[opensuse] INSTALL FAILS: Upcoming update for shim requires confirmation on reboot
* Johannes Segitz <jsegitz@suse.com> [01-16-15 09:09]:
we will release a security update for shim next week that fixes three security issues, tracked in bnc#889332:
- OOB read access when parsing DHCPv6 packets (remote DoS) (CVE-2014-3675).
- Heap overflow when parsing IPv6 addresses provided by tftp:// DHCPv6 boot option (RCE) (CVE-2014-3676).
- Memory corruption when processing user provided MOK lists (CVE-2014-3677).
Because of those issues we update shim to version 0.7.318.81ee561d. This version includes a patch that requires the user to confirm a dialog once on the first boot after the update is installed. You will need to be able to confirm this dialog, which appears before the bootloader, or your system will not boot. This only affects users that are still on openSUSE 13.1 and use a secure boot setup. You can check with 'bootctl' if you're using a secure boot configuration if you're not sure.
Installation fails on my 13.1 server.
Hangs at:
+ /sbin/update-bootloader --reinit

Logs:
08:29 wahoo: /var/cache/zypp/packages/repo-update/x86_64 # rpm -Uhvvv ./shim-0.7.318.81ee561d-7.2.x86_64.rpm
D: ============== ./shim-0.7.318.81ee561d-7.2.x86_64.rpm
D: loading keyring from pubkeys in /var/lib/rpm/pubkeys/*.key
D: couldn't find any keys in /var/lib/rpm/pubkeys/*.key
D: loading keyring from rpmdb
D: opening db environment /var/lib/rpm cdb:private:0x201
D: opening db index /var/lib/rpm/Packages 0x400 mode=0x0
D: locked db index /var/lib/rpm/Packages
D: opening db index /var/lib/rpm/Name nofsync:0x400 mode=0x0
D: read h# 1 Header SHA1 digest: OK (b0d86230a3899ea0e94d19d76dfc7a9700fca8c5)
D: added key gpg-pubkey-307e3d54-4be01a65 to keyring
D: read h# 1310 Header SHA1 digest: OK (1469533e8536aa7267f6567bbdc17415c8547785)
D: added key gpg-pubkey-392ffa88-51f00be3 to keyring
D: read h# 1396 Header SHA1 digest: OK (0238a3db899f61935a55058a369d6763351a1386)
D: added key gpg-pubkey-9591c39b-51971adb to keyring
D: read h# 1708 Header SHA1 digest: OK (cda5c10fb660a86cf544f1585c79dc83f951cae3)
D: added key gpg-pubkey-ddcd7f1a-51318b5b to keyring
D: read h# 1953 Header SHA1 digest: OK (c26f82e18c835b10068e54dbfa94818941ecd435)
D: added key gpg-pubkey-9056621d-50f6ef88 to keyring
D: read h# 1992 Header SHA1 digest: OK (195ca3394a33f95be4c5a9c5498c55a0f3424f57)
D: added key gpg-pubkey-0f2672c8-50f6b041 to keyring
D: read h# 2722 Header SHA1 digest: OK (22c19fc0b82edc93ba43a149752cac323eb3284f)
D: added key gpg-pubkey-c0951497-53515432 to keyring
D: read h# 2723 Header SHA1 digest: OK (3710dbdc7146d5f5e2879c64dfe4b8a1542b865d)
D: added key gpg-pubkey-ee454f98-53515440 to keyring
D: read h# 2725 Header SHA1 digest: OK (66971eaf91d670b694659a33e42061c5b5467075)
D: added key gpg-pubkey-3dbdc284-53674dd4 to keyring
D: read h# 2730 Header SHA1 digest: OK (4588eb4871596b18274e6ea8198fc72ba31b5011)
D: added key gpg-pubkey-0ae6233b-53ba5c52 to keyring
D: read h# 2799 Header SHA1 digest: OK (f69ae5ae97d84ceb4d7845419921d071c276c66a)
D: added key gpg-pubkey-ce4c0d2f-53b4640d to keyring
D: read h# 2966 Header SHA1 digest: OK (feaa68173c427f2e313f06558ff561275666ba7a)
D: added key gpg-pubkey-bd6d129a-510add01 to keyring
D: Using legacy gpg-pubkey(s) from rpmdb
D: Expected size: 472700 = lead(96)+sigs(772)+pad(4)+data(471828)
D: Actual size: 472700
D: ./shim-0.7.318.81ee561d-7.2.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D: read h# 424 Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D: added binary package [0]
D: found 0 source and 1 binary packages
D: opening db index /var/lib/rpm/Conflictname nofsync:0x400 mode=0x0
D: ========== +++ shim-0.7.318.81ee561d-7.2 x86_64/linux 0x0
D: opening db index /var/lib/rpm/Basenames nofsync:0x400 mode=0x0
D: read h# 2981 Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D: Requires: /bin/bash YES (db files)
D: Requires: /bin/sh YES (db files)
D: opening db index /var/lib/rpm/Providename nofsync:0x400 mode=0x0
D: read h# 1754 Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D: Requires: grub2-efi YES (db provides)
D: read h# 579 Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D: Requires: perl-Bootloader YES (db provides)
D: Requires: /bin/sh YES (cached)
D: Requires: rpmlib(PayloadFilesHavePrefix) <= 4.0-1 YES (rpmlib provides)
D: Requires: rpmlib(CompressedFileNames) <= 3.0.4-1 YES (rpmlib provides)
D: Requires: rpmlib(PayloadIsLzma) <= 4.4.6-1 YES (rpmlib provides)
D: opening db index /var/lib/rpm/Obsoletename nofsync:0x400 mode=0x0
D: ========== --- shim-0.2-3.1 x86_64/linux 0x0
D: opening db index /var/lib/rpm/Requirename nofsync:0x400 mode=0x0
D: ========== recording tsort relations
D: ========== tsorting packages (order, #predecessors, #succesors, depth)
D: 0 0 0 1 +shim-0.7.318.81ee561d-7.2.x86_64
D: 1 0 0 1 -shim-0.2-3.1.x86_64
D: installing binary packages
D: Selinux disabled.
D: closed db index /var/lib/rpm/Obsoletename
D: closed db index /var/lib/rpm/Conflictname
D: closed db index /var/lib/rpm/Providename
D: closed db index /var/lib/rpm/Requirename
D: closed db index /var/lib/rpm/Basenames
D: closed db index /var/lib/rpm/Name
D: closed db index /var/lib/rpm/Packages
D: closed db environment /var/lib/rpm
D: opening db environment /var/lib/rpm cdb:private:0x201
D: opening db index /var/lib/rpm/Packages (none) mode=0x42
D: locked db index /var/lib/rpm/Packages
D: sanity checking 2 elements
D: opening db index /var/lib/rpm/Name nofsync mode=0x42
D: read h# 424 Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D: running pre-transaction scripts
D: computing 20 file fingerprints
D: opening db index /var/lib/rpm/Basenames nofsync mode=0x42
D: opening db index /var/lib/rpm/Group nofsync mode=0x42
D: opening db index /var/lib/rpm/Requirename nofsync mode=0x42
D: opening db index /var/lib/rpm/Providename nofsync mode=0x42
D: opening db index /var/lib/rpm/Conflictname nofsync mode=0x42
D: opening db index /var/lib/rpm/Obsoletename nofsync mode=0x42
D: opening db index /var/lib/rpm/Triggername nofsync mode=0x42
D: opening db index /var/lib/rpm/Dirnames nofsync mode=0x42
D: opening db index /var/lib/rpm/Installtid nofsync mode=0x42
D: opening db index /var/lib/rpm/Sigmd5 nofsync mode=0x42
D: opening db index /var/lib/rpm/Sha1header nofsync mode=0x42
Preparing...
D: computing file dispositions
D: 0x0000fd01 4096 11598826 3150267 /
D: 0x0000fd02 4096 3817577 1301974 /var
################################# [100%]
D: ========== +++ shim-0.7.318.81ee561d-7.2 x86_64-linux 0x0
D: Expected size: 472700 = lead(96)+sigs(772)+pad(4)+data(471828)
D: Actual size: 472700
D: shim-0.7.318.81ee561d-7.2.x86_64: Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D: install: shim-0.7.318.81ee561d-7.2 has 12 files
Updating / installing...
1:shim-0.7.318.81ee561d-7.2
D: ========== Directories not explicitly included in package:
D: 0 /etc/
D: 3 /usr/lib64/
D: 5 /usr/sbin/
D: 6 /usr/share/doc/packages/
D: ==========
D: create 040755 3 ( 0, 0) 0 /etc/uefi
D: create 040755 2 ( 0, 0) 0 /etc/uefi/certs
D: create 100644 1 ( 0, 0) 1144 /etc/uefi/certs/4659838C.crt;54c0fb6d
D: create 040755 2 ( 0, 0) 0 /usr/lib64/efi
D: create 100644 1 ( 0, 0)1283752 /usr/lib64/efi/MokManager.efi;54c0fb6d
D: create 100644 1 ( 0, 0) 64512 /usr/lib64/efi/fallback.efi;54c0fb6d
D: create 100444 1 ( 0, 0) 1144 /usr/lib64/efi/shim-opensuse.der;54c0fb6d
D: create 100755 1 ( 0, 0)1294048 /usr/lib64/efi/shim-opensuse.efi;54c0fb6d
################################# [ 50%]
D: create 120777 1 ( 0, 0) 17 /usr/lib64/efi/shim.efi;54c0fb6d
D: create 100755 1 ( 0, 0) 7868 /usr/sbin/shim-install;54c0fb6d
D: create 040755 2 ( 0, 0) 0 /usr/share/doc/packages/shim
D: create 100644 1 ( 0, 0) 1411 /usr/share/doc/packages/shim/COPYRIGHT;54c0fb6d
XZDIO: 83 reads, 2655680 total bytes in 0.055314 secs
D: adding "shim" to Name index.
D: adding 12 entries to Basenames index.
D: adding "System/Boot" to Group index.
D: adding 8 entries to Requirename index.
D: adding 2 entries to Providename index.
D: adding 8 entries to Dirnames index.
D: adding 1 entries to Installtid index.
D: adding 1 entries to Sigmd5 index.
D: adding "b345736ed59e558e4179a4e84f1dfee17c4b737b" to Sha1header index.
D: %post(shim-0.7.318.81ee561d-7.2.x86_64): scriptlet start
D: %post(shim-0.7.318.81ee561d-7.2.x86_64): execv(/bin/sh) pid 30193
+ /sbin/update-bootloader --reinit

--
(paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri
http://en.opensuse.org openSUSE Community Member facebook/ptilopteri
http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2
Registered Linux User #207535 @ http://linuxcounter.net
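
An added example, not part of the original thread or of the shim package: a check to run before installing the update, for the condition the announcement describes (Secure Boot enabled and an installed shim older than 0.7.318.81ee561d). The efivarfs mount path, the function names and the use of GNU sort -V for version ordering are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: will the shim update's one-time
# confirmation dialog appear on this host's next boot?

FIXED_SHIM="0.7.318.81ee561d"   # fixed version named in the announcement
# SecureBoot is stored under the EFI global-variable GUID.
SB_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Print enabled, disabled or not-efi for an efivarfs directory
# (the default path is an assumption about where efivarfs is mounted).
secure_boot_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    [ -d "$dir" ] || { echo not-efi; return 0; }
    [ -r "$dir/$SB_VAR" ] || { echo disabled; return 0; }
    # efivarfs puts 4 attribute bytes before the payload; byte 5 is the value.
    val=$(od -An -tu1 -j4 -N1 "$dir/$SB_VAR" | tr -d ' \n')
    if [ "$val" = "1" ]; then echo enabled; else echo disabled; fi
}

# Succeed when version $1 sorts strictly before $2 (GNU sort -V ordering).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Succeed when installing the update will raise the dialog on the next boot:
# Secure Boot is on and the installed shim predates the fixed version.
# $1 = secure boot state, $2 = installed shim version
confirmation_pending() {
    [ "$1" = enabled ] && version_lt "$2" "$FIXED_SHIM"
}

# Report for the local machine; the version falls back to "none" when shim
# is not installed or rpm is unavailable.
report() {
    state=$(secure_boot_state)
    installed=$(rpm -q --qf '%{VERSION}' shim 2>/dev/null) || installed=none
    if [ "$installed" != none ] && confirmation_pending "$state" "$installed"; then
        echo "secure boot $state, shim $installed: arrange console access before rebooting"
    else
        echo "secure boot $state, shim $installed: no confirmation dialog expected"
    fi
}

report
```

On a headless server the first outcome means the reboot after the update needs someone at the console or a remote KVM session.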