SUSE-SU-2023:2086-1: important: Security update for shim

sle-updates at lists.suse.com sle-updates at lists.suse.com
Mon May 8 09:05:38 UTC 2023



# Security update for shim

Announcement ID: SUSE-SU-2023:2086-1  
Rating: important  
References:

  * #1185232
  * #1185261
  * #1185441
  * #1185621
  * #1187071
  * #1187260
  * #1193282
  * #1193315
  * #1198101
  * #1198458
  * #1201066
  * #1202120
  * #1205588

  
Cross-References:

  * CVE-2022-28737

  
CVSS scores:

  * CVE-2022-28737 ( SUSE ):  8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  
Affected Products:

  * SUSE CaaS Platform 4.0
  * SUSE Enterprise Storage 7
  * SUSE Linux Enterprise High Performance Computing 15 SP1
  * SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1
  * SUSE Linux Enterprise High Performance Computing 15 SP2
  * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
  * SUSE Linux Enterprise Server 15 SP1
  * SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1
  * SUSE Linux Enterprise Server 15 SP2
  * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
  * SUSE Linux Enterprise Server for SAP Applications 15 SP1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP2

  
  
An update that solves one vulnerability, contains two features and has 12 fixes
can now be installed.

## Description:

This update for shim fixes the following issues:

  * Updated shim signature after shim 15.7 be signed back: signature-
    sles.x86_64.asc, signature-sles.aarch64.asc (bsc#1198458)

  * Add POST_PROCESS_PE_FLAGS=-N to the build command in shim.spec to disable
    the NX compatibility flag when using post-process-pe because grub2 is not
    ready. (bsc#1205588)

  * Enable the NX compatibility flag by default. (jsc#PED-127)

Update to 15.7 (bsc#1198458) (jsc#PED-127):

  * Make SBAT variable payload introspectable
  * Reference MokListRT instead of MokList
  * Add a link to the test plan in the readme.
  * [V3] Enable TDX measurement to RTMR register
  * Discard load-options that start with a NUL
  * Fixed load_cert_file bugs
  * Add -malign-double to IA32 compiler flags
  * pe: Fix image section entry-point validation
  * make-archive: Build reproducible tarball
  * mok: remove MokListTrusted from PCR 7

Other fixes:

  * Support enhance shim measurement to TD RTMR. (jsc#PED-1273)

  * shim-install: ensure grub.cfg created is not overwritten after installing
    grub related files

  * Add logic to shim.spec to only set sbat policy when efivarfs is writeable.
    (bsc#1201066)
  * Add logic to shim.spec for detecting --set-sbat-policy option before using
    mokutil to set sbat policy. (bsc#1202120)
  * Change the URL in SBAT section to mail:security at suse.de. (bsc#1193282)

Update to 15.6 (bsc#1198458):

  * MokManager: removed Locate graphic output protocol fail error message
  * shim: implement SBAT verification for the shim_lock protocol
  * post-process-pe: Fix a missing return code check
  * Update github actions matrix to be more useful
  * post-process-pe: Fix format string warnings on 32-bit platforms
  * Allow MokListTrusted to be enabled by default
  * Re-add ARM AArch64 support
  * Use ASCII as fallback if Unicode Box Drawing characters fail
  * make: don't treat cert.S specially
  * shim: use SHIM_DEVEL_VERBOSE when built in devel mode
  * Break out of the inner sbat loop if we find the entry.
  * Support loading additional certificates
  * Add support for NX (W^X) mitigations.
  * Fix preserve_sbat_uefi_variable() logic
  * SBAT Policy latest should be a one-shot
  * pe: Fix a buffer overflow when SizeOfRawData > VirtualSize
  * pe: Perform image verification earlier when loading grub
  * Update advertised sbat generation number for shim
  * Update SBAT generation requirements for 05/24/22
  * Also avoid CVE-2022-28737 in verify_image() by @vathpela

Update to 15.5 (bsc#1198458):

  * Broken ia32 relocs and an unimportant submodule change.
  * mok: allocate MOK config table as BootServicesData
  * Don't call QueryVariableInfo() on EFI 1.10 machines (bsc#1187260)
  * Relax the check for import_mok_state() (bsc#1185261)
  * SBAT.md: trivial changes
  * shim: another attempt to fix load options handling
  * Add tests for our load options parsing.
  * arm/aa64: fix the size of .rela* sections
  * mok: fix potential buffer overrun in import_mok_state
  * mok: relax the maximum variable size check
  * Don't unhook ExitBootServices when EBS protection is disabled
  * fallback: find_boot_option() needs to return the index for the boot entry in
    optnum
  * httpboot: Ignore case when checking HTTP headers
  * Fallback allocation errors
  * shim: avoid BOOTx64.EFI in message on other architectures
  * str: remove duplicate parameter check
  * fallback: add compile option FALLBACK_NONINTERACTIVE
  * Test mok mirror
  * Modify sbat.md to help with readability.
  * csv: detect end of csv file correctly
  * Specify that the .sbat section is ASCII not UTF-8
  * tests: add "include-fixed" GCC directory to include directories
  * pe: simplify generate_hash()
  * Don't make shim abort when TPM log event fails (RHBZ #2002265)
  * Fallback to default loader if parsed one does not exist
  * fallback: Fix for BootOrder crash when index returned
  * Better console checks
  * docs: update SBAT UEFI variable name
  * Don't parse load options if invoked from removable media path
  * fallback: fix fallback not passing arguments of the first boot option
  * shim: Don't stop forever at "Secure Boot not enabled" notification
  * Allocate mokvar table in runtime memory.
  * Remove post-process-pe on 'make clean'
  * pe: missing perror argument

  * CVE-2022-28737: Fixed a buffer overflow when SizeOfRawData > VirtualSize
    (bsc#1198458)

  * Add mokutil command to post script for setting sbat policy to latest mode
    when the SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23 is not created.
    (bsc#1198458)

  * Updated vendor dbx binary and script (bsc#1198458)

  * Updated dbx-cert.tar.xz and vendor-dbx-sles.bin for adding SLES-UEFI-SIGN-
    Certificate-2021-05.crt to vendor dbx list.

