Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2016-08-17 11:59:46 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "shim" Changes: -------- --- /work/SRC/openSUSE:Factory/shim/shim.changes 2016-05-13 09:22:00.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2016-08-17 11:59:48.000000000 +0200 
@@ -1,0 +2,37 @@ +Fri Aug 5 02:53:54 UTC 2016 - glin@suse.com + +- Add shim-bsc991885-fix-sig-length.patch to fix the signature + length passed to Authenticode (bsc#991885) + +------------------------------------------------------------------- +Wed Aug 3 09:10:25 UTC 2016 - glin@suse.com + +- Update shim-bsc973496-mokmanager-no-append-write.patch to try + append write first + +------------------------------------------------------------------- +Tue Aug 2 02:59:46 UTC 2016 - glin@suse.com + +- Add shim-update-openssl-1.0.2h.patch to update openssl to 1.0.2h +- Bump the requirement of gnu-efi due to the HTTPBoot support + +------------------------------------------------------------------- +Mon Aug 1 09:01:59 UTC 2016 - glin@suse.com + +- Add shim-httpboot-support.patch to support HTTPBoot +- Add shim-update-openssl-1.0.2g.patch to update openssl to 1.0.2g + and Cryptlib to 5e2318dd37a51948aaf845c7d920b11f47cdcfe6 +- Drop patches since they are merged into + shim-update-openssl-1.0.2g.patch + + shim-update-openssl-1.0.2d.patch + + shim-gcc5.patch + + shim-bsc950569-fix-cryptlib-va-functions.patch + + shim-fix-aarch64.patch +- Refresh shim-change-debug-file-path.patch +- Add shim-bsc973496-mokmanager-no-append-write.patch to work + around the firmware that doesn't support APPEND_WRITE (bsc973496) +- shim-install : remove '\n' from the help message (bsc#991188) +- shim-install : print a message if there is no valid EFI partition + (bsc#991187) + +------------------------------------------------------------------- Old: ---- shim-bsc950569-fix-cryptlib-va-functions.patch shim-fix-aarch64.patch shim-gcc5.patch shim-update-openssl-1.0.2d.patch New: ---- shim-bsc973496-mokmanager-no-append-write.patch shim-bsc991885-fix-sig-length.patch shim-httpboot-support.patch shim-update-openssl-1.0.2g.patch shim-update-openssl-1.0.2h.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim.spec ++++++ --- 
/var/tmp/diff_new_pack.qZ1cTj/_old 2016-08-17 11:59:50.000000000 +0200 +++ /var/tmp/diff_new_pack.qZ1cTj/_new 2016-08-17 11:59:50.000000000 +0200 
@@ -44,18 +44,21 @@ Source12: signature-sles.asc # PATCH-FIX-SUSE shim-only-os-name.patch glin@suse.com -- Only include the OS name in version.c Patch1: shim-only-os-name.patch -# PATCH-FIX-UPSTREAM shim-update-openssl-1.0.2d.patch glin@suse.com -- Update openssl to 1.0.2d -Patch4: shim-update-openssl-1.0.2d.patch -# PATCH-FIX-UPSTREAM shim-gcc5.patch glin@suse.com -- Specify the gnu89 standard -Patch5: shim-gcc5.patch -# PATCH-FIX-UPSTREAM shim-bsc950569-fix-cryptlib-va-functions.patch bsc#950569 glin@suse.com -- Fix the definition of the va functions to avoid the potential crash -Patch6: shim-bsc950569-fix-cryptlib-va-functions.patch -Patch7: shim-fix-aarch64.patch +# PATCH-FIX-UPSTREAM FATE#320129 shim-httpboot-support.patch glin@suse.com -- Add HTTPBoot support +Patch2: shim-httpboot-support.patch +# PATCH-FIX-UPSTREAM shim-update-openssl-1.0.2g.patch glin@suse.com -- Update openssl to 1.0.2g +Patch3: shim-update-openssl-1.0.2g.patch +# PATCH-FIX-UPSTREAM bsc#973496 shim-bsc973496-mokmanager-no-append-write.patch glin@suse.com -- Work around the firmware that doesn't support APPEND_WRITE +Patch4: shim-bsc973496-mokmanager-no-append-write.patch +# PATCH-FIX-UPSTREAM shim-update-openssl-1.0.2h.patch glin@suse.com -- Update openssl to 1.0.2h +Patch5: shim-update-openssl-1.0.2h.patch +# PATCH-FIX-UPSTREAM bsc#991885 shim-bsc991885-fix-sig-length.patch glin@suse.com -- Fix the signature length passed to Authenticode +Patch6: shim-bsc991885-fix-sig-length.patch # PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch glin@suse.com -- Change the default debug file path Patch50: shim-change-debug-file-path.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not Patch100: shim-opensuse-cert-prompt.patch -BuildRequires: gnu-efi >= 3.0t +BuildRequires: gnu-efi >= 3.0.3 BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 BuildRequires: pesign 
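Review bot: the Patch4, Patch5 and Patch6 tags in this hunk are reassigned to different files (Patch4 goes from shim-update-openssl-1.0.2d.patch to shim-bsc973496-mokmanager-no-append-write.patch, Patch5 from shim-gcc5.patch to shim-update-openssl-1.0.2h.patch, Patch6 from shim-bsc950569-fix-cryptlib-va-functions.patch to shim-bsc991885-fix-sig-length.patch) while the matching %patch4/%patch5/%patch6 lines in %prep stay textually unchanged, so neither hunk on its own shows that those apply steps now apply different patches; allocating fresh numbers for the new files (and deleting the old tags outright) would make the change and any later backport easier to audit. Also, the comment for shim-bsc991885-fix-sig-length.patch describes a blacklist-check bypass, so it is worth flagging it explicitly as a security fix next to the bsc#991885 reference rather than as an ordinary upstream fix.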
@@ -91,10 +94,11 @@ %prep %setup -q %patch1 -p1 +%patch2 -p1 +%patch3 -p1 %patch4 -p1 %patch5 -p1 %patch6 -p1 -%patch7 -p1 %patch50 -p1 %patch100 -p1 %build ++++++ shim-bsc973496-mokmanager-no-append-write.patch ++++++
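Review bot: in the shim.changes hunk above, the entry for shim-bsc973496-mokmanager-no-append-write.patch cites its bug as "(bsc973496)" while every other reference in the same hunk uses the "bsc#NNNNNN" form ("bsc#991885", "bsc#991188", "bsc#991187"); use "(bsc#973496)" so the reference is consistent and matches the "bsc#973496" used in the shim.spec comment for the same patch.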
From 3bd098ea88d36cdaa550cdd384f7a08d3586d7e5 Mon Sep 17 00:00:00 2001
From: Gary Lin
Date: Thu, 28 Jul 2016 15:11:14 +0800
Subject: [PATCH 1/2] MokManager: Remove the usage of APPEND_WRITE
We got a bug report that the usage of APPEND_WRITE may cause a failure
when writing a variable on Lenovo machines. Although
EFI_VARIABLE_APPEND_WRITE has existed in the UEFI spec for years,
unfortunately some vendors just ignore it and never implement the
attribute. This commit removes the usage of EFI_VARIABLE_APPEND_WRITE to
make MokManager work on those machines.
https://github.com/rhinstaller/shim/issues/55
Signed-off-by: Gary Lin
From 3c000e67cc9c5ddd84f5a34b77e6ee8df4fe3ae5 Mon Sep 17 00:00:00 2001
From: Gary Lin
Date: Wed, 3 Aug 2016 16:53:51 +0800
Subject: [PATCH 2/2] MokManager: Try APPEND_WRITE first
Try to append to the MOK/MOKX list first and then fall back to the normal
SetVariable if the firmware doesn't support EFI_VARIABLE_APPEND_WRITE.
Signed-off-by: Gary Lin
From 6c12c7bf522d032922abb799cdf0d6f525de3c38 Mon Sep 17 00:00:00 2001
From: Sachin Agrawal
Date: Tue, 2 Aug 2016 16:46:31 -0700
Subject: [PATCH] Use authenticode signature length from WIN_CERTIFICATE structure.
The Authenticode certificate length is available in the Certificate Table
(inside the PE header) and also in the signature header (WIN_CERTIFICATE) itself.
Code in the 'check_blacklist()' method uses the length from the signature header,
whereas the AuthenticodeVerify() call inside the 'verify_buffer()' method uses
the length in the signature header. This causes a security vulnerability issue:

Good scenario: Assume shim1.crt is used for signing grub.efi and
shim1.crt is embedded inside shim.efi. Also assume shim1.crt got
compromised and therefore it was added to the 'dbx' database. Now, when
shim.efi attempts to load grub.efi, it will fail to load with the
log message "Binary is blacklisted" because the 'check_blacklist' call
will detect the presence of 'shim1.crt' in 'dbx'.

Vulnerable scenario: Similar to above. Add 'shim1.crt' to the dbx database.
Also tamper with the earlier signed grub.efi file by placing 0x0000 in
WIN_CERTIFICATE.dwLength.
(Open the grub.efi/vmlinuz signed binary with a hex editor.
Go to address 0x128 and read out the address from 0x128 until
0x12B in little-endian order, from right to left.
Jump to the address read from the 0x128 area.
The first 8 bytes are the signature header area, which consists of
the signature size (4 bytes), revision (2 bytes) and type (2 bytes).
So tamper with the first 4 bytes for the signature size and save the binary.)
With this tampered grub.efi, shim.efi loads it successfully because the
'check_blacklist()' call fails to detect the presence of shim1.crt in the 'dbx'
database.
Signed-off-by: Sachin Agrawal
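The commit message above describes two sources for the signature length, the PE data directory entry and the WIN_CERTIFICATE header, and a bypass when the two disagree. The following is an added example, not shim's code or part of this patch, of the defensive check a loader should perform before handing the blob to any verifier or blacklist lookup: the helper name authenticode_sig_length and the sample tables are hypothetical, while the header layout and the revision/type constants are the ones the PE/Authenticode specification defines.

```c
#include <stddef.h>
#include <stdint.h>

/* WIN_CERTIFICATE header at the start of the PE attribute certificate table:
 * dwLength (4 bytes), wRevision (2), wCertificateType (2), all little-endian. */
#define WIN_CERT_HDR_LEN               8u
#define WIN_CERT_REVISION_2_0          0x0200u
#define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002u

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Return the number of PKCS#7 bytes that may be handed to the Authenticode
 * verifier and to the blacklist check, or 0 to reject the image.
 * cert_table/cert_table_size describe the certificate table as located by the
 * PE data directory, so both length sources named in the commit message are
 * cross-checked here (hypothetical helper, not shim's own code). */
size_t authenticode_sig_length(const uint8_t *cert_table, size_t cert_table_size)
{
    if (cert_table == NULL || cert_table_size < WIN_CERT_HDR_LEN)
        return 0;
    uint32_t dw_length = rd_le32(cert_table);
    uint16_t revision  = rd_le16(cert_table + 4);
    uint16_t cert_type = rd_le16(cert_table + 6);
    if (revision != WIN_CERT_REVISION_2_0 || cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA)
        return 0;
    /* A dwLength shorter than its own header (for example the zeroed value the
     * commit describes) or larger than the table the PE header advertises is
     * an inconsistency, so the image is rejected rather than being checked
     * against an empty or out-of-bounds blob. */
    if (dw_length < WIN_CERT_HDR_LEN || dw_length > cert_table_size)
        return 0;
    return (size_t)dw_length - WIN_CERT_HDR_LEN;
}

/* Constructed sample tables (header plus an 8-byte placeholder blob, not a
 * real signature): consistent lengths, and the same bytes with dwLength zeroed. */
const uint8_t good_table[16]     = { 0x10,0,0,0, 0x00,0x02, 0x02,0x00, 1,2,3,4,5,6,7,8 };
const uint8_t tampered_table[16] = { 0x00,0,0,0, 0x00,0x02, 0x02,0x00, 1,2,3,4,5,6,7,8 };
```

With the tampered table the function returns 0 and the loader refuses the image, instead of running the blacklist check over zero bytes as the commit message describes.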