Bug 922931 (CVE-2023-40546, CVE-2023-40547, CVE-2023-40548, CVE-2023-40549, CVE-2023-40550, CVE-2023-40551) - sys-boot/shim: multiple vulnerabilities
Summary: sys-boot/shim: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2023-40546, CVE-2023-40547, CVE-2023-40548, CVE-2023-40549, CVE-2023-40550, CVE-2023-40551
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/rhboot/shim/releas...
Whiteboard: B2 [stable?]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2024-01-25 23:54 UTC by Christopher Fore
Modified: 2024-03-28 00:42 UTC

See Also:
Package list:
Runtime testing required: ---


Description Christopher Fore 2024-01-25 23:54:50 UTC
CVE-2023-40546 mok: fix LogError() invocation

CVE-2023-40547:

A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise.

CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system

CVE-2023-40549 Authenticode: verify that the signature header is in bounds.

CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()

CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries


The above are fixed in 15.8
Comment 1 Christopher Fore 2024-01-25 23:58:55 UTC
CVE-2023-40547 (https://github.com/rhboot/shim/commit/0226b56513b2b8bd5fd281bce77c40c9bf07c66d):

A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise.

The above is also fixed in 15.8
Comment 2 Christopher Fore 2024-02-07 21:31:50 UTC
Currently waiting for upstream (Fedora) to publish a release before we can update our ebuild.

https://bugzilla.redhat.com/show_bug.cgi?id=2259914
Comment 3 Larry the Git Cow gentoo-dev 2024-03-28 00:42:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=504e3442d89171f17e94bbc63cb80b6a80c047cf

commit 504e3442d89171f17e94bbc63cb80b6a80c047cf
Author:     Christopher Fore <csfore@posteo.net>
AuthorDate: 2024-03-27 20:04:38 +0000
Commit:     Rick Farina <zerochaos@gentoo.org>
CommitDate: 2024-03-28 00:41:56 +0000

    sys-boot/shim: add 15.8, security bump
    
    Also fixes some QA warnings (moves S up)
    
    Bug: https://bugs.gentoo.org/922931
    Closes: https://github.com/gentoo/gentoo/pull/35949
    Signed-off-by: Christopher Fore <csfore@posteo.net>
    Signed-off-by: Rick Farina <zerochaos@gentoo.org>

 sys-boot/shim/Manifest         |  3 +++
 sys-boot/shim/shim-15.6.ebuild |  5 ++---
 sys-boot/shim/shim-15.8.ebuild | 29 +++++++++++++++++++++++++++++
 3 files changed, 34 insertions(+), 3 deletions(-)