import shim-unsigned-x64-15.6-1.el8

2022-09-27 17:31:17 -04:00 · 2022-09-27 17:31:17 -04:00 · 470511cdb9
parent 26cc36cffc
commit 470511cdb9
8 changed files with 82 additions and 138 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/shim-15.4.tar.bz2
+SOURCES/shim-15.6.tar.bz2
--- a/.shim-unsigned-x64.metadata
+++ b/.shim-unsigned-x64.metadata
@ -1 +1 @@
-d70485792a300bfa66f551adf7ae766451dfe7c0 SOURCES/shim-15.4.tar.bz2
+3df0ab5cefc74fdf865cb36aea0e923cb4b6b3ed SOURCES/shim-15.6.tar.bz2
--- a/SOURCES/0001-Fix-a-broken-file-header-on-ia32.patch
+++ b/SOURCES/0001-Fix-a-broken-file-header-on-ia32.patch
@ -1,32 +0,0 @@
-From 1bea91ba72165d97c3b453cf769cb4bc5c07207a Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Wed, 31 Mar 2021 14:54:52 -0400
-Subject: [PATCH] Fix a broken file header on ia32
-
-Commit c6281c6a195edee61185 needs to have included a ". = ALIGN(4096)"
-directive before .reloc, but fails to do so.
-
-As a result, binutils, which does not care about the actual binary
-format's constraints in any way, does not enforce the section alignment,
-and it will not load.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
---
- elf_ia32_efi.lds | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/elf_ia32_efi.lds b/elf_ia32_efi.lds
-index 742e0a47a73..497a3a15265 100644
--- a/elf_ia32_efi.lds
-+++ b/elf_ia32_efi.lds
-@@ -15,6 +15,7 @@ SECTIONS
-    *(.gnu.linkonce.t.*)
-    _etext = .;
-   }
-+  . = ALIGN(4096);
-   .reloc :
-   {
-    *(.reloc)
-- 
-2.30.2
-
--- a/SOURCES/dbx.esl
+++ b/SOURCES/dbx.esl
--- a/SOURCES/sbat.redhat.csv
+++ b/SOURCES/sbat.redhat.csv
@ -1 +1 @@
-shim.redhat,1,Red Hat,shim,15.4-4,secalert@redhat.com
+shim.redhat,1,Red Hat Inc,shim,15.5,secalert@redhat.com
--- a/SOURCES/shim-find-debuginfo.sh
+++ b/SOURCES/shim-find-debuginfo.sh
@ -20,9 +20,9 @@ fi
 findsource()
 {
    (
-        cd "${RPM_BUILD_ROOT}"
-        find usr/src/debug/ -type d | sed -e "s,^,%dir /," | sort -u | tac
-        find usr/src/debug/ -type f | sed -e "s,^,/," | sort -u | tac
+        cd ${RPM_BUILD_ROOT}
+        find usr/src/debug/ -type d | sed "s,^,%dir /,"
+        find usr/src/debug/ -type f | sed "s,^,/,"
    )
 }

@ -32,12 +32,9 @@ finddebug()
    declare -a dirs=()
    declare -a files=()
    declare -a excludes=()
-    declare -a tmp=()

-    pushd "${RPM_BUILD_ROOT}" >/dev/null 2>&1
-
-    mapfile -t tmp < <(find usr/lib/debug/ -type f -iname "*.efi.debug")
-    for x in "${tmp[@]}" ; do
+    pushd ${RPM_BUILD_ROOT} >/dev/null 2>&1
+    for x in $(find usr/lib/debug/ -type f -iname *.efi.debug); do
        if ! [ -e "${x}" ]; then
            break
        fi
@ -60,10 +57,8 @@ finddebug()
            excludes[${#excludes[@]}]=${x%%.debug}
        fi
    done
-    for x in "${files[@]}" ; do
-        declare name
-
-        name=$(dirname "/${x}")
+    for x in ${files[@]} ; do
+        declare name=$(dirname /${x})
        while [ "${name}" != "/" ]; do
            case "${name}" in
            "/usr/lib/debug"|"/usr/lib"|"/usr")
@ -72,24 +67,24 @@ finddebug()
                dirs[${#dirs[@]}]=${name}
                ;;
            esac
-            name=$(dirname "${name}")
+            name=$(dirname ${name})
        done
    done

