From 95f451bef7a85c3007bd41e5deb65c89725df4e3 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Sat, 2 Dec 2023 11:56:29 -0500 Subject: [PATCH] Update to shim-15.8 for CVE-2023-40547 Resolves: RHEL-56466 Signed-off-by: Peter Jones Signed-off-by: Nicolas Frayer --- redhatsecurebootca8.cer | Bin 0 -> 1400 bytes sbat.redhat.csv | 2 +- shim-unsigned-x64.spec | 14 ++++++++++---- sources | 2 +- vendordb.esl | Bin 0 -> 2408 bytes 5 files changed, 12 insertions(+), 6 deletions(-) create mode 100644 redhatsecurebootca8.cer create mode 100644 vendordb.esl diff --git a/redhatsecurebootca8.cer b/redhatsecurebootca8.cer new file mode 100644 index 0000000000000000000000000000000000000000..75bc46b077318bddb19752c3f1ea23c9e9b4add4 GIT binary patch literal 1400 zcmXqLVl6RfVvbqB%*4pV#L2Mtxs0t>V~MK)FB_*;n@8JsUPeZ4Rt5uiLq!95Hs(+k zW*&*4)D#7e#1e(z)a25lR0XH}{1OFcM+FN*B?ASxE>1=<;o{Wf#GKTk5{IJHl#Ij@ zz2y8{137VCBV$8DV*^7=V-sV`C~;n63j;$#3n-U*7Bw*`A$x+6m4Ug5iJ!rsiHVD; ziHVWnl+bRc3xcb~wko}sZ9hL{_EMJJD`Z4tcfN0WYn&*qBELsXID%zg zT;`b8dpq*t2bMnG_{s|rU-<59TO_o$y!z=S%g@SBrA*ZB|65mnZ%t≥xbVqpNd& z8ky!ildDYIvAz6WXm#3o*)-F6#jB%#Y1}zsC~TIy!0Y&QhN)qf*<&gjw>m#b4T!M# zw5$1)A>$$Gci+DLcKKD;Tzq=#+IONtv$9U`F~-hlV%%g<_Pu_V@}cGIQR^Cuz9lf; zZEF?W78j%zbgE|gNu4{pHD?Cj5o&gNT`rln%Dr>5Md<2;5C)%=M3(OwQ$9Sjj5uy- zZ+uTPdEcLtC8~Q%%kvqsZNKq+2{+ntVDG_jwzS3{(ej3^efN{otM>JjN0lmTI6C`& znw5Q`_?F^_SJ5B=8~DVuKO z_y4}6PV%PPr-tKtO=^bs`@g=6mnis}@#YZwx%teCeM6F0Y|g2*e#C6__MYbBT2*Zk zey-&&&V1(-ifDEdvf7%;$aweIsRzaT81i@9SF3Jcxzy18ul)m7_Sutj*1GtgT={$D z@jJV9m&S`0C7)kj&UpIX$Na^ob@w+0X3br_^)&y#{F4geI+MzFrB{fi|I2(7@b=5v zBAFdeC(19NfLjVm>C%u7bhDe8t?&3RKR?Jo7GSn&Lr#Xk zyaY^!j10@?PrAZ*c1`i+9|n^|>sD{QBRZ+rysGNlmiD7hGd7gPyZ0B(j_HeM-g0GG zCCi_UstNW?FES(ozd8O;Fnhi=aKQnW$zEntI+C^PmcC<{!D(;$r@lCA(GgZlo(Ic1 zj=5}~tlD$w4oAL`t61lD_Z_gX-Ojhp(fFvLLlCoP16#;~Q|FxuB)aEl zMe_IiUz#Ug`XGN%{GO^g>$wgHrA%7Tdvc@J;&R{V?7OC$%@+C8Xzv_zifyk*d9!nt zeTUjX?SmBo;any0a?fop6~uJwDk{3YeHAMH*#A!BY5!j_jz?1B&OQ7WvB5l{+>>`% zjL2b?o!TEIp7*kT{5{{QCdJ78#IIfPs;S3xKKpn-Ug3CsR?N??2E!L`Pukt$UH>6l zG3iqB0f))T5oP*!r+&9+f7rP(@6iqucCW}^8gGODkdCpPj;2v=@?`aMuh)!1KdYWBV2b=3?19};KzdVg=x8umtmm*oqe zDlE#m)?vQX>wEj0y&4B{qRN9$q+I@du7BS3=2qpc`=@s7D=Gb@_fp|%_`|k$ryJL^ zoiw>1u_#!