  * Updated dbx-cert.tar.xz and vendor-dbx-opensuse.bin for adding openSUSE-
    UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list.
  * Updated vendor-dbx.bin for adding SLES-UEFI-SIGN-Certificate-2021-05.crt and
    openSUSE-UEFI-SIGN-Certificate-2021-05.crt for testing environment.
  * Updated generate-vendor-dbx.sh script for generating a vendor-dbx.bin file
    which includes all .der for testing environment.

  * avoid buffer overflow when copying data to the MOK config table
    (bsc#1185232)

  * Disable exporting vendor-dbx to MokListXRT since writing a large RT variable
    could crash some machines (bsc#1185261)
  * ignore the odd LoadOptions length (bsc#1185232)
  * shim-install: reset def_shim_efi to "shim.efi" if the given file doesn't
    exist
  * relax the maximum variable size check for u-boot (bsc#1185621)
  * handle ignore_db and user_insecure_mode correctly (bsc#1185441, bsc#1187071)

  * Split the keys in vendor-dbx.bin to vendor-dbx-sles and vendor-dbx-opensuse
    for shim-sles and shim-opensuse to reduce the size of MokListXRT
    (bsc#1185261)

  * Also update generate-vendor-dbx.sh in dbx-cert.tar.xz

## Patch Instructions:

To install this SUSE Important update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2023-2086=1

  * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2023-2086=1

  * SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1  
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2023-2086=1

  * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2  
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2023-2086=1

  * SUSE Linux Enterprise Server for SAP Applications 15 SP1  
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2023-2086=1

  * SUSE Linux Enterprise Server for SAP Applications 15 SP2  
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2023-2086=1

  * SUSE Enterprise Storage 7  
    zypper in -t patch SUSE-Storage-7-2023-2086=1

  * SUSE CaaS Platform 4.0  
To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform
you if it detects new updates and let you then trigger updating of the complete
cluster in a controlled way.

## Package List:

  * SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (x86_64)
    * shim-debuginfo-15.7-150100.3.35.1
    * shim-15.7-150100.3.35.1
    * shim-debugsource-15.7-150100.3.35.1
  * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (x86_64)
    * shim-debuginfo-15.7-150100.3.35.1
    * shim-15.7-150100.3.35.1
    * shim-debugsource-15.7-150100.3.35.1
  * SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (x86_64)
    * shim-debuginfo-15.7-150100.3.35.1
    * shim-15.7-150100.3.35.1
    * shim-debugsource-15.7-150100.3.35.1
  * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (x86_64)
    * shim-debuginfo-15.7-150100.3.35.1
    * shim-15.7-150100.3.35.1
    * shim-debugsource-15.7-150100.3.35.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP1 (x86_64)
    * shim-debuginfo-15.7-150100.3.35.1
    * shim-15.7-150100.3.35.1
    * shim-debugsource-15.7-150100.3.35.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP2 (x86_64)
    * shim-debuginfo-15.7-150100.3.35.1
    * shim-15.7-150100.3.35.1
    * shim-debugsource-15.7-150100.3.35.1
  * SUSE Enterprise Storage 7 (x86_64)
    * shim-debuginfo-15.7-150100.3.35.1
    * shim-15.7-150100.3.35.1
    * shim-debugsource-15.7-150100.3.35.1
  * SUSE CaaS Platform 4.0 (x86_64)
    * shim-debuginfo-15.7-150100.3.35.1
    * shim-15.7-150100.3.35.1
    * shim-debugsource-15.7-150100.3.35.1

## References:

  * https://www.suse.com/security/cve/CVE-2022-28737.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1185232
  * https://bugzilla.suse.com/show_bug.cgi?id=1185261
  * https://bugzilla.suse.com/show_bug.cgi?id=1185441
  * https://bugzilla.suse.com/show_bug.cgi?id=1185621
  * https://bugzilla.suse.com/show_bug.cgi?id=1187071
  * https://bugzilla.suse.com/show_bug.cgi?id=1187260
  * https://bugzilla.suse.com/show_bug.cgi?id=1193282
  * https://bugzilla.suse.com/show_bug.cgi?id=1193315
  * https://bugzilla.suse.com/show_bug.cgi?id=1198101
  * https://bugzilla.suse.com/show_bug.cgi?id=1198458
  * https://bugzilla.suse.com/show_bug.cgi?id=1201066
  * https://bugzilla.suse.com/show_bug.cgi?id=1202120
  * https://bugzilla.suse.com/show_bug.cgi?id=1205588
  * https://jira.suse.com/browse/PED-127
  * https://jira.suse.com/browse/PED-1273

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20230508/23c4e12c/attachment.htm>


More information about the sle-updates mailing list