Diffstat (limited to 'debian/patches')
3 files changed, 91 insertions, 0 deletions
diff --git a/debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch b/debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
new file mode 100644
index 00000000..25977c16
--- /dev/null
+++ b/debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
@@ -0,0 +1,42 @@
+From 63edf92f8ae11b884bc7d24aecb8229cbc4ae014 Mon Sep 17 00:00:00 2001
+From: Julian Andres Klode <julian.klode@canonical.com>
+Date: Fri, 5 Apr 2024 21:57:07 +0200
+Subject: [PATCH 1/2] sbat: Add grub.peimage,2 to latest (CVE-2024-2312)
+
+Add the previous latest level to the switch for automatic.
+
+Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
+---
+ include/sbat_var_defs.h | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/include/sbat_var_defs.h b/include/sbat_var_defs.h
+index f8cba029..04d708f2 100644
+--- a/include/sbat_var_defs.h
++++ b/include/sbat_var_defs.h
+@@ -47,6 +47,8 @@
+ #define SBAT_VAR_AUTOMATIC_REVOCATIONS "shim,2\ngrub,3\n"
+ #elif SBAT_AUTOMATIC_DATE == 2023012900
+ #define SBAT_VAR_AUTOMATIC_REVOCATIONS "shim,2\ngrub,3\ngrub.debian,4\n"
++#elif SBAT_AUTOMATIC_DATE == 2024010900
++#define SBAT_VAR_AUTOMATIC_REVOCATIONS "shim,4\ngrub,3\ngrub.debian,4\n"
+ #else
+ #error "Unknown SBAT_AUTOMATIC_DATE"
+ #endif /* SBAT_AUTOMATIC_DATE == */
+@@ -56,10 +58,10 @@
+ SBAT_VAR_AUTOMATIC_REVOCATIONS
+ 
+ /*
+- * Revocations for January 2024 shim CVEs
++ * Revocations for January 2024 shim CVEs + Debian/Ubuntu (peimage) CVE-2024-2312
+ */
+-#define SBAT_VAR_LATEST_DATE "2024010900"
+-#define SBAT_VAR_LATEST_REVOCATIONS "shim,4\ngrub,3\ngrub.debian,4\n"
++#define SBAT_VAR_LATEST_DATE "2024040500"
++#define SBAT_VAR_LATEST_REVOCATIONS "shim,4\ngrub,3\ngrub.debian,4\ngrub.peimage,2\n"
+ #define SBAT_VAR_LATEST \
+ SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
+ SBAT_VAR_LATEST_REVOCATIONS
+-- 
+2.39.2
+
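Review bot: The new `#elif SBAT_AUTOMATIC_DATE == 2024010900` arm in the inner `@@ -47,6 +47,8 @@` hunk becomes the only record of what the January 2024 automatic level revokes once the commented LATEST block moves on, yet like the earlier arms it carries no note of which CVE batch the date stands for; a line such as `/* 2024010900: January 2024 shim CVEs (shim,4) */` above it would let the next bump verify the copy against its source. The string is a verbatim copy of the `SBAT_VAR_LATEST_REVOCATIONS` value this same patch removes, which matches the commit message, so the copy itself looks correct. Since this lands as a Debian patch file, a DEP-3 `Forwarded:` or `Origin:` field would also record whether the change is upstream-bound or Debian-only; the git headers alone do not say.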
diff --git a/debian/patches/0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch b/debian/patches/0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
new file mode 100644
index 00000000..f1c3028d
--- /dev/null
+++ b/debian/patches/0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
@@ -0,0 +1,47 @@
+From 3e1394e8e6fd0071a69196230f991612a960c154 Mon Sep 17 00:00:00 2001
+From: Julian Andres Klode <julian.klode@canonical.com>
+Date: Tue, 9 Apr 2024 18:55:12 +0200
+Subject: [PATCH 2/2] sbat: Also bump latest for grub,4 (and to todays date)
+
+Back in January we decided to bump the SBAT level for the shim
+CVE without bumping the grub level for the previous NTFS issues
+- CVE-2023-4692 CVE-2023-4693 - as not every vendor was signing
+the ntfs module.
+
+Catch up on this revocation to ensure it doesn't get lost. Doing
+so also allows us to remove the grub.debian,4 revocation as this
+happened before grub,4 and hence is obsolete.
+
+Also bump the date of the sbat variable to today's. Don't copy
+the April 5 one to a previous selection, as it wasn't shipped
+to anyone.
+
+Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
+---
+ include/sbat_var_defs.h | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/include/sbat_var_defs.h b/include/sbat_var_defs.h
+index 04d708f2..5c7115b9 100644
+--- a/include/sbat_var_defs.h
++++ b/include/sbat_var_defs.h
+@@ -58,10 +58,13 @@
+ SBAT_VAR_AUTOMATIC_REVOCATIONS
+ 
+ /*
+- * Revocations for January 2024 shim CVEs + Debian/Ubuntu (peimage) CVE-2024-2312
++ * Revocations for:
++ * - January 2024 shim CVEs
++ * - October 2023 grub CVEs
++ * - Debian/Ubuntu (peimage) CVE-2024-2312
+ */
+-#define SBAT_VAR_LATEST_DATE "2024040500"
+-#define SBAT_VAR_LATEST_REVOCATIONS "shim,4\ngrub,3\ngrub.debian,4\ngrub.peimage,2\n"
++#define SBAT_VAR_LATEST_DATE "2024040900"
++#define SBAT_VAR_LATEST_REVOCATIONS "shim,4\ngrub,4\ngrub.peimage,2\n"
+ #define SBAT_VAR_LATEST \
+ SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
+ SBAT_VAR_LATEST_REVOCATIONS
+-- 
+2.39.2
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 00000000..01fd2987
--- /dev/null
+++ b/debian/patches/series
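Review bot: Dropping `grub.debian,4` from `SBAT_VAR_LATEST_REVOCATIONS` in the inner `@@ -58,10 +58,13 @@` hunk rests on an ordering argument that lives only in the commit message, while the new header comment lists the CVE batches but not why a component that the `SBAT_AUTOMATIC_DATE` arms for 2023012900 and 2024010900 still revoke is now absent. Adding a line to the rewritten comment, such as ` * grub.debian,4 is subsumed by grub,4: every grub.debian<4 build predates grub,4`, keeps the rationale next to the value the next maintainer will edit. That argument holds only if no binary signed with grub generation 4 still carries grub.debian below 4; I cannot confirm that from the hunk, so it is worth checking against the signing history before the level ships. The `SBAT_VAR_LATEST_DATE` bump to "2024040900" deliberately gets no matching automatic arm, which the message explains, so that asymmetry is expected.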
@@ -0,0 +1,2 @@
+0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
+0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch |
