SUSE-SU-2024:1461-1

Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2024:1461-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2024:1461-1
Published
2024-04-29T11:19:11Z
Modified
2024-04-29T11:19:11Z
Summary
Security update for shim
Details

This update for shim fixes the following issues:

  • Update shim-install to set the TPM2 SRK algorithm (bsc#1213945)
  • Limit the requirement of fde-tpm-helper-macros to the distro with suse_version 1600 and above (bsc#1219460)

Update to version 15.8:

Security issues fixed:

  • mok: fix LogError() invocation (bsc#1215099, CVE-2023-40546)
  • avoid incorrectly trusting HTTP headers (bsc#1215098, CVE-2023-40547)
  • Fix integer overflow on SBAT section size on 32-bit system (bsc#1215100, CVE-2023-40548)
  • Authenticode: verify that the signature header is in bounds (bsc#1215101, CVE-2023-40549)
  • pe: Fix an out-of-bound read in verify_buffer_sbat() (bsc#1215102, CVE-2023-40550)
  • pe-relocate: Fix bounds check for MZ binaries (bsc#1215103, CVE-2023-40551)

The NX flag is disabled, which is the same as the default value of shim-15.8; hence, there is no need to enable it with this patch now.

  • Generate dbx during build so we don't include binary files in sources
  • Don't require grub so shim can still be used with systemd-boot
  • Update shim-install to fix boot failure of ext4 root file system on RAID10 (bsc#1205855)
  • Adopt the macros from fde-tpm-helper-macros to update the signature in the sealed key after a bootloader upgrade

  • Update shim-install to amend full disk encryption support

    • Adopt TPM 2.0 Key File for grub2 TPM 2.0 protector
    • Use the long name to specify the grub2 key protector
    • cryptodisk: support TPM authorized policies
    • Do not use tpm_record_pcrs unless the command is in command.lst
  • Removed POST_PROCESS_PE_FLAGS=-N from the build command in shim.spec to enable the NX compatibility flag when using post-process-pe, after discussion with grub2 experts by mail. It's useful for further development and testing. (bsc#1205588)

Affected packages

SUSE:Linux Enterprise High Performance Computing 15 SP2-LTSS / shim

Package

Name
shim
Purl
purl:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
15.8-150100.3.38.1

Ecosystem specific

{
    "binaries": [
        {
            "shim": "15.8-150100.3.38.1"
        }
    ]
}

SUSE:Linux Enterprise Server 15 SP2-LTSS / shim

Package

Name
shim
Purl
purl:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
15.8-150100.3.38.1

Ecosystem specific

{
    "binaries": [
        {
            "shim": "15.8-150100.3.38.1"
        }
    ]
}

SUSE:Linux Enterprise Server for SAP Applications 15 SP2 / shim

Package

Name
shim
Purl
purl:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
15.8-150100.3.38.1

Ecosystem specific

{
    "binaries": [
        {
            "shim": "15.8-150100.3.38.1"
        }
    ]
}