From 7b7c17dc74ba3f474269442ce55c175255f41408 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Fri, 17 Jun 2022 16:15:44 +0300
Subject: [PATCH] AlmaLinux chages
---
...001-Fix-a-broken-file-header-on-ia32.patch | 32 ------------------
SOURCES/clsecureboot001.cer | Bin 0 -> 1561 bytes
SOURCES/redhatsecurebootca5.cer | Bin 920 -> 0 bytes
SOURCES/sbat.cloudlinux.csv | 1 +
SOURCES/sbat.redhat.csv | 1 -
SPECS/shim-unsigned-x64.spec | 11 +++---
6 files changed, 8 insertions(+), 37 deletions(-)
delete mode 100644 SOURCES/0001-Fix-a-broken-file-header-on-ia32.patch
create mode 100644 SOURCES/clsecureboot001.cer
delete mode 100644 SOURCES/redhatsecurebootca5.cer
create mode 100644 SOURCES/sbat.cloudlinux.csv
delete mode 100644 SOURCES/sbat.redhat.csv
diff --git a/SOURCES/0001-Fix-a-broken-file-header-on-ia32.patch b/SOURCES/0001-Fix-a-broken-file-header-on-ia32.patch
deleted file mode 100644
index 1fbcb33..0000000
--- a/SOURCES/0001-Fix-a-broken-file-header-on-ia32.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 1bea91ba72165d97c3b453cf769cb4bc5c07207a Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 31 Mar 2021 14:54:52 -0400
-Subject: [PATCH] Fix a broken file header on ia32
-
-Commit c6281c6a195edee61185 needs to have included a ". = ALIGN(4096)"
-directive before .reloc, but fails to do so.
-
-As a result, binutils, which does not care about the actual binary
-format's constraints in any way, does not enforce the section alignment,
-and it will not load.
-
-Signed-off-by: Peter Jones
----
- elf_ia32_efi.lds | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/elf_ia32_efi.lds b/elf_ia32_efi.lds
-index 742e0a47a73..497a3a15265 100644
---- a/elf_ia32_efi.lds
-+++ b/elf_ia32_efi.lds
-@@ -15,6 +15,7 @@ SECTIONS
- *(.gnu.linkonce.t.*)
- _etext = .;
- }
-+ . = ALIGN(4096);
- .reloc :
- {
- *(.reloc)
---
-2.30.2
-
diff --git a/SOURCES/clsecureboot001.cer b/SOURCES/clsecureboot001.cer new file mode 100644 index 0000000000000000000000000000000000000000..ca9ce5d92a13320a2995ed90f173ea719a132d8f GIT binary patch literal 1561 zcmZ`(Yfuwc6wXbS1jzzo5X>OBh=_zHxtj+9!bnI+p+=zweAJF{O%_-i65K3=V6`P` zg!+Oiw$+NM3{cvRbwp7M9c2G4W9CPDY!P9nY%kz?r;WtSRH=h8 zU|e*l3WsV{DvoP4TGbnDs9{5GAcS5Z!6h(4C{7Uq1bAm>@_|6YFE-;+7(G78M}rNd zop2L0iATV2PECX)*l5Dk>U3O<$HA#wY63bL*TU2^EXQ6+VmX8d(^It7PU5jJhO385 zA`5A%ieN~rfG#CiV@9QqDqzb&l8`jD9Hy((P@^7aCo5+n4C4+6Mny(D>xqpR~zVhEx6umhZ5RVFal3r5M(h>Ej0sf_MTi2%d}hSB1Z;Kcx_Vo?>QeGcGz_P@TPE#k$jU}t{ z=C4WMHPazOp*1PT3fm+ruI6lS_~q`^8L{y-bu+Gf%@__g=3FU^|HN|Z8E=KQmHrw0 zI*CrQY%Us>cb>W=8$P+bYgw+q?~#eYnR*Y9;aJhXnxTwk!v=F7YKwQfz8bV zV01@f!?{5q0>0>7n9VhhK+@rCzjllgEbu48Bs8(uEH~tubc=NhbLDzdL9qcd0ymIeCpOTfNz>=FRp+_ZMjPwTEfKR;4GdG@D`O}rr^ zO(!d6#<-~YhKw(p3S9X|dM{X}bRc;161eWzPCUA!^tNx{O73;zPg)%xE6 literal 0 HcmV?d00001 diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer deleted file mode 100644 index dfb0284954861282d1a0ce16c8c5cdc71c27659f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 920 zcmXqLVxD5q#8k6@nTe5!iIbtZm{+@~;bN2lFB_*;n@8JsUPeZ4RtAH3LoovpHs(+k zE*{>X)D#7e#1b6^&%9(kLq!95kT^4s1XNrhI5oMnC{@8JKfgr5*-^pNP{}|6ZW6NxP$#b?ru1p1aqn$3D)YB{Qqo zjCvjz?|=HkE#3AN-xTZpws*U~)f@DZ{t~uwMZy8<;F%jD%$u6!n#qYzp^Sryh{C;x9qf@!N=T4ui@b#({ zSD&^p3kNZ=9lAQ9%xdfP9doNToV+k2^LHOFD{5oE&78StJa^8n7$i2k94PWc<&xr*# z`sciS&XK#@>h!OC8{=mczNLHbADCJ+pE=-CsaDOF#s}?5Q)1qq&%R~#cz>QmiAiVx zk5XXYstAL9d+iK-w@u$FESybMIPOFY~9lmn~9nUf%vMc88@((p0B(#qL+!COmt7`j5IhPVzo{cRPw} Pd!}BnFF!b8N6JS4>O*3Z diff --git a/SOURCES/sbat.cloudlinux.csv b/SOURCES/sbat.cloudlinux.csv new file mode 100644 index 0000000..606757e --- /dev/null +++ b/SOURCES/sbat.cloudlinux.csv @@ -0,0 +1 @@ +shim.cloudlinux,2,CloudLinux,shim,15.6,security@cloudlinux.com diff --git a/SOURCES/sbat.redhat.csv b/SOURCES/sbat.redhat.csv deleted file mode 100644 index 2135543..0000000 
--- a/SOURCES/sbat.redhat.csv +++ /dev/null @@ -1 +0,0 @@ -shim.redhat,1,Red Hat Inc,shim,15.5,secalert@redhat.com diff --git a/SPECS/shim-unsigned-x64.spec b/SPECS/shim-unsigned-x64.spec index 6064d69..feb75a3 100644 --- a/SPECS/shim-unsigned-x64.spec +++ b/SPECS/shim-unsigned-x64.spec @@ -1,7 +1,7 @@ %global pesign_vre 0.106-1 %global openssl_vre 1.0.2j -%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/')) +%global efidir almalinux %global shimrootdir %{_datadir}/shim/ %global shimversiondir %{shimrootdir}/%{version}-%{release} %global efiarch x64 @@ -20,17 +20,17 @@ Name: shim-unsigned-%{efiarch} Version: 15.6 -Release: 1.el9 +Release: 1.el9.alma Summary: First-stage UEFI bootloader ExclusiveArch: x86_64 License: BSD URL: https://github.com/rhboot/shim Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2 -Source1: redhatsecurebootca5.cer +Source1: clsecureboot001.cer %if 0%{?dbxfile} Source2: %{dbxfile} %endif -Source3: sbat.redhat.csv +Source3: sbat.cloudlinux.csv Source4: shim.patches Source100: shim-find-debuginfo.sh @@ -158,6 +158,9 @@ cd .. %files debugsource -f build-%{efiarch}/debugsource.list %changelog +* Fri Jun 17 2022 Eduard Abdullin - 15.6-1.el9.alma +- Use CloudLinux vendor cert and SBAT entry + * Wed Jun 01 2022 Peter Jones - 15.6-1.el9 - Update to shim-15.6 Resolves: CVE-2022-28737
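Review bot: `%global efidir almalinux` in the `@@ -1,7 +1,7 @@` hunk of the spec is a bare constant with no comment saying what it has to stay in sync with. The removed macro derived the name from `/etc/os-release` on the build host, so pinning it makes the build more reproducible, but the reason for pinning is now undocumented. I would add a comment above it such as `# Pinned, not read from the build host; must match the EFI vendor directory used by the signed shim and bootloader packages`. Which packages consume the value is not visible in this hunk, so the wording should be adjusted to the actual consumers.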
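Review bot: The `Source1:` line in the `@@ -20,17 +20,17 @@` hunk switches to `clsecureboot001.cer`, a binary file added by this commit, and nothing in the spec or the new changelog entry records which certificate it is. Presumably this file is the vendor certificate built into shim (the build step is outside the hunk), which would make it the trust anchor for everything shim loads, so a reviewer needs a way to check it without decoding the blob. I would add a comment above `Source1:` such as `# Vendor certificate: subject <CERT_SUBJECT>, SHA-256 fingerprint <CERT_SHA256>` and have `%prep` compare the file against that fingerprint. The same hunk points `Source3:` at `sbat.cloudlinux.csv`, whose entry names the component `shim.cloudlinux` while `efidir` and `Release` are branded AlmaLinux; a comment stating that SBAT revocation for this build is keyed on `shim.cloudlinux` would keep that from looking like an oversight.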