    popd >/dev/null 2>&1
-    for x in "${dirs[@]}" ; do
+    for x in ${dirs[@]} ; do
        echo "%dir ${x}"
    done | sort | uniq
-    for x in "${files[@]}" ; do
+    for x in ${files[@]} ; do
        echo "/${x}"
    done | sort | uniq
-    for x in "${excludes[@]}" ; do
+    for x in ${excludes[@]} ; do
        echo "%exclude /${x}"
    done
 }

-findsource > "build-${mainarch}/debugsource.list"
-finddebug "${mainarch}" > "build-${mainarch}/debugfiles.list"
+findsource > build-${mainarch}/debugsource.list
+finddebug ${mainarch} > build-${mainarch}/debugfiles.list
 if [ -v altarch ]; then
-    finddebug "${altarch}" > "build-${altarch}/debugfiles.list"
+    finddebug ${altarch} > build-${altarch}/debugfiles.list
 fi
--- a/SOURCES/shim.patches
+++ b/SOURCES/shim.patches
--- a/SPECS/shim-unsigned-x64.spec
+++ b/SPECS/shim-unsigned-x64.spec
@ -1,6 +1,13 @@
 %global pesign_vre 0.106-1
+%global gnuefi_vre 1:3.0.5-6
 %global openssl_vre 1.0.2j

+%global debug_package %{nil}
+%global __debug_package 1
+%global _binaries_in_noarch_packages_terminate_build 0
+%global __debug_install_post %{SOURCE100} x64 ia32
+%undefine _debuginfo_subpackages
+
 %global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
 %global shimrootdir %{_datadir}/shim/
 %global shimversiondir %{shimrootdir}/%{version}-%{release}
@ -9,32 +16,24 @@
 %global efialtarch ia32
 %global shimaltdir %{shimversiondir}/%{efialtarch}

-%global debug_package %{nil}
-%global __debug_package 1
-%global _binaries_in_noarch_packages_terminate_build 0
-%global __debug_install_post %{SOURCE100} %{efiarch} %{efialtarch}
-%undefine _debuginfo_subpackages
-
-# currently here's what's in our dbx: nothing
-%global dbxfile %{nil}
-
 Name:		shim-unsigned-%{efiarch}
-Version:	15.4
-Release:	4%{?dist}
+Version:	15.6
+Release:	1.el8
 Summary:	First-stage UEFI bootloader
 ExclusiveArch:	x86_64
 License:	BSD
 URL:		https://github.com/rhboot/shim
 Source0:	https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
 Source1:	redhatsecurebootca5.cer
-%if 0%{?dbxfile}
-Source2:	%{dbxfile}
-%endif
+# currently here's what's in our dbx:
+# nothing.
+Source2:	dbx.esl
 Source3:	sbat.redhat.csv
+Source4:	shim.patches

 Source100:	shim-find-debuginfo.sh

-Patch0001:	0001-Fix-a-broken-file-header-on-ia32.patch
+%include %{SOURCE4}

 BuildRequires:	gcc make
 BuildRequires:	elfutils-libelf-devel
@ -68,6 +67,7 @@ Provides:	bundled(openssl) = %{openssl_vre}

