Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2020-11-05 21:54:40 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.11331 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim" Thu Nov 5 21:54:40 2020 rev:89 rq:845886 version:15+git47 Changes: -------- --- /work/SRC/openSUSE:Factory/shim/shim.changes 2020-10-24 15:14:56.924063819 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.11331/shim.changes 2020-11-05 21:55:22.516122752 +0100 @@ -1,0 +2,19 @@ +Wed Nov 4 05:53:35 UTC 2020 - Gary Ching-Pang Lin <g...@suse.com> + +- Disable the signature attachment for AArch64 temporarily until + we get a real one. + +------------------------------------------------------------------- +Mon Nov 2 06:52:13 UTC 2020 - Gary Ching-Pang Lin <g...@suse.com> + +- Add shim-bsc1177315-verify-eku-codesign.patch to check CodeSign + in the signer's EKU (bsc#1177315) +- Add shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch + to fix NULL pointer dereference in AuthenticodeVerify() + (bsc#1177789, CVE-2019-14584) +- shim-install: Support changing default shim efi binary in + /usr/etc/default/shim and /etc/default/shim (bsc#1177315) +- Add shim-bsc1177315-fix-buffer-use-after-free.patch to fix buffer + use-after-free at the end of the EKU verification (bsc#1177315) + +------------------------------------------------------------------- New: ---- shim-bsc1177315-fix-buffer-use-after-free.patch shim-bsc1177315-verify-eku-codesign.patch shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim.spec ++++++ --- /var/tmp/diff_new_pack.xUi9NJ/_old 2020-11-05 21:55:23.600120315 +0100 +++ /var/tmp/diff_new_pack.xUi9NJ/_new 2020-11-05 21:55:23.600120315 +0100 
@@ -91,6 +91,12 @@ Patch13: shim-bsc1177404-fix-a-use-of-strlen.patch # PATCH-FIX-UPSTREAM shim-bsc1175509-more-tpm-fixes.patch bsc#1175509 g...@suse.com -- Fix the file path in tpm event log Patch14: shim-bsc1175509-more-tpm-fixes.patch +# PATCH-FIX-SUSE shim-bsc1177315-verify-eku-codesign.patch bsc#1177315 g...@suse.com -- Verify CodeSign in the signer's EKU +Patch15: shim-bsc1177315-verify-eku-codesign.patch +# PATCH-FIX-UPSTREAM shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch bsc#1177789 g...@suse.com -- Fix the NULL pointer dereference in AuthenticodeVerify() +Patch16: shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch +# PATCH-FIX-SUSE shim-bsc1177315-fix-buffer-use-after-free.patch bsc#1177315 g...@suse.com -- Fix buffer use-after-free at the end of the EKU verification +Patch17: shim-bsc1177315-fix-buffer-use-after-free.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not Patch100: shim-opensuse-cert-prompt.patch BuildRequires: gnu-efi >= 3.0.3 @@ -146,6 +152,9 @@ %patch12 -p1 %patch13 -p1 %patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 %if 0%{?is_opensuse} == 1 %patch100 -p1 %endif @@ -186,7 +195,9 @@ signature=%{SOURCE1} %else # AArch64 signature - signature=%{SOURCE12} + # Disable AArch64 signature attachment temporarily + # until we get a real one. + #signature=%{SOURCE12} %endif elif test "$suffix" = "sles"; then cert=%{SOURCE4} @@ -195,7 +206,9 @@ signature=%{SOURCE11} %else # AArch64 signature - signature=%{SOURCE13} + # Disable AArch64 signature attachment temporarily + # until we get a real one. + #signature=%{SOURCE13} %endif elif test "$suffix" = "devel"; then cert=%{_sourcedir}/_projectcert.crt ++++++ shim-bsc1177315-fix-buffer-use-after-free.patch ++++++ >From 049bf5c1bd83643b9a6e8b7e67ea51ef7076cbc6 Mon Sep 17 00:00:00 2001 
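Review bot: Commenting out `signature=%{SOURCE12}` (and `%{SOURCE13}` in the second AArch64 hunk) leaves `signature` holding whatever it had before the branch instead of an explicitly empty value, so if this `if/elif` over `$suffix` is evaluated more than once in the same shell a previous suffix's signature could be attached to the AArch64 binary; the code that consumes `$signature` is outside the hunk, so I cannot confirm it tolerates an unset variable. Replace the commented-out assignment with an explicit `signature=` under the existing comment so the intent is executable rather than implied, and make sure the attach step skips cleanly when it is empty. The comment should also state the consequence outright: an AArch64 shim built without a signature will not be trusted by Secure Boot firmware unless enrolled by other means. Separately, Patch17 is tagged `PATCH-FIX-SUSE` although its own header says it merges an edk2 upstream change; `PATCH-FIX-UPSTREAM` would match Patch16.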
From: Gary Lin <g...@suse.com> Date: Thu, 22 Oct 2020 14:00:04 +0800 Subject: [PATCH] Cryptlib/CryptPkcs7VerifyEku: fix buffer use-after-free Merge the patch from edk2 upstream: https://bugzilla.tianocore.org/show_bug.cgi?id=2459 Since SignerCert is actually a part of Pkcs7, PKCS7_free() also fress SignerCert, so there is no need to free SignerCert. Signed-off-by: Gary Lin <g...@suse.com> --- Cryptlib/Pk/CryptPkcs7VerifyEku.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/Cryptlib/Pk/CryptPkcs7VerifyEku.c b/Cryptlib/Pk/CryptPkcs7VerifyEku.c index d086886..2c172e2 100644 --- a/Cryptlib/Pk/CryptPkcs7VerifyEku.c +++ b/Cryptlib/Pk/CryptPkcs7VerifyEku.c @@ -507,10 +507,6 @@ Exit: free (SignedData); } - if (SignerCert != NULL) { - X509_free (SignerCert); - } - if (Pkcs7 != NULL) { PKCS7_free (Pkcs7); } -- 2.28.0 ++++++ shim-bsc1177315-verify-eku-codesign.patch ++++++ ++++ 697 lines (skipped) ++++++ shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch ++++++ >From 928984f771e27d0a64def166bbc5137ce1859fe8 Mon Sep 17 00:00:00 2001 From: Gary Lin <g...@suse.com> Date: Fri, 16 Oct 2020 15:24:44 +0800 Subject: [PATCH] Cryptlib/CryptAuthenticode: fix NULL pointer dereference in AuthenticodeVerify() Merge the fix from edk2 upstream: https://bugzilla.tianocore.org/show_bug.cgi?id=1914 https://edk2.groups.io/g/devel/message/66309 Signed-off-by: Gary Lin <g...@suse.com> --- Cryptlib/Pk/CryptAuthenticode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cryptlib/Pk/CryptAuthenticode.c b/Cryptlib/Pk/CryptAuthenticode.c index 74e50a2..faa1efd 100644 --- a/Cryptlib/Pk/CryptAuthenticode.c +++ b/Cryptlib/Pk/CryptAuthenticode.c 
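Review bot: Dropping the `X509_free (SignerCert)` block is correct only while `SignerCert` is borrowed from `Pkcs7` (a get0-style accessor) so that `PKCS7_free` releases it, and nothing left in the hunk records that ownership; the next maintainer who sees an unfreed `X509 *` in the `Exit:` cleanup is likely to re-add the free and reintroduce the double free. Add a comment where the removed block stood, e.g. `/* SignerCert is owned by Pkcs7 and released by PKCS7_free(); do not X509_free() it. */`. If any path in the function assigns `SignerCert` from an owning call (d2i/dup), that path now leaks instead; the function start and the rest of the `Exit:` cleanup are outside the hunk, so this should be checked against the full file.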
@@ -106,7 +106,7 @@ AuthenticodeVerify ( // // Check if it's PKCS#7 Signed Data (for Authenticode Scenario) // - if (!PKCS7_type_is_signed (Pkcs7)) { + if (!PKCS7_type_is_signed (Pkcs7) || PKCS7_get_detached (Pkcs7)) { goto _Exit; } -- 2.28.0 ++++++ shim-install ++++++ --- /var/tmp/diff_new_pack.xUi9NJ/_old 2020-11-05 21:55:23.728120028 +0100 +++ /var/tmp/diff_new_pack.xUi9NJ/_new 2020-11-05 21:55:23.728120028 +0100 @@ -25,6 +25,15 @@ def_grub_efi="${source_dir}/grub.efi" def_boot_efi= +[ ! -r /usr/etc/default/shim ] || . /usr/etc/default/shim +[ ! -r /etc/default/shim ] || . /etc/default/shim + +if [ -z "$def_shim_efi" ] ; then + def_shim_efi="shim.efi" +fi + +source_shim_efi="${source_dir}/${def_shim_efi}" + if [ x${arch} = xx86_64 ] ; then grub_install_target="x86_64-efi" def_boot_efi="bootx64.efi" @@ -288,14 +297,14 @@ cp "$source_grub_efi" "${efidir}/grub.efi" if test "$efidir" != "$efibootdir" ; then - cp "${source_dir}/shim.efi" "${efidir}" + cp "${source_shim_efi}" "${efidir}/shim.efi" if test -n "$bootloader_id"; then echo "shim.efi,${bootloader_id}" | iconv -f ascii -t ucs2 > "${efidir}/boot.csv" fi fi if test "$update_boot" = "yes"; then - cp "${source_dir}/shim.efi" "${efibootdir}/${def_boot_efi}" + cp "$source_shim_efi" "${efibootdir}/${def_boot_efi}" if test "$removable" = "no"; then cp "${source_dir}/fallback.efi" "${efibootdir}" # bsc#1175626, bsc#1175656 Since shim 15, loading MokManager becomes
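Review bot: The new condition is safe only because `||` short-circuits: `PKCS7_get_detached (Pkcs7)` inspects the signed-data content pointer, which is only meaningful once `PKCS7_type_is_signed (Pkcs7)` has passed, so the two operands must not be reordered and that dependency deserves a comment. The comment block above still says only "Check if it's PKCS#7 Signed Data"; extend it with something like `// Also reject detached signatures: the signed content must be embedded, otherwise the later content access dereferences NULL (CVE-2019-14584).` The enclosing AuthenticodeVerify body continues on both sides of the hunk.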
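Review bot: `def_shim_efi` is taken from the sourced config files and used unchecked as a path component in `source_shim_efi="${source_dir}/${def_shim_efi}"`, so a value containing a slash escapes `source_dir`, and a misspelled value is only reported later by the `cp` in the install hunk, if at all; whether the script runs under `set -e` is decided outside this hunk. Reject anything that is not a bare file name and fail early if the binary is missing, e.g. `case "$def_shim_efi" in */*) echo "def_shim_efi must be a plain file name: '$def_shim_efi'" >&2; exit 1;; esac` followed by `[ -r "$source_shim_efi" ] || { echo "$source_shim_efi: no such shim binary" >&2; exit 1; }`, using whatever exit convention the rest of the script follows. Sourcing `/usr/etc/default/shim` and then `/etc/default/shim` executes those files as shell, which is the usual contract for root-owned `/etc/default` configuration, but a one-line comment stating the vendor-then-admin override order would help readers.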
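Review bot: The two new `cp` lines quote the same variable differently (`"${source_shim_efi}"` versus `"$source_shim_efi"`); pick one form, matching the `"$source_grub_efi"` line two lines above. The destination is now always `shim.efi` (or `${def_boot_efi}`) regardless of what `def_shim_efi` names, which is what the `boot.csv` entry written just below expects, so a comment such as `# the configured shim binary is always installed under its canonical name` would stop someone later "fixing" the rename. The enclosing block starts before the hunk and continues after it.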