From c4b36b74ddb117a6379079470e491f6a89fcbf16 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 10 May 2022 03:21:35 -0400
Subject: [PATCH] import shim-unsigned-x64-15.5-1.el8
---
 .gitignore | 2 +-
 .shim-unsigned-x64.metadata | 2 +-
 ...001-Fix-a-broken-file-header-on-ia32.patch | 32 -----
 SOURCES/sbat.redhat.csv | 2 +-
 SOURCES/shim-find-debuginfo.sh | 33 ++---
 SPECS/shim-unsigned-x64.spec | 124 +++++++-----
 6 files changed, 67 insertions(+), 128 deletions(-)
 delete mode 100644 SOURCES/0001-Fix-a-broken-file-header-on-ia32.patch
diff --git a/.gitignore b/.gitignore
index 9b85752..296cdd7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/shim-15.4.tar.bz2
+SOURCES/shim-15.5.tar.bz2
diff --git a/.shim-unsigned-x64.metadata b/.shim-unsigned-x64.metadata
index 1a84976..e0f79e9 100644
--- a/.shim-unsigned-x64.metadata
+++ b/.shim-unsigned-x64.metadata
@@ -1 +1 @@
-d70485792a300bfa66f551adf7ae766451dfe7c0 SOURCES/shim-15.4.tar.bz2
+b91f5eaced7ba1dcaef266af10763461889be5df SOURCES/shim-15.5.tar.bz2
diff --git a/SOURCES/0001-Fix-a-broken-file-header-on-ia32.patch b/SOURCES/0001-Fix-a-broken-file-header-on-ia32.patch
deleted file mode 100644
index 1fbcb33..0000000
--- a/SOURCES/0001-Fix-a-broken-file-header-on-ia32.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 1bea91ba72165d97c3b453cf769cb4bc5c07207a Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 31 Mar 2021 14:54:52 -0400
-Subject: [PATCH] Fix a broken file header on ia32
-
-Commit c6281c6a195edee61185 needs to have included a ". = ALIGN(4096)"
-directive before .reloc, but fails to do so.
-
-As a result, binutils, which does not care about the actual binary
-format's constraints in any way, does not enforce the section alignment,
-and it will not load.
-
-Signed-off-by: Peter Jones
----
- elf_ia32_efi.lds | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/elf_ia32_efi.lds b/elf_ia32_efi.lds
-index 742e0a47a73..497a3a15265 100644
---- a/elf_ia32_efi.lds
-+++ b/elf_ia32_efi.lds
-@@ -15,6 +15,7 @@ SECTIONS
- *(.gnu.linkonce.t.*)
- _etext = .;
- }
-+ . = ALIGN(4096);
- .reloc :
- {
- *(.reloc)
---
-2.30.2
-
diff --git a/SOURCES/sbat.redhat.csv b/SOURCES/sbat.redhat.csv
index bc47dae..2135543 100644
--- a/SOURCES/sbat.redhat.csv
+++ b/SOURCES/sbat.redhat.csv
@@ -1 +1 @@
-shim.redhat,1,Red Hat,shim,15.4-4,secalert@redhat.com
+shim.redhat,1,Red Hat Inc,shim,15.5,secalert@redhat.com
diff --git a/SOURCES/shim-find-debuginfo.sh b/SOURCES/shim-find-debuginfo.sh
index d656fc9..7e882ff 100755
--- a/SOURCES/shim-find-debuginfo.sh
+++ b/SOURCES/shim-find-debuginfo.sh
@@ -20,9 +20,9 @@ fi
 findsource() {
 (
- cd "${RPM_BUILD_ROOT}"
- find usr/src/debug/ -type d | sed -e "s,^,%dir /," | sort -u | tac
- find usr/src/debug/ -type f | sed -e "s,^,/," | sort -u | tac
+ cd ${RPM_BUILD_ROOT}
+ find usr/src/debug/ -type d | sed "s,^,%dir /,"
+ find usr/src/debug/ -type f | sed "s,^,/,"
 )
 }
@@ -32,12 +32,9 @@ finddebug()
 declare -a dirs=()
 declare -a files=()
 declare -a excludes=()
- declare -a tmp=()
- pushd "${RPM_BUILD_ROOT}" >/dev/null 2>&1
-
- mapfile -t tmp < <(find usr/lib/debug/ -type f -iname "*.efi.debug")
- for x in "${tmp[@]}" ; do
+ pushd ${RPM_BUILD_ROOT} >/dev/null 2>&1
+ for x in $(find usr/lib/debug/ -type f -iname *.efi.debug); do
 if ! [ -e "${x}" ]; then
 break
 fi
@@ -60,10 +57,8 @@ finddebug()
 excludes[${#excludes[@]}]=${x%%.debug}
 fi
 done
- for x in "${files[@]}" ; do
- declare name
-
- name=$(dirname "/${x}")
+ for x in ${files[@]} ; do
+ declare name=$(dirname /${x})
 while [ "${name}" != "/" ]; do
 case "${name}" in
 "/usr/lib/debug"|"/usr/lib"|"/usr")
@@ -72,24 +67,24 @@ finddebug()
 dirs[${#dirs[@]}]=${name}
 ;;
 esac
- name=$(dirname "${name}")
+ name=$(dirname ${name})
 done
 done
 popd >/dev/null 2>&1
- for x in "${dirs[@]}" ; do
+ for x in ${dirs[@]} ; do
 echo "%dir ${x}"
 done | sort | uniq
- for x in "${files[@]}" ; do
+ for x in ${files[@]} ; do
 echo "/${x}"
 done | sort | uniq
- for x in "${excludes[@]}" ; do
+ for x in ${excludes[@]} ; do
 echo "%exclude /${x}"
 done
 }
-findsource > "build-${mainarch}/debugsource.list"
-finddebug "${mainarch}" > "build-${mainarch}/debugfiles.list"
+findsource > build-${mainarch}/debugsource.list
+finddebug ${mainarch} > build-${mainarch}/debugfiles.list
 if [ -v altarch ]; then
- finddebug "${altarch}" > "build-${altarch}/debugfiles.list"
+ finddebug ${altarch} > build-${altarch}/debugfiles.list
 fi
diff --git a/SPECS/shim-unsigned-x64.spec b/SPECS/shim-unsigned-x64.spec
index 32435b7..f27c7b8 100644
--- a/SPECS/shim-unsigned-x64.spec
+++ b/SPECS/shim-unsigned-x64.spec
@@ -19,8 +19,8 @@
 %global dbxfile %{nil}
 Name: shim-unsigned-%{efiarch}
-Version: 15.4
-Release: 4%{?dist}
+Version: 15.5
+Release: 1.el8
 Summary: First-stage UEFI bootloader
 ExclusiveArch: x86_64
 License: BSD
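Review bot: `for x in $(find usr/lib/debug/ -type f -iname *.efi.debug); do` on the new side word-splits find's output and leaves the `*.efi.debug` pattern unquoted, so the shell expands it against the current directory before find sees it whenever a matching name exists there. The -60 and -72 hunks of this file likewise drop the quotes around `${files[@]}`, `${dirs[@]}`, `${excludes[@]}`, the `dirname` arguments and the `build-${mainarch}` redirect targets, and `pushd ${RPM_BUILD_ROOT}` here is unquoted too. Paths under a build root are unlikely to contain whitespace, but the previous version's `mapfile -t` form handled them and the new form does not, so this reads as a regression rather than a cleanup. Quoting the pattern as `-iname '*.efi.debug'` and iterating with `while IFS= read -r x; do … done < <(find usr/lib/debug/ -type f -iname '*.efi.debug')` keeps the loop in the current shell while restoring the safe behaviour. finddebug's body begins before this hunk.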
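Review bot: `Release: 1.el8` hard-codes the dist tag that the previous `Release: 4%{?dist}` derived from the build target, so the same spec built for another target or with a different `%dist` would still stamp an `.el8` release string on the package and on the `RELEASE=%{release}` value passed to make. Keeping the macro form, `Release: 1%{?dist}`, yields the same result on el8 while leaving the spec portable.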
@@ -34,8 +34,6 @@ Source3: sbat.redhat.csv
 Source100: shim-find-debuginfo.sh
-Patch0001: 0001-Fix-a-broken-file-header-on-ia32.patch
-
 BuildRequires: gcc make
 BuildRequires: elfutils-libelf-devel
 BuildRequires: git openssl-devel openssl
@@ -68,6 +66,7 @@ Provides: bundled(openssl) = %{openssl_vre}
 %package debuginfo
 Summary: Debug information for shim-unsigned-%{efiarch}
+Requires: %{name}-debugsource = %{version}-%{release}
 Group: Development/Debug
 AutoReqProv: 0
 BuildArch: noarch
@@ -78,6 +77,7 @@ BuildArch: noarch
 %package -n shim-unsigned-%{efialtarch}-debuginfo
 Summary: Debug information for shim-unsigned-%{efialtarch}
 Group: Development/Debug
+Requires: %{name}-debugsource = %{version}-%{release}
 AutoReqProv: 0
 BuildArch: noarch
@@ -107,26 +107,19 @@ MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
 MAKEFLAGS+="ENABLE_SHIM_HASH=true "
 MAKEFLAGS+="%{_smp_mflags}"
-if [ -f "%{SOURCE1}" ]; then
+if [ -s "%{SOURCE1}" ]; then
 MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
 fi
-%if 0%{?dbxfile}
-if [ -f "%{SOURCE2}" ]; then
+if [ -s "%{SOURCE2}" ]; then
 MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
 fi
-%endif
 cd build-%{efiarch}
-make ${MAKEFLAGS} \
- DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \
- all
+make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efiarch}.efi' all
 cd ..
 cd build-%{efialtarch}
-setarch linux32 -B make ${MAKEFLAGS} \
- ARCH=%{efialtarch} \
- DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
- all
+setarch linux32 -B make ${MAKEFLAGS} ARCH=%{efialtarch} DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' all
 cd ..
 %install
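Review bot: `if [ -s "%{SOURCE1}" ]; then` makes the vendor certificate optional at build time: when `%{SOURCE1}` is missing or empty, `VENDOR_CERT_FILE` is silently left out of MAKEFLAGS and the build continues, so a mis-supplied Source1 yields a shim with no vendor certificate instead of a failed build. The same test is repeated for `%{SOURCE2}` here and for both sources in the `%install` hunk at -134, and with the `%if 0%{?dbxfile}` guard removed the dbx decision now rests solely on that file test. If a vendor certificate is expected for every build of this package, the omission is worth surfacing, e.g. `[ -s "%{SOURCE1}" ] || { echo "vendor certificate %{SOURCE1} is missing or empty" >&2; exit 1; }` before the `MAKEFLAGS` line, or at minimum an `else` branch that logs that the build is proceeding without it. The `%build` section this hunk belongs to begins before it.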
@@ -134,14 +127,12 @@ COMMITID=$(cat commit)
 MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
 MAKEFLAGS+="ENABLE_SHIM_HASH=true "
-if [ -f "%{SOURCE1}" ]; then
+if [ -s "%{SOURCE1}" ]; then
 MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
 fi
-%if 0%{?dbxfile}
-if [ -f "%{SOURCE2}" ]; then
+if [ -s "%{SOURCE2}" ]; then
 MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
 fi
-%endif
 cd build-%{efiarch}
 make ${MAKEFLAGS} \
@@ -151,8 +142,7 @@ make ${MAKEFLAGS} \
 cd ..
 cd build-%{efialtarch}
-setarch linux32 make ${MAKEFLAGS} \
- ARCH=%{efialtarch} \
+setarch linux32 make ${MAKEFLAGS} ARCH=%{efialtarch} \
 DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
 DESTDIR=${RPM_BUILD_ROOT} \
 install-as-data install-debuginfo install-debugsource
@@ -183,63 +173,49 @@ cd ..
 %files debugsource -f build-%{efiarch}/debugsource.list
 %changelog
-* Thu Apr 01 2021 Peter Jones - 15.4-4
-- Fix the sbat data to actually match /this/ product.
- Resolves: CVE-2020-14372
- Resolves: CVE-2020-25632
- Resolves: CVE-2020-25647
- Resolves: CVE-2020-27749
- Resolves: CVE-2020-27779
- Resolves: CVE-2021-20225
- Resolves: CVE-2021-20233
+* Wed Mar 09 2022 Peter Jones - 15.5-1.el8
+- Update to shim-15.5
+ Related: rhbz#1982071
-* Wed Mar 31 2021 Peter Jones - 15.4-3
-- Build with the correct certificate trust list for this OS.
- Resolves: CVE-2020-14372
- Resolves: CVE-2020-25632
- Resolves: CVE-2020-25647
- Resolves: CVE-2020-27749
- Resolves: CVE-2020-27779
- Resolves: CVE-2021-20225
- Resolves: CVE-2021-20233
+* Thu Sep 17 2020 Peter Jones - 15-9.el8
+- Fix an incorrect allocation size.
+ Related: rhbz#1877253
-* Wed Mar 31 2021 Peter Jones - 15.4-2
-- Fix the ia32 build.
- Resolves: CVE-2020-14372
- Resolves: CVE-2020-25632
- Resolves: CVE-2020-25647
- Resolves: CVE-2020-27749
- Resolves: CVE-2020-27779
- Resolves: CVE-2021-20225
- Resolves: CVE-2021-20233
+* Thu Jul 30 2020 Peter Jones - 15-8
+- Fix a load-address-dependent forever loop.
+ Resolves: rhbz#1861977
+ Related: CVE-2020-10713
+ Related: CVE-2020-14308
+ Related: CVE-2020-14309
+ Related: CVE-2020-14310
+ Related: CVE-2020-14311
+ Related: CVE-2020-15705
+ Related: CVE-2020-15706
+ Related: CVE-2020-15707
-* Tue Mar 30 2021 Peter Jones - 15.4-1
-- Update to shim 15.4
- - Support for revocations via the ".sbat" section and SBAT EFI variable
- - A new unit test framework and a bunch of unit tests
- - No external gnu-efi dependency
- - Better CI
- Resolves: CVE-2020-14372
- Resolves: CVE-2020-25632
- Resolves: CVE-2020-25647
- Resolves: CVE-2020-27749
- Resolves: CVE-2020-27779
- Resolves: CVE-2021-20225
- Resolves: CVE-2021-20233
+* Sat Jul 25 2020 Peter Jones - 15-7
+- Implement Lenny's workaround
+ Related: CVE-2020-10713
+ Related: CVE-2020-14308
+ Related: CVE-2020-14309
+ Related: CVE-2020-14310
+ Related: CVE-2020-14311
-* Wed Mar 24 2021 Peter Jones - 15.3-0~1
-- Update to shim 15.3
- - Support for revocations via the ".sbat" section and SBAT EFI variable
- - A new unit test framework and a bunch of unit tests
- - No external gnu-efi dependency
- - Better CI
- Resolves: CVE-2020-14372
- Resolves: CVE-2020-25632
- Resolves: CVE-2020-25647
- Resolves: CVE-2020-27749
- Resolves: CVE-2020-27779
- Resolves: CVE-2021-20225
- Resolves: CVE-2021-20233
+* Fri Jul 24 2020 Peter Jones - 15-5
+- Once more with the MokListRT config table patch added.
+ Related: CVE-2020-10713
+ Related: CVE-2020-14308
+ Related: CVE-2020-14309
+ Related: CVE-2020-14310
+ Related: CVE-2020-14311
+
+* Thu Jul 23 2020 Peter Jones - 15-4
+- Rebuild for bug fixes and new signing keys
+ Related: CVE-2020-10713
+ Related: CVE-2020-14308
+ Related: CVE-2020-14309
+ Related: CVE-2020-14310
+ Related: CVE-2020-14311
 * Wed Jun 05 2019 Javier Martinez Canillas - 15-3
 - Make EFI variable copying fatal only on secureboot enabled systems