File _patchinfo of Package patchinfo.33579

<patchinfo incident="33579">
  <issue tracker="cve" id="2023-40546"/>
  <issue tracker="cve" id="2023-40548"/>
  <issue tracker="cve" id="2023-40547"/>
  <issue tracker="cve" id="2023-40549"/>
  <issue tracker="cve" id="2023-40551"/>
  <issue tracker="cve" id="2023-40550"/>
  <issue tracker="cve" id="2022-28737"/>
  <issue tracker="bnc" id="1215102">VUL-0: CVE-2023-40550: shim: pe: Fix an out-of-bound read in verify_buffer_sbat()</issue>
  <issue tracker="bnc" id="1215103">VUL-0: CVE-2023-40551: shim: pe-relocate: Fix bounds check for MZ binaries</issue>
  <issue tracker="bnc" id="1219460">shim is built failed due to fde-tpm-helper-rpm-macros</issue>
  <issue tracker="bnc" id="1205855">GRUB2 installation failed in fresh install</issue>
  <issue tracker="bnc" id="1215100">VUL-0: CVE-2023-40548: shim: Fix integer overflow on SBAT section size on 32-bit system</issue>
  <issue tracker="bnc" id="1198101">VUL-0: shim: openSUSE tumbleweed not fully locked down? Add opensuse-cert-prompt back to openSUSE shim</issue>
  <issue tracker="bnc" id="1215098">VUL-0: CVE-2023-40547: shim: trusting http headers</issue>
  <issue tracker="bnc" id="1213945">AUDIT-TRACKER: fde-tools,pcr-oracle,grub2: TPM based unattended disk unlocking</issue>
  <issue tracker="bnc" id="1210382">The bootx64.efi in EFI boot partition is not updated after shim be upgraded.</issue>
  <issue tracker="bnc" id="1215099">VUL-0: CVE-2023-40546: shim: format specifier issues when calling LogError</issue>
  <issue tracker="bnc" id="1215101">VUL-0: CVE-2023-40549: shim: Authenticode: verify that the signature header is in bounds.</issue>
  <issue tracker="bnc" id="1205588">Page Fault when booting with PE NX-compatibility DLL Characteristic flag</issue>
  <issue tracker="jsc" id="PED-922"/>
  <packager>dtseng</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for shim</summary>
  <description>This update for shim fixes the following issues:

- Update shim-install to set the TPM2 SRK algorithm (bsc#1213945)
- Limit the requirement of fde-tpm-helper-macros to the distro with
  suse_version 1600 and above (bsc#1219460)

Update to version 15.8:

Security issues fixed:

- mok: fix LogError() invocation (bsc#1215099,CVE-2023-40546)
- avoid incorrectly trusting HTTP headers (bsc#1215098,CVE-2023-40547)
- Fix integer overflow on SBAT section size on 32-bit system (bsc#1215100,CVE-2023-40548)
- Authenticode: verify that the signature header is in bounds (bsc#1215101,CVE-2023-40549)
- pe: Fix an out-of-bound read in verify_buffer_sbat() (bsc#1215102,CVE-2023-40550)
- pe-relocate: Fix bounds check for MZ binaries (bsc#1215103,CVE-2023-40551)

The NX flag is disabled, which is the same as the default value in shim-15.8; hence there is no need to enable it with this patch now.

- Generate dbx during build so we don't include binary files in sources
- Don't require grub so shim can still be used with systemd-boot
- Update shim-install to fix boot failure of ext4 root file system
  on RAID10 (bsc#1205855)
- Adopt the macros from fde-tpm-helper-macros to update the
  signature in the sealed key after a bootloader upgrade

- Update shim-install to amend full disk encryption support
  - Adopt TPM 2.0 Key File for grub2 TPM 2.0 protector
  - Use the long name to specify the grub2 key protector
  - cryptodisk: support TPM authorized policies
  - Do not use tpm_record_pcrs unless the command is in command.lst

- Removed POST_PROCESS_PE_FLAGS=-N from the build command in shim.spec to
  enable the NX compatibility flag when using post-process-pe, after
  discussion with grub2 experts by mail. It is useful for further development
  and testing. (bsc#1205588)
</description>
</patchinfo>