path: root/debian/patches
Age | Commit message | Author
2025-07-07 | T861: add VyOS UEFI CA alongside Debian UEFI CA [HEAD, vyos/current] | Christian Breunig
2024-05-03 | Cherry-pick latest grub revocation patches from upstream shim | Steve McIntyre
0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
2024-05-03 | Switch to 15.8 upstream and drop patches | Steve McIntyre
2023-01-30 | Switch to using the upstream "enable NX" patch | Steve McIntyre
2023-01-29 | Block Debian grub binaries with sbat < 4 (see #1024617) | Steve McIntyre
2023-01-24 | Enable NX support at build time | Steve McIntyre
As required by policy for signing new shim binaries.
2023-01-22 | Switch to new upstream (15.7) | Steve McIntyre
Also import patch to deal with buggy binutils
2022-06-23 | Start packaging updates for the new 15.6 upstream release | Steve McIntyre
Remove all our patches, all upstream now
2022-05-01 | Update the 32-bit format patch after upstream review | Steve McIntyre
2022-04-28 | Add patch headers for our patches now I've pushed PRs | Steve McIntyre
2022-04-28 | Try again on the string format fix | Steve McIntyre
2022-04-28 | Fix format strings for 32-bit builds | Steve McIntyre
2022-04-28 | Try again with includes | Steve McIntyre
2022-04-27 | Start packaging updates for the new 15.51 upstream release | Steve McIntyre
Remove all our patches, all upstream now.
2021-06-22 | In insecure mode, don't abort if we can't create the MokListXRT var | Steve McIntyre
Upstream issue #372. Closes: #989962, #990158
2021-06-22 | Add arm64 patch to tweak section layout and stop crashing problems | Steve McIntyre
Upstream issue #371. Closes: #990082, #990190
2021-04-21 | Don't call QueryVariableInfo() on EFI 1.10 machines | Steve McIntyre
New patch from upstream, don't break old Macs
2021-04-21 | Fix handling of ignore_db and user_insecure_mode | Steve McIntyre
Extra patch from upstream
2021-04-14 | allocate MOK config table as BootServicesData | Steve McIntyre
Another patch from upstream, needed with newer kernels on x86
2021-03-31 | Add one more patch from upstream to fix i386 binary relocations | Steve McIntyre
2021-03-23 | Remove all our outstanding patches | Steve McIntyre
* cast-CHAR8-string-handling.patch no longer needed
* fix-Make.coverity-bashisms.patch went upstream
2021-02-21 | Add new patch cast-CHAR8-string-handling.patch | Steve McIntyre
Cast CHAR8 strings to use (const char *) when using string functions
Looks like gnu-efi definitions of CHAR8 are problematic
2021-02-21 | Trivial change to remove bashisms in Make.coverity | Steve McIntyre
2021-02-21 | Remove all our old patches, no longer needed: | Steve McIntyre
- avoid_null_vsprint.patch
- check_null_sn_ln.patch
- fixup_git.patch
- uname.patch
- use_compare_mem_gcc9.patch
2020-03-24 | Switch to using gcc-9 for builds. Closes: #925826 | Steve McIntyre
Pull upstream commit aaa09b35e73c4a35fc119d225e5241199d7cf5aa to fix an FTBFS.
2019-05-03 | Fix OBJ_create() to tolerate a NULL sn and ln | Steve McIntyre
Cherry-picked fix from upstream MR at https://github.com/rhboot/shim/pull/174/commits/3a9e237b1baddf0d3192755406befb3e9fa5ca80
From: https://github.com/openssl/openssl/commit/f13615c5b828aeb8e3d9bf2545c803633d1c684f
Apply an upstream patch from OpenSSL to tolerate a NULL sn. This avoids a NULL pointer reference in shim.c:verify_eku().
This was discovered because it causes a crash on ARM where, unlike x86, it does not necessarily have memory mapped at 0x0.
Fixes: 6c180c6004ac ("shim: verify Extended Key Usage flags")
Signed-off-by: dann frazier <dann.frazier@canonical.com>
2019-05-03 | VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls | Steve McIntyre
Backport of upstream fix:
VLogError() calculates the size of format strings by using calls to SPrint and VSPrint with a StrSize of 0 and NULL for an output buffer. Unfortunately, this is an incorrect usage of (V)Sprint. A StrSize of "0" is special-cased to mean "there is no limit". So, we end up writing our string to address 0x0.