 %package debuginfo
 Summary:	Debug information for shim-unsigned-%{efiarch}
+Requires:	%{name}-debugsource = %{version}-%{release}
 Group:		Development/Debug
 AutoReqProv:	0
 BuildArch:	noarch
@ -78,6 +78,7 @@ BuildArch:	noarch
 %package -n shim-unsigned-%{efialtarch}-debuginfo
 Summary:	Debug information for shim-unsigned-%{efialtarch}
 Group:		Development/Debug
+Requires:	%{name}-debugsource = %{version}-%{release}
 AutoReqProv:	0
 BuildArch:	noarch

@ -94,7 +95,7 @@ BuildArch:	noarch
 %debug_desc

 %prep
-%autosetup -S git -n shim-%{version}
+%autosetup -S git_am -n shim-%{version}
 git config --unset user.email
 git config --unset user.name
 mkdir build-%{efiarch}
@ -107,14 +108,12 @@ MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
 MAKEFLAGS+="ENABLE_SHIM_HASH=true "
 MAKEFLAGS+="%{_smp_mflags}"
-if [ -f "%{SOURCE1}" ]; then
+if [ -s "%{SOURCE1}" ]; then
 	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
 fi
-%if 0%{?dbxfile}
-if [ -f "%{SOURCE2}" ]; then
+if [ -s "%{SOURCE2}" ]; then
 	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
 fi
-%endif

 cd build-%{efiarch}
 make ${MAKEFLAGS} \
@ -123,8 +122,7 @@ make ${MAKEFLAGS} \
 cd ..

 cd build-%{efialtarch}
-setarch linux32 -B make ${MAKEFLAGS} \
-	ARCH=%{efialtarch} \
+setarch linux32 -B make ${MAKEFLAGS} ARCH=%{efialtarch} \
 	DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
 	all
 cd ..
@ -133,15 +131,13 @@ cd ..
 COMMITID=$(cat commit)
 MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
-MAKEFLAGS+="ENABLE_SHIM_HASH=true "
-if [ -f "%{SOURCE1}" ]; then
+MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
+if [ -s "%{SOURCE1}" ]; then
 	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
 fi
-%if 0%{?dbxfile}
-if [ -f "%{SOURCE2}" ]; then
+if [ -s "%{SOURCE2}" ]; then
 	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
 fi
-%endif

 cd build-%{efiarch}
 make ${MAKEFLAGS} \
@ -151,8 +147,7 @@ make ${MAKEFLAGS} \
 cd ..

 cd build-%{efialtarch}
-setarch linux32 make ${MAKEFLAGS} \
-	ARCH=%{efialtarch} \
+setarch linux32 make ${MAKEFLAGS} ARCH=%{efialtarch} \
 	DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
 	DESTDIR=${RPM_BUILD_ROOT} \
 	install-as-data install-debuginfo install-debugsource
@ -163,18 +158,18 @@ cd ..
 %dir %{shimrootdir}
 %dir %{shimversiondir}
 %dir %{shimdir}
+%{shimdir}/*.CSV
 %{shimdir}/*.efi
 %{shimdir}/*.hash
-%{shimdir}/*.CSV

 %files -n shim-unsigned-%{efialtarch}
 %license COPYRIGHT
 %dir %{shimrootdir}
 %dir %{shimversiondir}
 %dir %{shimaltdir}
+%{shimaltdir}/*.CSV
 %{shimaltdir}/*.efi
 %{shimaltdir}/*.hash
-%{shimaltdir}/*.CSV

 %files debuginfo -f build-%{efiarch}/debugfiles.list

@ -183,63 +178,49 @@ cd ..
 %files debugsource -f build-%{efiarch}/debugsource.list

 %changelog
-* Thu Apr 01 2021 Peter Jones <pjones@redhat.com> - 15.4-4
- Fix the sbat data to actually match /this/ product.
-  Resolves: CVE-2020-14372
-  Resolves: CVE-2020-25632
-  Resolves: CVE-2020-25647
-  Resolves: CVE-2020-27749
-  Resolves: CVE-2020-27779
-  Resolves: CVE-2021-20225
-  Resolves: CVE-2021-20233
+* Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 15.6-1.el8
+- Update to shim-15.6
+  Resolves: CVE-2022-28737

