Update to shim 15.8

Bug #2051151 reported by Mate Kukri
Affects               Status        Importance  Assigned to  Milestone
shim (Debian)         Fix Released  Unknown
shim (Ubuntu)         Fix Released  Undecided   Unassigned
  Focal               Confirmed     Undecided   Mate Kukri
  Jammy               Confirmed     Undecided   Mate Kukri
  Mantic              Won't Fix     Undecided   Mate Kukri
  Noble               Fix Released  Undecided   Unassigned
shim-signed (Ubuntu)  Fix Released  Undecided   Unassigned
  Focal               Confirmed     Undecided   Mate Kukri
  Jammy               Confirmed     Undecided   Mate Kukri
  Mantic              Won't Fix     Undecided   Mate Kukri
  Noble               Fix Released  Undecided   Unassigned

Bug Description

[Impact]

shim 15.7 is affected by multiple CVEs, including a critical severity one allowing Secure Boot bypass when netbooting.

[Test Plan]

Make sure the system is bootable both from disk and network with the new shim on each affected series.

[Where problems could occur]

Boot regressions are always possible when updating such a critical component.

tags: added: upgrade-software-version
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in shim (Ubuntu):
status: New → Confirmed
Changed in shim-signed (Ubuntu):
status: New → Confirmed
Changed in shim (Debian):
status: Unknown → New
Mate Kukri (mkukri)
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim - 15.8-0ubuntu1

---------------
shim (15.8-0ubuntu1) mantic; urgency=medium

  * New upstream version 15.8 (LP: #2051151):
    - pe: Align section size up to page size for mem attrs (LP: #2036604)
    - SBAT level: shim,4
    - SBAT policy:
      - Latest: "shim,4\ngrub,3\ngrub.debian,4\n"
      - Automatic: "shim,2\ngrub,3\ngrub.debian,4\n"
      - Note that this does not yet revoke pre NTFS CVE fix GRUB binaries.
  * SECURITY UPDATE: a bug in an error message [LP: #2051151]
    - mok: fix LogError() invocation
    - CVE-2023-40546
  * SECURITY UPDATE: out-of-bounds write and UEFI Secure Boot bypass
    when booting via HTTP [LP: #2051151]
    - avoid incorrectly trusting HTTP headers
    - CVE-2023-40547
  * SECURITY UPDATE: out-of-bounds write and possible bug [LP: #2051151]
    - Fix integer overflow on SBAT section size on 32-bit system
    - CVE-2023-40548
  * SECURITY UPDATE: out-of-bounds read and possible bug [LP: #2051151]
    - Authenticode: verify that the signature header is in bounds.
    - CVE-2023-40549
  * SECURITY UPDATE: out-of-bounds read and possible bug [LP: #2051151]
    - pe: Fix an out-of-bound read in verify_buffer_sbat()
    - CVE-2023-40550
  * SECURITY UPDATE: out-of-bounds read and possible bug [LP: #2051151]
    - pe-relocate: Fix bounds check for MZ binaries
    - CVE-2023-40551
  * debian/rules: Update COMMIT_ID

 -- Mate Kukri <email address hidden> Thu, 25 Jan 2024 08:55:28 +0000

Changed in shim (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.57

---------------
shim-signed (1.57) mantic; urgency=medium

  * New upstream version 15.8 (LP: #2051151):
    - pe: Align section size up to page size for mem attrs (LP: #2036604)
    - SBAT level: shim,4
    - SBAT policy:
      - Latest: "shim,4\ngrub,3\ngrub.debian,4\n"
      - Automatic: "shim,2\ngrub,3\ngrub.debian,4\n"
      - Note that this does not yet revoke pre NTFS CVE fix GRUB binaries.
  * SECURITY UPDATE: a bug in an error message [LP: #2051151]
    - mok: fix LogError() invocation
    - CVE-2023-40546
  * SECURITY UPDATE: out-of-bounds write and UEFI Secure Boot bypass
    when booting via HTTP [LP: #2051151]
    - avoid incorrectly trusting HTTP headers
    - CVE-2023-40547
  * SECURITY UPDATE: out-of-bounds write and possible bug [LP: #2051151]
    - Fix integer overflow on SBAT section size on 32-bit system
    - CVE-2023-40548
  * SECURITY UPDATE: out-of-bounds read and possible bug [LP: #2051151]
    - Authenticode: verify that the signature header is in bounds.
    - CVE-2023-40549
  * SECURITY UPDATE: out-of-bounds read and possible bug [LP: #2051151]
    - pe: Fix an out-of-bound read in verify_buffer_sbat()
    - CVE-2023-40550
  * SECURITY UPDATE: out-of-bounds read and possible bug [LP: #2051151]
    - pe-relocate: Fix bounds check for MZ binaries
    - CVE-2023-40551
  * Makefile: Add option for building without an externally signed shim

 -- Mate Kukri <email address hidden> Thu, 29 Feb 2024 10:26:43 +0000

Changed in shim-signed (Ubuntu):
status: Confirmed → Fix Released
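The SBAT generation check behind the "SBAT level" and "SBAT policy" lines in the shim and shim-signed changelogs above, written out as an added example (editor's code, not shim's own implementation): it parses a binary's .sbat CSV section and a policy string, and rejects the binary if any component it lists carries a generation lower than the one the policy requires. The two policy strings are copied from the changelog; the .sbat contents below are constructed for the example and do not claim to match any particular shipped binary. On an installed system the section of a real shim or GRUB image can be dumped with `objcopy -O binary --only-section=.sbat <image.efi> sbat.txt` and fed to the same functions, which is a useful companion to the [Test Plan]'s "boots from disk and network" check. Function names such as `sbat_violations` are the example's own.

```python
"""Evaluate a PE binary's .sbat section against an SBAT revocation policy.

Editor's example, not code from shim. It re-implements the comparison shim
performs at boot: for every component the binary lists, if the policy names
that component and the binary's generation is below the policy's generation,
the binary is refused. Components the policy does not mention are not checked.
"""
from dataclasses import dataclass

# Policy strings exactly as listed in the 15.8 changelog on this page.
POLICY_LATEST = "shim,4\ngrub,3\ngrub.debian,4\n"
POLICY_AUTOMATIC = "shim,2\ngrub,3\ngrub.debian,4\n"

# Constructed .sbat section contents (CSV: component, generation, vendor fields).
# These are illustrative and are not copied from any shipped binary.
SHIM_CURRENT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim\n"
)
SHIM_OLDER = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim\n"
)
GRUB_OLDER = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
    "grub.debian,4,Debian,grub2,2.06-13,https://tracker.debian.org/pkg/grub2\n"
)


@dataclass(frozen=True)
class SbatEntry:
    component: str
    generation: int
    vendor_fields: tuple = ()


def parse_sbat(text: str) -> list:
    """Parse CSV lines of the form component,generation[,vendor fields...].

    Blank lines are skipped; a line without a numeric generation is rejected
    rather than silently treated as generation 0.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 2 or not fields[1].isdigit():
            raise ValueError(f"line {lineno}: malformed SBAT entry: {raw!r}")
        entries.append(SbatEntry(fields[0], int(fields[1]), tuple(fields[2:])))
    return entries


def sbat_violations(binary_sbat: str, policy: str) -> list:
    """Return one message per component whose generation is below the policy."""
    required = {e.component: e.generation for e in parse_sbat(policy)}
    violations = []
    for entry in parse_sbat(binary_sbat):
        needed = required.get(entry.component)
        if needed is not None and entry.generation < needed:
            violations.append(
                f"{entry.component}: generation {entry.generation} < required {needed}"
            )
    return violations


def sbat_permits(binary_sbat: str, policy: str) -> bool:
    """True if shim would accept a binary with this .sbat under this policy."""
    return not sbat_violations(binary_sbat, policy)


if __name__ == "__main__":
    samples = {"shim gen 4": SHIM_CURRENT, "shim gen 3": SHIM_OLDER, "grub gen 2": GRUB_OLDER}
    for name, sbat in samples.items():
        for pname, policy in (("Latest", POLICY_LATEST), ("Automatic", POLICY_AUTOMATIC)):
            verdict = sbat_violations(sbat, policy) or ["permitted"]
            print(f"{name:10} under {pname:9}: {'; '.join(verdict)}")
```

The run shows the difference between the two policies the changelog lists: under "Latest" a shim entry with generation 3 is refused (shim,4 is required), while "Automatic" still accepts it because it only requires shim,2; a GRUB entry at generation 2 is refused under both because both require grub,3. Header lines such as sbat,1 pass because the policy does not name that component.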
Revision history for this message
Mate Kukri (mkukri) wrote :

Targeting to series with Noble marked 'Fix Released'.

Next steps are updating this bug to follow the SRU template, and prepare SRUs for the marked series.

ESM updates could potentially be required later.

Changed in shim (Ubuntu Focal):
assignee: nobody → Mate Kukri (mkukri)
Changed in shim (Ubuntu Jammy):
assignee: nobody → Mate Kukri (mkukri)
Changed in shim (Ubuntu Mantic):
assignee: nobody → Mate Kukri (mkukri)
Changed in shim-signed (Ubuntu Focal):
assignee: nobody → Mate Kukri (mkukri)
Changed in shim-signed (Ubuntu Jammy):
assignee: nobody → Mate Kukri (mkukri)
Changed in shim-signed (Ubuntu Mantic):
assignee: nobody → Mate Kukri (mkukri)
Mate Kukri (mkukri)
description: updated
Changed in shim (Debian):
status: New → Fix Committed
Changed in shim (Debian):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in shim (Ubuntu Focal):
status: New → Confirmed
Changed in shim (Ubuntu Jammy):
status: New → Confirmed
Changed in shim (Ubuntu Mantic):
status: New → Confirmed
Changed in shim-signed (Ubuntu Focal):
status: New → Confirmed
Changed in shim-signed (Ubuntu Jammy):
status: New → Confirmed
Changed in shim-signed (Ubuntu Mantic):
status: New → Confirmed
Revision history for this message
Brian Murray (brian-murray) wrote :

Ubuntu 23.10 (Mantic Minotaur) has reached end of life, so this bug will not be fixed for that specific release.

Changed in shim (Ubuntu Mantic):
status: Confirmed → Won't Fix
Changed in shim-signed (Ubuntu Mantic):
status: Confirmed → Won't Fix