim: CVE-2023-40546 CVE-2023-40547 CVE-2023-40548 CVE-2023-40549 CVE-2023-40550 CVE-2023-40551
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1061519: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061519
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: shim
Version: 15.7-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 15.7-1~deb11u1

Hi,

The following vulnerabilities were published for shim.

According to [6]:

* Various CVE fixes:
  CVE-2023-40546 mok: fix LogError() invocation
  CVE-2023-40547 - avoid incorrectly trusting HTTP headers
  CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
  CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
  CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
  CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-40546
    https://www.cve.org/CVERecord?id=CVE-2023-40546
[1] https://security-tracker.debian.org/tracker/CVE-2023-40547
    https://www.cve.org/CVERecord?id=CVE-2023-40547
[2] https://security-tracker.debian.org/tracker/CVE-2023-40548
    https://www.cve.org/CVERecord?id=CVE-2023-40548
[3] https://security-tracker.debian.org/tracker/CVE-2023-40549
    https://www.cve.org/CVERecord?id=CVE-2023-40549
[4] https://security-tracker.debian.org/tracker/CVE-2023-40550
    https://www.cve.org/CVERecord?id=CVE-2023-40550
[5] https://security-tracker.debian.org/tracker/CVE-2023-40551
    https://www.cve.org/CVERecord?id=CVE-2023-40551
[6] https://github.com/rhboot/shim/releases/tag/15.8

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: shim
Source-Version: 15.8-1
Done: Steve McIntyre <93...@debian.org>

We believe that the bug you reported is fixed in the latest version of
shim, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1061...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve McIntyre <93...@debian.org> (supplier of updated shim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Sat, 04 May 2024 23:29:52 +0100
Source: shim
Architecture: source
Version: 15.8-1
Distribution: unstable
Urgency: medium
Maintainer: Debian EFI team <debian-...@lists.debian.org>
Changed-By: Steve McIntyre <93...@debian.org>
Closes: 936009 1043485 1046268 1054210 1057606 1061519 1064220 1069054
Changes:
 shim (15.8-1) unstable; urgency=medium
 .
   [ Steve McIntyre ]
   * Cope with changes in pesign packaging. Closes: #1057606
   * New upstream release fixing more bugs. Closes: #1061519, #1064220
     + CVE-2023-40546 mok: fix LogError() invocation (Closes: #1054210)
     + CVE-2023-40547 - avoid incorrectly trusting HTTP headers
     + CVE-2023-40548 Fix integer overflow on SBAT section size on
       32-bit system
     + CVE-2023-40549 Authenticode: verify that the signature header is
       in bounds.
     + CVE-2023-40550 pe: Fix an out-of-bound read in
       verify_buffer_sbat()
     + CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
   * Remove all our previous patches, no longer needed:
     + Make-sbat_var.S-parse-right-with-buggy-gcc-binutils.patch (now
       upstream)
     + Enable-NX.patch (we don't want NX just yet until the whole boot
       stack is NX-capable)
     + block-grub-sbat3-debian.patch (not needed now upstream grub SBAT
       is 4)
   * Cherry-pick 2 new patches from upstream for grub revocations:
     + 0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
     + 0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
   * NOTE: Stop building for i386
     + Debian kernels are no longer signed for i386, it's time to stop
       supporting i386 SB.
   * Log if the build is nx-compatible or not
   * Force shim to use the latest revocations by default to block some
     older grub / peimage issues. This is:
     "shim,4\ngrub,4\ngrub.peimage,2\n"
   * Install a copy of the Debian CA certificate into /usr/share/shim.
     Closes: #1069054
   * Clean up better after build. Closes: #1046268
 .
   [ Bastien Roucariès ]
   * Port autopkgtest from ubuntu
   * Import MR-12: "shim-unsigned:amd64 cannot be installed alongside
     shim-unsigned:i386", thanks to adrian15 adrian15 (Closes: #936009).
   * Fix debian/watch and check signature (Closes: #1043485)



--- End Message ---
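The changelog above forces shim to use the latest revocation data by default ("shim,4\ngrub,4\ngrub.peimage,2\n"). As an added example that is not shim's or the Debian package's own code, this shows how such a list is applied to the CSV rows of a binary's .sbat section to decide whether an older grub build is blocked; the two .sbat sections and their vendor fields are constructed.

```python
# Added example; this is not shim's or the Debian package's code. It applies a
# SBAT revocation list, here the default quoted in the changelog, to the CSV
# rows of a PE binary's .sbat section. The .sbat sections below are constructed.

# Default revocation data from the changelog: one "component,min-generation" row per line.
LATEST_REVOCATIONS = b"shim,4\ngrub,4\ngrub.peimage,2\n"

# Constructed .sbat sections, NUL-padded like a real PE section; not from real binaries.
OLD_GRUB_SBAT = (b"sbat,1,SBAT Version,sbat,1,https://example.invalid/SBAT.md\n"
                 b"grub,3,Example Vendor,grub2,2.06,https://example.invalid/\n"
                 b"grub.peimage,1,Example Vendor,grub2,2.06,https://example.invalid/\n"
                 b"\0\0\0\0")
NEW_GRUB_SBAT = (b"sbat,1,SBAT Version,sbat,1,https://example.invalid/SBAT.md\n"
                 b"grub,4,Example Vendor,grub2,2.12,https://example.invalid/\n"
                 b"grub.peimage,2,Example Vendor,grub2,2.12,https://example.invalid/\n"
                 b"\0\0\0\0")


def parse_csv_rows(data: bytes) -> list[tuple[str, int]]:
    """Parse 'component,generation,...' rows from the revocation list or a
    .sbat section. Reads up to the first NUL (section padding) and rejects a
    row with a missing or non-numeric generation rather than guessing."""
    text = data.split(b"\0", 1)[0].decode("ascii")
    rows = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(",")
        if len(fields) < 2 or not fields[1].strip().isdigit():
            raise ValueError(f"row {n}: malformed SBAT entry {line!r}")
        rows.append((fields[0].strip(), int(fields[1])))
    return rows


def sbat_violations(sbat_section: bytes, revocations: bytes) -> list[str]:
    """Return the entries that block the binary; an empty list means it passes.
    Only components named in the revocation list are checked, and a binary is
    blocked when its generation for such a component is below the required one."""
    required = dict(parse_csv_rows(revocations))
    violations = []
    for component, generation in parse_csv_rows(sbat_section):
        needed = required.get(component)
        if needed is not None and generation < needed:
            violations.append(f"{component}: generation {generation} < required {needed}")
    return violations


if __name__ == "__main__":
    for name, section in (("old grub", OLD_GRUB_SBAT), ("new grub", NEW_GRUB_SBAT)):
        print(name, sbat_violations(section, LATEST_REVOCATIONS) or "allowed")
```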