Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2020-11-05 21:54:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and      /work/SRC/openSUSE:Factory/.shim.new.11331 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "shim"

Thu Nov  5 21:54:40 2020 rev:89 rq:845886 version:15+git47

Changes:
--------
--- /work/SRC/openSUSE:Factory/shim/shim.changes        2020-10-24 
15:14:56.924063819 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new.11331/shim.changes     2020-11-05 
21:55:22.516122752 +0100
@@ -1,0 +2,19 @@
+Wed Nov  4 05:53:35 UTC 2020 - Gary Ching-Pang Lin <g...@suse.com>
+
+- Disable the signature attachment for AArch64 temporarily until
+  we get a real one.
+
+-------------------------------------------------------------------
+Mon Nov  2 06:52:13 UTC 2020 - Gary Ching-Pang Lin <g...@suse.com>
+
+- Add shim-bsc1177315-verify-eku-codesign.patch to check CodeSign
+  in the signer's EKU (bsc#1177315)
+- Add shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch
+  to fix NULL pointer dereference in AuthenticodeVerify()
+  (bsc#1177789, CVE-2019-14584)
+- shim-install: Support changing default shim efi binary in
+  /usr/etc/default/shim and /etc/default/shim (bsc#1177315)
+- Add shim-bsc1177315-fix-buffer-use-after-free.patch to fix buffer
+  use-after-free at the end of the EKU verification (bsc#1177315)
+
+-------------------------------------------------------------------

New:
----
  shim-bsc1177315-fix-buffer-use-after-free.patch
  shim-bsc1177315-verify-eku-codesign.patch
  shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ shim.spec ++++++
--- /var/tmp/diff_new_pack.xUi9NJ/_old  2020-11-05 21:55:23.600120315 +0100
+++ /var/tmp/diff_new_pack.xUi9NJ/_new  2020-11-05 21:55:23.600120315 +0100
@@ -91,6 +91,12 @@
 Patch13:        shim-bsc1177404-fix-a-use-of-strlen.patch
 # PATCH-FIX-UPSTREAM shim-bsc1175509-more-tpm-fixes.patch bsc#1175509 
g...@suse.com -- Fix the file path in tpm event log
 Patch14:        shim-bsc1175509-more-tpm-fixes.patch
+# PATCH-FIX-SUSE shim-bsc1177315-verify-eku-codesign.patch bsc#1177315 
g...@suse.com -- Verify CodeSign in the signer's EKU
+Patch15:        shim-bsc1177315-verify-eku-codesign.patch
+# PATCH-FIX-UPSTREAM 
shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch bsc#1177789 
g...@suse.com -- Fix the NULL pointer dereference in AuthenticodeVerify()
+Patch16:        shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch
+# PATCH-FIX-SUSE shim-bsc1177315-fix-buffer-use-after-free.patch bsc#1177315 
g...@suse.com -- Fix buffer use-after-free at the end of the EKU verification
+Patch17:        shim-bsc1177315-fix-buffer-use-after-free.patch
 # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the 
prompt to ask whether the user trusts openSUSE certificate or not
 Patch100:       shim-opensuse-cert-prompt.patch
 BuildRequires:  gnu-efi >= 3.0.3
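Review bot: The PATCH-FIX-UPSTREAM line for Patch16 does not mention the CVE that the changelog ties this patch to (CVE-2019-14584), so the spec itself cannot be searched for it; suggest `# PATCH-FIX-UPSTREAM shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch bsc#1177789 CVE-2019-14584 g...@suse.com -- Fix the NULL pointer dereference in AuthenticodeVerify()`. Patch17 is tagged PATCH-FIX-SUSE while its own commit message says it is merged from edk2 upstream; if the tag is meant to say where the fix originated rather than whether shim upstream carries it, a short note in the comment would avoid that ambiguity.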
@@ -146,6 +152,9 @@
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
 %if 0%{?is_opensuse} == 1
 %patch100 -p1
 %endif
@@ -186,7 +195,9 @@
        signature=%{SOURCE1}
 %else
        # AArch64 signature
-       signature=%{SOURCE12}
+       # Disable AArch64 signature attachment temporarily
+       # until we get a real one.
+       #signature=%{SOURCE12}
 %endif
     elif test "$suffix" = "sles"; then
        cert=%{SOURCE4}
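Review bot: Commenting out `signature=%{SOURCE12}` leaves `signature` with whatever value it had before this branch on AArch64, possibly empty, and the hunk does not show whether the later step that consumes `$signature` tolerates that; confirm the consumer is guarded, e.g. `if test -n "$signature"; then … fi`, otherwise the build may fail or silently produce a binary with nothing attached. The same applies to the sles branch in the next hunk (`#signature=%{SOURCE13}`). Because the comment says this is temporary, a tracking reference would help it get reverted, e.g. `# TODO(<tracking-bug-placeholder>): re-enable once a real AArch64 signature exists`. The enclosing `if test "$suffix" = …` chain begins and ends outside the hunk.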
@@ -195,7 +206,9 @@
        signature=%{SOURCE11}
 %else
        # AArch64 signature
-       signature=%{SOURCE13}
+       # Disable AArch64 signature attachment temporarily
+       # until we get a real one.
+       #signature=%{SOURCE13}
 %endif
     elif test "$suffix" = "devel"; then
        cert=%{_sourcedir}/_projectcert.crt



++++++ shim-bsc1177315-fix-buffer-use-after-free.patch ++++++
>From 049bf5c1bd83643b9a6e8b7e67ea51ef7076cbc6 Mon Sep 17 00:00:00 2001
From: Gary Lin <g...@suse.com>
Date: Thu, 22 Oct 2020 14:00:04 +0800
Subject: [PATCH] Cryptlib/CryptPkcs7VerifyEku: fix buffer use-after-free

Merge the patch from edk2 upstream:
https://bugzilla.tianocore.org/show_bug.cgi?id=2459

Since SignerCert is actually a part of Pkcs7, PKCS7_free() also fress
SignerCert, so there is no need to free SignerCert.

Signed-off-by: Gary Lin <g...@suse.com>
---
 Cryptlib/Pk/CryptPkcs7VerifyEku.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/Cryptlib/Pk/CryptPkcs7VerifyEku.c 
b/Cryptlib/Pk/CryptPkcs7VerifyEku.c
index d086886..2c172e2 100644
--- a/Cryptlib/Pk/CryptPkcs7VerifyEku.c
+++ b/Cryptlib/Pk/CryptPkcs7VerifyEku.c
@@ -507,10 +507,6 @@ Exit:
     free (SignedData);
   }
 
-  if (SignerCert != NULL) {
-    X509_free (SignerCert);
-  }
-
   if (Pkcs7 != NULL) {
     PKCS7_free (Pkcs7);
   }
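Review bot: After this removal SignerCert is a pointer owned by Pkcs7 (the commit message says PKCS7_free() releases it), but nothing at the Exit label records that, so the X509_free() is easy to reintroduce by a future reader who only sees the non-NULL check on Pkcs7. Suggest a comment where SignerCert is obtained from Pkcs7 (outside this hunk), along the lines of `// SignerCert points into Pkcs7 and is released by PKCS7_free(); do not X509_free() it.` The function and its Exit label begin outside the hunk.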
-- 
2.28.0

++++++ shim-bsc1177315-verify-eku-codesign.patch ++++++
++++ 697 lines (skipped)

++++++ shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch ++++++
>From 928984f771e27d0a64def166bbc5137ce1859fe8 Mon Sep 17 00:00:00 2001
From: Gary Lin <g...@suse.com>
Date: Fri, 16 Oct 2020 15:24:44 +0800
Subject: [PATCH] Cryptlib/CryptAuthenticode: fix NULL pointer dereference in
 AuthenticodeVerify()

Merge the fix from edk2 upstream:
https://bugzilla.tianocore.org/show_bug.cgi?id=1914
https://edk2.groups.io/g/devel/message/66309

Signed-off-by: Gary Lin <g...@suse.com>
---
 Cryptlib/Pk/CryptAuthenticode.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Cryptlib/Pk/CryptAuthenticode.c b/Cryptlib/Pk/CryptAuthenticode.c
index 74e50a2..faa1efd 100644
--- a/Cryptlib/Pk/CryptAuthenticode.c
+++ b/Cryptlib/Pk/CryptAuthenticode.c
@@ -106,7 +106,7 @@ AuthenticodeVerify (
   //
   // Check if it's PKCS#7 Signed Data (for Authenticode Scenario)
   //
-  if (!PKCS7_type_is_signed (Pkcs7)) {
+  if (!PKCS7_type_is_signed (Pkcs7) || PKCS7_get_detached (Pkcs7)) {
     goto _Exit;
   }
 
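Review bot: The comment above the new condition still reads "Check if it's PKCS#7 Signed Data" and does not explain why a detached signature is now rejected, so the extra clause looks arbitrary out of context; suggest extending it to `// Check if it's PKCS#7 Signed Data (for Authenticode Scenario) and that the signed content is attached; a detached signature carries no content to verify and, per the fix this merges, would otherwise dereference a NULL pointer below.` Whether the NULL dereference is in the content access that follows is inferred from the subject line, not visible in the hunk; AuthenticodeVerify() begins and ends outside the hunk.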
-- 
2.28.0

++++++ shim-install ++++++
--- /var/tmp/diff_new_pack.xUi9NJ/_old  2020-11-05 21:55:23.728120028 +0100
+++ /var/tmp/diff_new_pack.xUi9NJ/_new  2020-11-05 21:55:23.728120028 +0100
@@ -25,6 +25,15 @@
 def_grub_efi="${source_dir}/grub.efi"
 def_boot_efi=
 
+[ ! -r /usr/etc/default/shim ] || . /usr/etc/default/shim
+[ ! -r /etc/default/shim ] || . /etc/default/shim
+
+if [ -z "$def_shim_efi" ] ; then
+       def_shim_efi="shim.efi"
+fi
+
+source_shim_efi="${source_dir}/${def_shim_efi}"
+
 if [ x${arch} = xx86_64 ] ; then
        grub_install_target="x86_64-efi"
        def_boot_efi="bootx64.efi"
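Review bot: `def_shim_efi` is read from a sourced configuration file and used unchecked to build `source_shim_efi="${source_dir}/${def_shim_efi}"`, so a value containing a `/` or `..` component selects a file outside `source_dir`, and a mistyped name is only discovered when the `cp` in the later hunk fails. Since the value is meant to be a bare file name under `source_dir`, reject anything else and check the file is readable before the copies run; the script is POSIX sh (`test`, `[ x${arch} = … ]`), so a `case` is the portable form. Whether the script aborts on a failed `cp` is not visible here, which is why an explicit check up front seems worthwhile. The top-level variable setup continues outside the hunk.
```shell
if [ -z "$def_shim_efi" ] ; then
    def_shim_efi="shim.efi"
fi

# def_shim_efi must be a plain file name inside source_dir
case "$def_shim_efi" in
    */*|.|..)
        echo "invalid def_shim_efi in /etc/default/shim: '$def_shim_efi'" >&2
        exit 1 ;;
esac

source_shim_efi="${source_dir}/${def_shim_efi}"
if [ ! -r "$source_shim_efi" ] ; then
    echo "shim binary not found: $source_shim_efi" >&2
    exit 1
fi
```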
@@ -288,14 +297,14 @@
 cp "$source_grub_efi" "${efidir}/grub.efi"
 
 if test "$efidir" != "$efibootdir" ; then 
-    cp "${source_dir}/shim.efi" "${efidir}"
+    cp "${source_shim_efi}" "${efidir}/shim.efi"
     if test -n "$bootloader_id"; then
         echo "shim.efi,${bootloader_id}" | iconv -f ascii -t ucs2 > 
"${efidir}/boot.csv"
     fi
 fi
 
 if test "$update_boot" = "yes"; then
-    cp "${source_dir}/shim.efi" "${efibootdir}/${def_boot_efi}"
+    cp "$source_shim_efi" "${efibootdir}/${def_boot_efi}"
     if test "$removable" = "no"; then
         cp "${source_dir}/fallback.efi" "${efibootdir}"
         # bsc#1175626, bsc#1175656 Since shim 15, loading MokManager becomes
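Review bot: The two new copy lines spell the same variable differently, `"${source_shim_efi}"` in the first and `"$source_shim_efi"` in the second, which reads as if they were intended to differ; pick one form, e.g. `cp "${source_shim_efi}" "${efibootdir}/${def_boot_efi}"`, to match the surrounding `${…}` usage. The first copy installing under the fixed name `shim.efi` regardless of the configured source name is what keeps the `boot.csv` entry valid, which may be worth a one-line comment since the old code made that implicit.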


