Date: Fri, 26 Jan 2024 11:52:40 -0800
From: Alan Coopersmith <>
Subject: shim 15.8 released with 6 CVE fixes

The shim 15.8 release says it fixes these CVEs:

   CVE-2023-40546 mok: fix LogError() invocation
   CVE-2023-40547 - avoid incorrectly trusting HTTP headers
   CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
   CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
   CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
   CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries

According to Red Hat's bugzilla, the details on these are:

CVE-2023-40546: Out-of-bounds read printing error messages

A NULL pointer dereference error exists in mirror_one_esl() at mok.c. If shim
fails to create a new ESL variable it tries to log an error message; however,
one of the variables used in the LogError() function doesn't match the format
string and additionally it may be NULL. A successful attack may lead shim to
crash, resulting in a Denial-of-Service.

Upstream bug:
Upstream fix:

CVE-2023-40547: RCE in http boot support may lead to Secure Boot bypass

The MSRC Vulnerability & Mitigations (V&M) team discovered a critical Remote
Code Execution vulnerability in the latest version of the Linux shim.
The shim's http boot support (httpboot.c)
trusts attacker-controlled values when parsing an HTTP response, leading to
a completely controlled out-of-bounds write primitive.

Upstream bug:
Upstream fix:

CVE-2023-40548: Integer overflow leads to heap buffer overflow in
  verify_sbat_section on 32-bit systems

An integer overflow issue exists in shim when compiled for 32-bit processors.
The issue is due to performing addition on a user-controlled value parsed from
the PE being loaded without verifying that the result of the addition does not
overflow. The overflowed value is passed as a size to AllocatePool, and then
the resulting buffer is copied to using the original value, resulting in a
buffer overflow.

Upstream bug:
Upstream fix:

CVE-2023-40549: Out-of-bounds read in verify_buffer_authenticode() malformed
  PE file

An out-of-bounds read issue exists in the verify_buffer_authenticode() function
in shim.c. This issue is due to adding an offset to a pointer and then accessing
the result without proper bounds checking. This bug is reachable by providing a
malformed PE file to shim. This code runs before signature validation of the PE.
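The two defects described above (CVE-2023-40548's unchecked addition on a PE-supplied size, and CVE-2023-40549's pointer-plus-offset access without a bounds check) share one root cause: arithmetic on untrusted PE fields is trusted before it is range-checked. The following is an added, constructed C example, not shim's code; it models 32-bit size arithmetic with uint32_t and shows the unchecked pattern beside the overflow-safe checks a loader should perform before allocating or dereferencing. The function names and the header_len parameter are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

/* On a 32-bit build, size arithmetic is 32 bits wide; uint32_t models
 * that explicitly so the wraparound is visible on a 64-bit host too. */

/* Unchecked pattern (the bug class from the advisory): add a fixed header
 * length to a size read from the PE, then use the sum as an allocation
 * size while the original, larger size drives the copy. */
static bool unchecked_alloc_len(uint32_t section_size, uint32_t header_len,
                                uint32_t *alloc_len)
{
    *alloc_len = section_size + header_len; /* silently wraps mod 2^32 */
    return true;                            /* never rejects anything */
}

/* Hardened form: refuse the section when the addition overflows, so the
 * allocation can never be smaller than the data later copied into it. */
static bool checked_alloc_len(uint32_t section_size, uint32_t header_len,
                              uint32_t *alloc_len)
{
    if (__builtin_add_overflow(section_size, header_len, alloc_len))
        return false;
    return true;
}

/* Bounds check for a [offset, offset + size) region inside a loaded image
 * of image_size bytes, to run before touching image_base + offset.
 * Overflow-safe: it compares size against the remaining space instead of
 * computing offset + size, which could itself wrap. */
static bool region_in_bounds(uint32_t image_size, uint32_t offset,
                             uint32_t size)
{
    if (offset > image_size)
        return false;
    return size <= image_size - offset;
}
```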

Upstream bug:
Upstream fix:

CVE-2023-40550: Out-of-bound read in verify_buffer_sbat()

Score: 5.5
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Desc: Out-of-bound read in verify_buffer_sbat()

There's an out of bound read in shim at verify_buffer_sbat() function, which can
lead to information disclosure.

Upstream bug:
Upstream fix:

CVE-2023-40551: Out-of-bounds read when parsing MZ binaries

Score: 5.1
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H
Desc: out of bounds read when parsing MZ binaries

When handling MZ binaries, crafted PE headers can lead to an out-of-bounds read,
causing shim to crash and possibly exposing sensitive information.

Upstream bug:
Upstream fix:

         -Alan Coopersmith-       
          Oracle Solaris Engineering -