-* Wed Mar 31 2021 Peter Jones <pjones@redhat.com> - 15.4-3
- Build with the correct certificate trust list for this OS.
-  Resolves: CVE-2020-14372
-  Resolves: CVE-2020-25632
-  Resolves: CVE-2020-25647
-  Resolves: CVE-2020-27749
-  Resolves: CVE-2020-27779
-  Resolves: CVE-2021-20225
-  Resolves: CVE-2021-20233
+* Thu Sep 17 2020 Peter Jones <pjones@redhat.com> - 15-9.el8
+- Fix an incorrect allocation size.
+  Related: rhbz#1877253

-* Wed Mar 31 2021 Peter Jones <pjones@redhat.com> - 15.4-2
- Fix the ia32 build.
-  Resolves: CVE-2020-14372
-  Resolves: CVE-2020-25632
-  Resolves: CVE-2020-25647
-  Resolves: CVE-2020-27749
-  Resolves: CVE-2020-27779
-  Resolves: CVE-2021-20225
-  Resolves: CVE-2021-20233
+* Thu Jul 30 2020 Peter Jones <pjones@redhat.com> - 15-8
+- Fix a load-address-dependent forever loop.
+  Resolves: rhbz#1861977
+  Related: CVE-2020-10713
+  Related: CVE-2020-14308
+  Related: CVE-2020-14309
+  Related: CVE-2020-14310
+  Related: CVE-2020-14311
+  Related: CVE-2020-15705
+  Related: CVE-2020-15706
+  Related: CVE-2020-15707

-* Tue Mar 30 2021 Peter Jones <pjones@redhat.com> - 15.4-1
- Update to shim 15.4
-  - Support for revocations via the ".sbat" section and SBAT EFI variable
-  - A new unit test framework and a bunch of unit tests
-  - No external gnu-efi dependency
-  - Better CI
-  Resolves: CVE-2020-14372
-  Resolves: CVE-2020-25632
-  Resolves: CVE-2020-25647
-  Resolves: CVE-2020-27749
-  Resolves: CVE-2020-27779
-  Resolves: CVE-2021-20225
-  Resolves: CVE-2021-20233
+* Sat Jul 25 2020 Peter Jones <pjones@redhat.com> - 15-7
+- Implement Lenny's workaround
+  Related: CVE-2020-10713
+  Related: CVE-2020-14308
+  Related: CVE-2020-14309
+  Related: CVE-2020-14310
+  Related: CVE-2020-14311

-* Wed Mar 24 2021 Peter Jones <pjones@redhat.com> - 15.3-0~1
- Update to shim 15.3
-  - Support for revocations via the ".sbat" section and SBAT EFI variable
-  - A new unit test framework and a bunch of unit tests
-  - No external gnu-efi dependency
-  - Better CI
-  Resolves: CVE-2020-14372
-  Resolves: CVE-2020-25632
-  Resolves: CVE-2020-25647
-  Resolves: CVE-2020-27749
-  Resolves: CVE-2020-27779
-  Resolves: CVE-2021-20225
-  Resolves: CVE-2021-20233
+* Fri Jul 24 2020 Peter Jones <pjones@redhat.com> - 15-5
+- Once more with the MokListRT config table patch added.
+  Related: CVE-2020-10713
+  Related: CVE-2020-14308
+  Related: CVE-2020-14309
+  Related: CVE-2020-14310
+  Related: CVE-2020-14311
+
+* Thu Jul 23 2020 Peter Jones <pjones@redhat.com> - 15-4
+- Rebuild for bug fixes and new signing keys
+  Related: CVE-2020-10713
+  Related: CVE-2020-14308
+  Related: CVE-2020-14309
+  Related: CVE-2020-14310
+  Related: CVE-2020-14311

 * Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-3
 - Make EFI variable copying fatal only on secureboot enabled systems