efi-boot-shim.git - (mirror of https://github.com/vyos/efi-boot-shim.git)

Age	Commit message (Collapse)	Author
2021-04-21	Don't call QueryVariableInfo() on EFI 1.10 machines	Steve McIntyre
	New patch from upstream, don't break old Macs
2021-04-21	Fix handling of ignore_db and user_insecure_mode	Steve McIntyre
	Extra patch from upstream
2021-04-14	allocate MOK config table as BootServicesData	Steve McIntyre
	Another patch from upstream, needed with newer kernels on x86
2021-03-31	Add one more patch from upstream to fix i386 binary relocations	Steve McIntyre

2021-03-23	Remove all out outstanding patches	Steve McIntyre
	* cast-CHAR8-string-handling.patch no longer needed * fix-Make.coverity-bashisms.patch went upstream
2021-02-21	Add new patch cast-CHAR8-string-handling.patch	Steve McIntyre
	Cast CHAR8 strings to use (const char *) when using string functions Looks like gnu-efi definitions of CHAR8 are problematic
2021-02-21	Trivial change to remove bashisms in Make.coverity	Steve McIntyre

2021-02-21	Remove all our old patches, no longer needed:	Steve McIntyre
	- avoid_null_vsprint.patch - check_null_sn_ln.patch - fixup_git.patch - uname.patch - use_compare_mem_gcc9.patch
2020-03-24	Switch to using gcc-9 for builds. Closes: #925826	Steve McIntyre
	Pull upstream commit aaa09b35e73c4a35fc119d225e5241199d7cf5aa to fix an FTBFS.
2019-05-03	Fix OBJ_create() to tolerate a NULL sn and ln	Steve McIntyre
	Cherry-picked fix from upstream MR at https://github.com/rhboot/shim/pull/174/commits/3a9e237b1baddf0d3192755406befb3e9fa5ca80 From: https://github.com/openssl/openssl/commit/f13615c5b828aeb8e3d9bf2545c803633d1c684f Apply an upstream patch from OpenSSL to tolerate a NULL sn. This avoids a NULL pointer reference in shim.c:verify_eku(). This was discovered because it causes a crash on ARM where, unlike x86, it does not necessarily have memory mapped at 0x0. Fixes: 6c180c6004ac ("shim: verify Extended Key Usage flags") Signed-off-by: dann frazier <dann.frazier@canonical.com>
2019-05-03	VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls	Steve McIntyre
	Backport of upstream fix: VLogError() calculates the size of format strings by using calls to SPrint and VSPrint with a StrSize of 0 and NULL for an output buffer. Unfortunately, this is an incorrect usage of (V)Sprint. A StrSize of "0" is special-cased to mean "there is no limit". So, we end up writing our string to address 0x0. This was discovered because it causes a crash on ARM where, unlike x86, it does not necessarily have memory mapped at 0x0. Avoid the (V)Sprint calls altogether by using (V)PoolPrint, which handles the size calculation and allocation for us. Signed-off-by: Peter Jones <pjones@redhat.com> Fixes: 25f6fd08cd26 ("try to show errors more usefully.") [dannf: commit message ] Signed-off-by: dann frazier <dann.frazier@canonical.com>
2019-02-15	Add uname.patch to avoid architecture variability	Luca Boccassi
	Signed-off-by: Luca Boccassi <bluca@debian.org>
2018-07-24	debian/patches/fixup_git.patch: don't run git in clean; we're not really in ↵	Mathieu Trudel-Lapierre
	a git tree.
2018-07-24	debian/patches/abort_abort_abort.patch: dropped patch, included upstream.	Mathieu Trudel-Lapierre

2017-11-07	Clean up old patches.	Mathieu Trudel-Lapierre

2017-11-06	debian/patches/abort_abort_abort.patch: signtool.exe isn't happy with some ↵	Mathieu Trudel-Lapierre
	of the structure of our binary, partly because abort() is thought to be an external symbol, which causes some relocalisations to appear.
2017-09-29	Drop buildid_write_return.patch; no longer needed.	Mathieu Trudel-Lapierre
	Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
2017-09-13	Drop PHONY fix patch; merged upstream.	Mathieu Trudel-Lapierre