This was discovered because it causes a crash on ARM where, unlike x86, it does not necessarily have memory mapped at 0x0.
Avoid the (V)Sprint calls altogether by using (V)PoolPrint, which handles the size calculation and allocation for us.
Signed-off-by: Peter Jones <pjones@redhat.com>
Fixes: 25f6fd08cd26 ("try to show errors more usefully.")
[dannf: commit message ]
Signed-off-by: dann frazier <dann.frazier@canonical.com>
2019-02-15 | Add uname.patch to avoid architecture variability | Luca Boccassi
Signed-off-by: Luca Boccassi <bluca@debian.org>
2018-07-24 | debian/patches/fixup_git.patch: don't run git in clean; we're not really in a git tree. | Mathieu Trudel-Lapierre
2018-07-24 | debian/patches/abort_abort_abort.patch: dropped patch, included upstream. | Mathieu Trudel-Lapierre
2017-11-07 | Clean up old patches. | Mathieu Trudel-Lapierre
2017-11-06 | debian/patches/abort_abort_abort.patch: signtool.exe isn't happy with some of the structure of our binary, partly because abort() is thought to be an external symbol, which causes some relocalisations to appear. | Mathieu Trudel-Lapierre
2017-09-29 | Drop buildid_write_return.patch; no longer needed. | Mathieu Trudel-Lapierre
Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
2017-09-13 | Drop PHONY fix patch; merged upstream. | Mathieu Trudel-Lapierre
2017-08-31 | debian/patches/buildid_write_return.patch: workaround our strict compile rules failing the build: make sure write calls check the return value. | Mathieu Trudel-Lapierre
2017-08-29 | debian/patches/fix_makefile_phony.patch: fix a makefile bug causing shim to fail to build, because it gets confused about the .signed efi files. | Mathieu Trudel-Lapierre
2017-08-29 | Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback and MokManager. Also drop debian/patches/sbsigntool-no-pesign: with this change from upstream it is no longer needed. | Mathieu Trudel-Lapierre
2017-08-07 | debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: dropped, included upstream. | Mathieu Trudel-Lapierre
2017-08-07 | debian/patches/sbsigntool-no-pesign: refreshed. | Mathieu Trudel-Lapierre
2017-08-07 | Set DEFAULT_LOADER; this makes second-stage-path unnecessary. | Mathieu Trudel-Lapierre
2017-08-07 | Update changelog/changes for released 0.9+1474479173.6c180c6-1ubuntu1 [0.9+1474479173.6c180c6-1ubuntu1] | Mathieu Trudel-Lapierre
2016-09-22 | * debian/patches/unused-variable: dropped; applied upstream. | Mathieu Trudel-Lapierre
* debian/patches/binutils-version-matching: dropped, fixed upstream.
2016-07-26 | * debian/patches/unused-variable: remove unused variable size. | Mathieu Trudel-Lapierre
* debian/patches/binutils-version-matching: revert d9a4c912 to correctly match objcopy's version on Ubuntu.
2016-07-26 | * Refreshed patches. | Mathieu Trudel-Lapierre
- Remaining patches:
  + second-stage-path
  + sbsigntool-not-pesign
2015-05-12 | More GCC 5 fixes: stdarg.h and other include tweaks, cherry-pick from | Mathieu Trudel-Lapierre
d51739a4.
2015-05-12 | Fix build with GCC 5, forcing -std=gnu89 to not rely on stdint.h | Mathieu Trudel-Lapierre
required by efibind.h, and not found with -nostdinc. (LP: #1429978)
2015-05-06 | debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path: | Mathieu Trudel-Lapierre
refreshed.
2015-05-06 | debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch, | Mathieu Trudel-Lapierre
debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included in the upstream release.
2014-10-08 | * SECURITY UPDATE: heap overflow and out-of-bounds read access when | Steve Langasek
parsing DHCPv6 information
  - debian/patches/CVE-2014-3675.patch: apply proper bounds checking when parsing data provided in DHCPv6 packets.
  - CVE-2014-3675
  - CVE-2014-3676
* SECURITY UPDATE: memory corruption when processing user-provided key lists
  - debian/patches/CVE-2014-3677.patch: detect malformed machine owner key (MOK) lists and ignore them, avoiding possible memory corruption.
  - CVE-2014-3677
2014-10-07 | Update debian/patches/prototypes with some new declarations needed for | Steve Langasek
openssl 0.9.8za update.