{dA4KRubv5OGEQ1t2+#VE`>?0jUhjanC~06|G(Sx dZ_ms6sEcy`V(AecexlXuYp?Y%Z0AVJ1OS#ZUy}d; literal 0 HcmV?d00001 diff --git a/sbat.redhat.csv b/sbat.redhat.csv index 2135543..be9e036 100644 --- a/sbat.redhat.csv +++ b/sbat.redhat.csv @@ -1 +1 @@ -shim.redhat,1,Red Hat Inc,shim,15.5,secalert@redhat.com +shim.redhat,3,Red Hat Inc,shim,15.8,secalert@redhat.com diff --git a/shim-unsigned-x64.spec b/shim-unsigned-x64.spec index 6064d69..b8099ad 100644 --- a/shim-unsigned-x64.spec +++ b/shim-unsigned-x64.spec @@ -19,14 +19,14 @@ %global dbxfile %{nil} Name: shim-unsigned-%{efiarch} -Version: 15.6 +Version: 15.8 Release: 1.el9 Summary: First-stage UEFI bootloader ExclusiveArch: x86_64 License: BSD URL: https://github.com/rhboot/shim Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2 -Source1: redhatsecurebootca5.cer +Source1: vendordb.esl %if 0%{?dbxfile} Source2: %{dbxfile} %endif @@ -107,9 +107,10 @@ COMMITID=$(cat commit) MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " MAKEFLAGS+="ENABLE_SHIM_HASH=true " +MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 " MAKEFLAGS+="%{_smp_mflags}" if [ -f "%{SOURCE1}" ]; then - MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" + MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=%{SOURCE1}" fi %if 0%{?dbxfile} if [ -f "%{SOURCE2}" ]; then @@ -128,8 +129,9 @@ COMMITID=$(cat commit) MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " MAKEFLAGS+="ENABLE_SHIM_HASH=true " +MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 " if [ -f "%{SOURCE1}" ]; then - MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" + MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=%{SOURCE1}" fi %if 0%{?dbxfile} if [ -f "%{SOURCE2}" ]; then @@ -158,6 +160,10 @@ cd .. %files debugsource -f build-%{efiarch}/debugsource.list %changelog +* Tue Jan 23 2024 Peter Jones - 15.8-1.el9 +- Update to shim-15.8 for CVE-2023-40547 + Resolves: RHEL-56466 + * Wed Jun 01 2022 Peter Jones - 15.6-1.el9 - Update to shim-15.6 Resolves: CVE-2022-28737 diff --git a/sources b/sources index bcb0302..5428b75 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (shim-15.6.tar.bz2) = ddc5d5234851d05ed7124ad748ad3fee2df8a335493948a045653322c873f3f055d34894aeb2ac7495086984ca62183907d341e46e6bdf108856e39c646455fc +SHA512 (shim-15.8.tar.bz2) = 30b3390ae935121ea6fe728d8f59d37ded7b918ad81bea06e213464298b4bdabbca881b30817965bd397facc596db1ad0b8462a84c87896ce6c1204b19371cd1 diff --git a/vendordb.esl b/vendordb.esl new file mode 100644 index 0000000000000000000000000000000000000000..8991b3eae876999d4e8eaefa3087bf84c23e68c0 GIT binary patch literal 2408 zcmcJQc|6qn8pr21o9s91)Ct2Ju88{^gDgp7jgtKs8l*AEHZ?O$D9lWDA~^A zVN^2Oj6$KK&GBeGtO|(!eKlb~PMSt0`2>@x^aE6~Z-5V7n?wl#73IZsKu{kv1P!oy zIDHR!ahw5&#TtBe|NjSI0V;pIG=PA>Sb!u1WC0>j763rH8{gvPcQK0-h1-e;Dh1Bk zR|=ZfjMei&ry|h>h@^f88^2V^leHoH4&DkcAhc^MzU|2}2(lh(%zU&0nP!x^ofyT} zJI)`hsDRA(O(wiq6l|8D+q;k=~e&^fC~KfYSv(2vQX*0!A! zhs|Z_mm-lmsbjddsTC`KleZGt#%(6UDN8Y6s-=tQ)e(%I$0Zu#$JlAI%uXS24=w(t zR%y9@xgFE5fN9MYF#2Xh@CkGBDVNz20X_nH@ zBd-lkor6g`L6P?dGs2BH&l|2p-sJV>o>)y22NvU?FaQFSI)jd&!sdG`NWkUbGEXUG z)9L|@Hb=7ZS^`8bScG3LO#ihV6fkfUC>Q(Z36fj$r2$|AjsRhs=8t9H?6u9Z0}zF2 zFS9_ur_}vjbd1 zWj|UIl<_HB;o>CuifPnhh+|#FrJ>NR|>L%FwTV_D3u zHTHR=yLLfn+rs__JL!I^*~y-5%6Fyn3jJ52`DRLoC597eXH#=}O&RSO4ZiP-zhL+( z;x~p9H|^I9Bj}qP6aUF@%k(Z2TPEG|i@Ji=|Cv>T|C&`C7K;P1hB#fE;qR<|cK>%9 zv7lcw3Eg56y2&IIfOJYVne}e3lH;hnQ%LB^&MSjAUE3w=dG8%-2InLHtx~g^Gy&e~ zKHFqXIknc@zwP_;Ke<1fgQtmmNAwaFB=~nrq^cQFQ+n5mt*YNP8ljFB7eZ2M@T znMYM2A9eJCe^!j}Yp7?8xJLQ)DER3W(5j9K)cGA)Y5kBQ+b0(xIp6gQ5hIu!^GUJ; z!Qew9yAuoC|7Lb+an(W)&8Bs6s%K@TE(dl<0G_!l;1(FZ9CI0Sze32PhDlvI1`Nl? zZNKZ~q~_Flrh>PJ-?aOZGhd2r_IJh(zw6dXw+&pYj=4Y%`})9_)wAcu4GB*SO>rZ; zNv&%uyJXlB>%|PRE9?wMjdZ%_u+C-2kqtd z?qm4UrtqjJ_YKQ{nlpm7?@uBR#snQotcr{6K7R5Wh6x^UO!zHmLjmN zq>MOZ02qGUIYw)RP?}7mRO>6tu-2bU#}Gn!S;5s7_Pol~$|w9Ltuk*}DygS}0d$SL zr<8VSwJ{w7uT*imB-bfCwEUjT@J9dBvi|EQUOCJxR8w~~OkGea(TFIM^2{B)q3;%+ znu+@Kn3?)r;1^n7N4SNmMbzlqeJCP-|Fl;oC3!8gCg z_%B$3ZFOHoVdenv!wp*h3YaMyUB%(cX43XXMt0vxcr+DoGu+!cotj5X^M>6SD35@z z)u|pcg}x3zIWFN>(E8IH$0DvpmaTqvB1tp4Y!;F$Y^t{wLklc zD^Bn0J4sB@QdYK_dFv`aVb5oF*$asHhrV9jj&+Bi(OZ@Lc+dRdLlf8V&o2`{CdXo5&+zuY6tA5NQa;{C;vUGt5W@d9oU?3@ zFrHKw`l>-!$ktt;KI6PbVc{Uhxf8FHh?d{Q>b7^E`eAj(rd341Q46 zPc1vDsp9MvbAm=_HBrSI_vPV>qb<}MLQL=tqj(Bk50tuxH|RmP@%Y&;W-XGZ+lwl3Rx!`RdkIoAZUpcQdY!jfm7?ZF z%B AFaQ7m literal 0 HcmV?d00001