Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Block Debian grub binaries with SBAT < 4 #550

Merged
merged 1 commit into from
May 2, 2023
Merged

Block Debian grub binaries with SBAT < 4 #550

merged 1 commit into from
May 2, 2023

Conversation

steve-mcintyre
Copy link
Collaborator

(See https://bugs.debian.org/1024617)

One of the Debian builds of grub bumped the SBAT to 3, but didn't include the patches needed. Add "grub.debian,4" to block those binaries.

Signed-off-by: Steve McIntyre [email protected]

Block Debian grub binaries with SBAT < 4
acd9221 
(See https://bugs.debian.org/1024617)

One of the Debian builds of grub bumped the SBAT to 3, but didn't
include the patches needed. Add "grub.debian,4" to block those
binaries.

Signed-off-by: Steve McIntyre <[email protected]>
julian-klode
julian-klode approved these changes Jan 30, 2023
View reviewed changes
Copy link
Collaborator

@julian-klode julian-klode left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@THS-on THS-on mentioned this pull request Feb 9, 2023
Closed
8 tasks
@Blarse
Copy link

Blarse commented Mar 14, 2023

Hi,

Wouldn't "grub.debian,2" be enough?

@Blarse
Copy link

Blarse commented Mar 14, 2023

I mean in both grub's .sbat section and shim's revocations

@aronowski aronowski mentioned this pull request Apr 5, 2023
Closed
8 tasks
@vathpela vathpela merged commit cca3933 into rhboot:main May 2, 2023
vathpela added a commit that referenced this pull request Jan 23, 2024
@vathpela
Bump version to 15.8
5914984 
What's changed
* Various CVE fixes:
  CVE-2023-40546 mok: fix LogError() invocation
  CVE-2023-40547 - avoid incorrectly trusting HTTP headers
  CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
  CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
  CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
  CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
* Add make infrastructure to set the NX_COMPAT flag by @vathpela in #530
* Make sbat_var.S parse right with buggy gcc/binutils by @vathpela in #535
* Drop invalid calls to CRYPTO_set_mem_functions by @nicholasbishop in #537
* pe: Align section size up to page size for mem attrs by @nicholasbishop in #539
* test-sbat: Fix exit code by @vathpela in #540
* pe: Add IS_PAGE_ALIGNED macro by @nicholasbishop in #541
* CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper by @nicholasbishop in #546
* Don't loop forever in load_certs() with buggy firmware by @rmetrich in #547
* Block Debian grub binaries with SBAT < 4 by @steve-mcintyre in #550
* Shim unable to locate grubx64 in PXE boot mode when grubx64 is stored in a different file path by @Alberto-Perez-Guevara in #551
* Further improve load_certs() for non-compliant drivers/firmwares by @pbatard in #560
* pe: only process RelocDir->Size of reloc section by @mikebeaton in #562
* Rename 'msecs' to 'usecs' to avoid potential confusion by @aronowski in #563
* Optionally allow to keep shim protocol installed by @bluca in #565
* SBAT-related documents formatting and spelling by @aronowski in #566
* Add SbatLevel_Variable.txt to document the various revocations by @jsetje in #569
* Add a security contact email address in README.md by @vathpela in #572
* Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL by @vathpela in #576
* mok: fix LogError() invocation by @vathpela in #577
* Minor housekeeping by @vathpela in #578
* Test ImageAddress() by @vathpela in #579
* FreePages() is used to return memory allocated by AllocatePages() by @dennis-tseng99 in #580
* Size should minus 1 when calculating 'RelocBaseEnd' by @jsetje in #581
* Verify signature before verifying sbat levels by @jsetje in #583
* Add libFuzzer support for csv.c and sbat.c by @vathpela in #584
* mok: Avoid underflow in maximum variable size calculation by @alpernebbi in #587
* Housekeeping by @vathpela in #605

Signed-off-by: Peter Jones <[email protected]>
brianredbeard pushed a commit to brianredbeard/redhat-efi-boot-shim that referenced this pull request Feb 22, 2024
@vathpela @brianredbeard
Bump version to 15.8
891edcf 
What's changed
* Various CVE fixes:
  CVE-2023-40546 mok: fix LogError() invocation
  CVE-2023-40547 - avoid incorrectly trusting HTTP headers
  CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
  CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
  CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
  CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
* Add make infrastructure to set the NX_COMPAT flag by @vathpela in rhboot#530
* Make sbat_var.S parse right with buggy gcc/binutils by @vathpela in rhboot#535
* Drop invalid calls to CRYPTO_set_mem_functions by @nicholasbishop in rhboot#537
* pe: Align section size up to page size for mem attrs by @nicholasbishop in rhboot#539
* test-sbat: Fix exit code by @vathpela in rhboot#540
* pe: Add IS_PAGE_ALIGNED macro by @nicholasbishop in rhboot#541
* CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper by @nicholasbishop in rhboot#546
* Don't loop forever in load_certs() with buggy firmware by @rmetrich in rhboot#547
* Block Debian grub binaries with SBAT < 4 by @steve-mcintyre in rhboot#550
* Shim unable to locate grubx64 in PXE boot mode when grubx64 is stored in a different file path by @Alberto-Perez-Guevara in rhboot#551
* Further improve load_certs() for non-compliant drivers/firmwares by @pbatard in rhboot#560
* pe: only process RelocDir->Size of reloc section by @mikebeaton in rhboot#562
* Rename 'msecs' to 'usecs' to avoid potential confusion by @aronowski in rhboot#563
* Optionally allow to keep shim protocol installed by @bluca in rhboot#565
* SBAT-related documents formatting and spelling by @aronowski in rhboot#566
* Add SbatLevel_Variable.txt to document the various revocations by @jsetje in rhboot#569
* Add a security contact email address in README.md by @vathpela in rhboot#572
* Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL by @vathpela in rhboot#576
* mok: fix LogError() invocation by @vathpela in rhboot#577
* Minor housekeeping by @vathpela in rhboot#578
* Test ImageAddress() by @vathpela in rhboot#579
* FreePages() is used to return memory allocated by AllocatePages() by @dennis-tseng99 in rhboot#580
* Size should minus 1 when calculating 'RelocBaseEnd' by @jsetje in rhboot#581
* Verify signature before verifying sbat levels by @jsetje in rhboot#583
* Add libFuzzer support for csv.c and sbat.c by @vathpela in rhboot#584
* mok: Avoid underflow in maximum variable size calculation by @alpernebbi in rhboot#587
* Housekeeping by @vathpela in rhboot#605

Signed-off-by: Peter Jones <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@julian-klode julian-klode julian-klode approved these changes

@frozencemetery frozencemetery frozencemetery approved these changes

@vathpela vathpela Awaiting requested review from vathpela

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@steve-mcintyre @Blarse @frozencemetery @julian-klode @vathpela