2017-08-31	debian/patches/buildid_write_return.patch: workaround our strict compile ↵	Mathieu Trudel-Lapierre
	rules failing the build: make sure write calls check the return value.
2017-08-29	debian/patches/fix_makefile_phony.patch: fix a makefile bug causing shim to ↵	Mathieu Trudel-Lapierre
	fail to build, because it gets confused about the .signed efi files.
2017-08-29	Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback and ↵	Mathieu Trudel-Lapierre
	MokManager. Also drop debian/patches/sbsigntool-no-pesign: with this change from upstream it is no longer needed..
2017-08-07	debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: dropped, ↵	Mathieu Trudel-Lapierre
	included upstream.
2017-08-07	debian/patches/sbsigntool-no-pesign: refreshed.	Mathieu Trudel-Lapierre

2017-08-07	Set DEFAULT_LOADER; this makes second-stage-path unnecessary.	Mathieu Trudel-Lapierre

2017-08-07	Update changelog/changes for released 0.9+1474479173.6c180c6-1ubuntu10.9+1474479173.6c180c6-1ubuntu1	Mathieu Trudel-Lapierre

2016-09-22	* debian/patches/unused-variable: dropped; applied upstream.	Mathieu Trudel-Lapierre
	* debian/patches/binutils-version-matching: dropped, fixed upstream.
2016-07-26	* debian/patches/unused-variable: remove unused variable size.	Mathieu Trudel-Lapierre
	* debian/patches/binutils-version-matching: revert d9a4c912 to correctly match objcopy's version on Ubuntu.
2016-07-26	* Refreshed patches.	Mathieu Trudel-Lapierre
	- Remaining patches: + second-stage-path + sbsigntool-not-pesign
2015-05-12	More GCC 5 fixes: stdarg.h and other include tweaks, cherry-pick from	Mathieu Trudel-Lapierre
	d51739a4.
2015-05-12	Fix build with GCC 5, forcing -std=gnu89 to not rely on stdint.h	Mathieu Trudel-Lapierre
	required by efibind.h, and not found with -nostdinc. (LP: #1429978)
2015-05-06	debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:	Mathieu Trudel-Lapierre
	refreshed.
2015-05-06	debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,	Mathieu Trudel-Lapierre
	debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included in the upstream release.
2014-10-08	* SECURITY UPDATE: heap overflow and out-of-bounds read access when	Steve Langasek
	parsing DHCPv6 information - debian/patches/CVE-2014-3675.patch: apply proper bounds checking when parsing data provided in DHCPv6 packets. - CVE-2014-3675 - CVE-2014-3676 * SECURITY UPDATE: memory corruption when processing user-provided key lists - debian/patches/CVE-2014-3677.patch: detect malformed machine owner key (MOK) lists and ignore them, avoiding possible memory corruption. - CVE-2014-3677
2014-10-07	Update debian/patches/prototypes with some new declarations needed for	Steve Langasek
	openssl 0.9.8za update.
2014-10-07	Restore debian/patches/prototypes, which still is needed on shim 0.7	Steve Langasek
	but only detected on the buildds.
2014-10-07	debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick	Steve Langasek
	openssl 0.9.8za in via upstream.
2014-10-07	Drop prototypes patch, apparently not needed upstream	Steve Langasek

2014-10-06	Merge upstream version 0.7	Steve Langasek

2013-09-23	debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to	Steve Langasek
	the netboot code.
2013-09-20	debian/patches/tftp-proper-nul-termination: fix nul termination	Steve Langasek
	errors in filenames passed to tftp.
2013-09-20	Fix remaining compiler warnings in netboot.c.	Steve Langasek

2013-09-20	typo	Steve Langasek

2013-09-20	Build with -Werror to catch future prototype mismatches.	Steve Langasek

2013-09-20	debian/patches/fix-tftp-prototype: pass the right arguments to	Steve Langasek
	EFI_PXE_BASE_CODE_TFTP_READ_FILE.
2013-08-08	Fix for LP: #1087501	Stéphane Graber

2013-07-03	debian/patches/no-output-by-default.patch: Don't print any	Steve Langasek
	informational messages. Closes LP: #1074302.
2013-07-02	Merge upstream release 0.4	Steve Langasek

2012-12-13	debian/patches/sbsigntool-not-pesign: Sign MokManager with	Steve Langasek
	sbsigntool instead of pesign.
2012-12-13	Import new upstream snapshot	Steve Langasek

2012-10-10	debian/patches/shim-before-loadimage: Use direct verification first	Steve Langasek
	before LoadImage. Addresses an issue where Lenovo's SecureBoot implementation pops an error message on any verification failure - avoid calling LoadImage at all unless we have to.