List: oss-security
Subject: [oss-security] shim 15.8 released with 6 CVE fixes
From: Alan Coopersmith <alan.coopersmith () oracle ! com>
Date: 2024-01-26 19:52:40
Message-ID: ee09edb9-6ce6-42ab-82bc-70f011ca7c88 () oracle ! com

https://github.com/rhboot/shim/releases/tag/15.8 says it fixes these CVEs:

CVE-2023-40546 mok: fix LogError() invocation
CVE-2023-40547 - avoid incorrectly trusting HTTP headers
CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries

According to Red Hat's bugzilla, the details on these are:

CVE-2023-40546: Out-of-bounds read printing error messages

A NULL pointer dereference error exists in mirror_one_esl() at mok.c. If shim
fails to create a new ESL variable it tries to log an error message, however
one of the variables used in the LogError() function doesn't match the format
string and additionally it may be NULL. A successful attack may lead shim to
crash resulting in a Denial-of-Service.

Upstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=2241796
Upstream fix: https://github.com/rhboot/shim/commit/66e6579dbf921152f647a0c16da1d3b2f40861ca
              https://github.com/rhboot/shim/commit/dae82f6bd72cf600e5d48046ec674a441d0f49d7

CVE-2023-40547: RCE in http boot support may lead to Secure Boot bypass

The MSRC Vulnerability & Mitigations (V&M) team discovered a critical Remote
Code Execution vulnerability in the latest version of the Linux shim
(https://github.com/rhboot/shim). The shim's http boot support (httpboot.c)
trusts attacker-controlled values when parsing an HTTP response, leading to
a completely controlled out-of-bounds write primitive.

Upstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=2234589
Upstream fix: https://github.com/rhboot/shim/commit/0226b56513b2b8bd5fd281bce77c40c9bf07c66d

CVE-2023-40548: Integer overflow leads to heap buffer overflow in
verify_sbat_section on 32-bits systems

An integer overflow issue exists in shim when compiled for 32-bit processors.
The issue is due to performing addition on a user-controlled value parsed from
the PE being loaded without verifying that the result of the addition does not
overflow. The overflowed value is passed as a size to AllocatePool, and then
the resulting buffer is copied to using the original value, resulting in a
buffer overflow.

Upstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=2241782
Upstream fix: https://github.com/rhboot/shim/commit/96dccc255b16e9465dbee50b3cef6b3db74d11c8

CVE-2023-40549: Out-of-bounds read in verify_buffer_authenticode() malformed
PE file

An out-of-bounds read issue exists in the verify_buffer_authenticode() function
in shim.c. This issue is due to adding an offset to a pointer and then accessing
the result without proper bounds checking. This bug is reachable by providing a
malformed PE file to shim. This code runs before signature validation of the PE
file.

Upstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=2241797
Upstream fix: https://github.com/rhboot/shim/commit/afdc5039de0a4a3a40162a32daa070f94a883f09

CVE-2023-40550
Score: 5.5
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Desc: Out-of-bound read in verify_buffer_sbat()

There's an out of bound read in shim at verify_buffer_sbat() function, which can
lead to information disclosure.

Upstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=2259915
Upstream fix: https://github.com/rhboot/shim/commit/93ce2552f3e9f71f888a672913bfc0eef255c56d
              https://github.com/rhboot/shim/commit/e7f5fdf53ee68025f3ef2688e2f27ccb0082db83

CVE-2023-40551
Score: 5.1
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H
Desc: out of bounds read when parsing MZ binaries

When handling MZ binaries, crafted PE headers can lead to an out-of-bounds read,
causing shim to crash and possibly exposing sensitive information.

Upstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=2259918
Upstream fix: https://github.com/rhboot/shim/commit/5a5147d1e19cf90ec280990c84061ac3f67ea1ab

--
-Alan Coopersmith- alan.coopersmith@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
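
Added example, not part of the original message and not shim's code: the bug class described for CVE-2023-40548 (an unchecked addition on a size parsed from the input, used for allocation while the copy uses the original value) next to an overflow-checked form. uint32_t stands in for a 32-bit size type, calloc stands in for AllocatePool, and all function names, the `extra` parameter and the sample bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* uint32_t stands in for a 32-bit size type. All names are hypothetical. */

/* Unchecked pattern: the sum wraps modulo 2^32, so the size handed to the
 * allocator can end up smaller than the length later used for the copy. */
static uint32_t alloc_size_unchecked(uint32_t sec_size, uint32_t extra)
{
    return sec_size + extra;
}

/* Checked pattern: fail when sec_size + extra does not fit in 32 bits. */
static int alloc_size_checked(uint32_t sec_size, uint32_t extra, uint32_t *out)
{
    if (sec_size > UINT32_MAX - extra)
        return -1;
    *out = sec_size + extra;
    return 0;
}

/* Copy sec_size bytes into a new buffer with `extra` zeroed trailing bytes.
 * Returns NULL, without reading src, if the size would overflow. */
static uint8_t *copy_section(const uint8_t *src, uint32_t sec_size,
                             uint32_t extra, uint32_t *out_len)
{
    uint32_t total;
    if (alloc_size_checked(sec_size, extra, &total) != 0)
        return NULL;
    uint8_t *buf = calloc(1, total ? total : 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, src, sec_size);
    *out_len = total;
    return buf;
}

int main(void)
{
    const uint8_t sample[4] = { 's', 'b', 'a', 't' };  /* constructed input */
    uint32_t len = 0;
    printf("unchecked 0xFFFFFFFF + 1 = %u\n", (unsigned)alloc_size_unchecked(UINT32_MAX, 1));
    uint8_t *ok = copy_section(sample, 4, 1, &len);
    printf("normal section: %s, len %u\n", ok ? "copied" : "rejected", (unsigned)len);
    printf("oversized section: %s\n", copy_section(sample, UINT32_MAX, 1, &len) ? "copied" : "rejected");
    free(ok);
    return 0;
}
```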