Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 922931 (CVE-2023-40546, CVE-2023-40547, CVE-2023-40548, CVE-2023-40549, CVE-2023-40550, CVE-2023-40551)

Summary: <sys-boot/shim-15.8: multiple vulnerabilities
Product: Gentoo Security Reporter: Christopher Fore <csfore>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: ajak, zerochaos
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/rhboot/shim/releases/tag/15.8
See Also: https://github.com/gentoo/gentoo/pull/35949
Whiteboard: B2 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 941219    
Bug Blocks:    

Description Christopher Fore 2024-01-25 23:54:50 UTC 
CVE-2023-40546 mok: fix LogError() invocation

CVE-2023-40547:

A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise.

CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system

CVE-2023-40549 Authenticode: verify that the signature header is in bounds.

CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()

CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries


The above are fixed in 15.8
Comment 1 Christopher Fore 2024-01-25 23:58:55 UTC 
CVE-2023-40547 (https://github.com/rhboot/shim/commit/0226b56513b2b8bd5fd281bce77c40c9bf07c66d):

A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise.

The above is also fixed in 15.8
Comment 2 Christopher Fore 2024-02-07 21:31:50 UTC 
Currently waiting for upstream (Fedora) to publish a release before we can update our ebuild.

https://bugzilla.redhat.com/show_bug.cgi?id=2259914
Comment 3 Larry the Git Cow gentoo-dev 2024-03-28 00:42:06 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=504e3442d89171f17e94bbc63cb80b6a80c047cf

commit 504e3442d89171f17e94bbc63cb80b6a80c047cf
Author:     Christopher Fore <csfore@posteo.net>
AuthorDate: 2024-03-27 20:04:38 +0000
Commit:     Rick Farina <zerochaos@gentoo.org>
CommitDate: 2024-03-28 00:41:56 +0000

    sys-boot/shim: add 15.8, security bump
    
    Also fixes some QA warnings (moves S up)
    
    Bug: https://bugs.gentoo.org/922931
    Closes: https://github.com/gentoo/gentoo/pull/35949
    Signed-off-by: Christopher Fore <csfore@posteo.net>
    Signed-off-by: Rick Farina <zerochaos@gentoo.org>

 sys-boot/shim/Manifest         |  3 +++
 sys-boot/shim/shim-15.6.ebuild |  5 ++---
 sys-boot/shim/shim-15.8.ebuild | 29 +++++++++++++++++++++++++++++
 3 files changed, 34 insertions(+), 3 deletions(-)
Comment 4 Larry the Git Cow gentoo-dev 2025-03-23 09:01:20 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7046d1ba4a06fd37589eb6957c5f38336b3f06d7

commit 7046d1ba4a06fd37589eb6957c5f38336b3f06d7
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2025-03-23 08:47:04 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2025-03-23 09:01:09 +0000

    sys-boot/shim: drop 15.6
    
    Bug: https://bugs.gentoo.org/922931
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 sys-boot/shim/Manifest         |  3 ---
 sys-boot/shim/shim-15.6.ebuild | 29 -----------------------------
 2 files changed, 32 deletions(-)