UbuntuUpdates.org

Package "shim"

Name: shim

Description:

boot loader to chain-load signed boot loaders under Secure Boot
Latest version: 15.8-0ubuntu1
Release: jammy (22.04)
Level: updates
Repository: main

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "shim"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "shim" in Jammy

Repository Area Version
base main 15.4-0ubuntu9
security main 15.7-0ubuntu1

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 15.8-0ubuntu1 2024-08-26 11:07:13 UTC

  shim (15.8-0ubuntu1) mantic; urgency=medium

  * New upstream version 15.8 (LP: #2051151):
    - pe: Align section size up to page size for mem attrs (LP: #2036604)
    - SBAT level: shim,4
    - SBAT policy:
      - Latest: "shim,4\ngrub,3\ngrub.debian,4\n"
      - Automatic: "shim,2\ngrub,3\ngrub.debian,4\n"
      - Note that this does not yet revoke pre NTFS CVE fix GRUB binaries.
  * SECURITY UPDATE: a bug in an error message [LP: #2051151]
    - mok: fix LogError() invocation
    - CVE-2023-40546
  * SECURITY UPDATE: out-of-bounds write and UEFI Secure Boot bypass
    when booting via HTTP [LP: #2051151]
    - avoid incorrectly trusting HTTP headers
    - CVE-2023-40547
  * SECURITY UPDATE: out-of-bounds write and possible bug [LP: #2051151]
    - Fix integer overflow on SBAT section size on 32-bit system
    - CVE-2023-40548
  * SECURITY UPDATE: out-of-bounds read and possible bug [LP: #2051151]
    - Authenticode: verify that the signature header is in bounds.
    - CVE-2023-40549
  * SECURITY UPDATE: out-of-bounds read and possible bug [LP: #2051151]
    - pe: Fix an out-of-bound read in verify_buffer_sbat()
    - CVE-2023-40550
  * SECURITY UPDATE: out-of-bounds read and possible bug [LP: #2051151]
    - pe-relocate: Fix bounds check for MZ binaries
    - CVE-2023-40551
  * debian/rules: Update COMMIT_ID

 -- Mate Kukri <email address hidden> Thu, 25 Jan 2024 08:55:28 +0000
Source diff to previous version
CVE-2023-40546 A flaw was found in Shim when an error happened while creating a new ESL variable. If Shim fails to create the new variable, it tries to print an err
CVE-2023-40547 A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This
CVE-2023-40548 A buffer overflow was found in Shim in the 32-bit system. The overflow happens due to an addition operation involving a user-controlled value parsed
CVE-2023-40549 An out-of-bounds read flaw was found in Shim due to the lack of proper boundary verification during the load of a PE binary. This flaw allows an atta
CVE-2023-40550 An out-of-bounds read flaw was found in Shim when it tried to validate the SBAT information. This issue may expose sensitive data during the system's
CVE-2023-40551 A flaw was found in the MZ binary format in Shim. An out-of-bounds read may occur, leading to a crash or possible exposure of sensitive data during t

Version: 15.7-0ubuntu1 2023-02-16 13:07:09 UTC

  shim (15.7-0ubuntu1) kinetic; urgency=medium

  * New upstream version 15.7 (LP: #1996503), highlights:
    - Enable TDX measurements (LP: #1995852)
    - Flush the memory region from i-cache before execution (LP: #1987541)
    - Introspectable SBAT payload for TPM resealing efforts
    - Don't measure MokListTrusted to PCR7
    - SBAT level: shim,3
    - SBAT policy bumped to for grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
      Note that shim requirement was not bumped as shim,2 shims are not
      commonly available yet.
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
    - CVE-2022-28737
  * Rebase patches, only ubuntu-no-addend-vendor-dbx.patch remains
  * Import 20221103 Canonical vendor dbx.
    This vendor dbx revokes all certificates that have been used
    so far.
    - CN = Canonical Ltd. Secure Boot Signing
    - CN = Canonical Ltd. Secure Boot Signing (2017)
    - CN = Canonical Ltd. Secure Boot Signing (ESM 2018)
    - CN = Canonical Ltd. Secure Boot Signing (2019)
    - CN = Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v1)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v2)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v3)
  * Build-Depend on libefivar-dev
  * debian/rules: Update COMMIT_ID

 -- Julian Andres Klode <email address hidden> Fri, 18 Nov 2022 16:00:39 +0100
1996503 shim 15.7-0ubuntu1
1995852 shim TDX enablement
1987541 shim executes GRUB w/ dirty instruction cache on arm64


About   -   Send Feedback to @ubuntu_updates