From 8edb63e1742552d2a80cc59e62717d9d05ad586c Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 16 Feb 2021 02:42:34 -0500 Subject: [PATCH] import dbxtool-8-5.el8_3.2 --- .dbxtool.metadata | 1 + .gitignore | 1 + .../0001-don-t-use-f-in-dbxtool.service.patch | 28 ++++ ...on-missing-PK-KEK-not-return-error-s.patch | 36 +++++ SOURCES/0003-fix-relop-in-esl_iter_next.patch | 70 +++++++++ SOURCES/dbxtool-8-ccldflags.patch | 45 ++++++ SPECS/dbxtool.spec | 144 ++++++++++++++++++ 7 files changed, 325 insertions(+) create mode 100644 .dbxtool.metadata create mode 100644 .gitignore create mode 100644 SOURCES/0001-don-t-use-f-in-dbxtool.service.patch create mode 100644 SOURCES/0002-Make-quiet-exit-on-missing-PK-KEK-not-return-error-s.patch create mode 100644 SOURCES/0003-fix-relop-in-esl_iter_next.patch create mode 100644 SOURCES/dbxtool-8-ccldflags.patch create mode 100644 SPECS/dbxtool.spec diff --git a/.dbxtool.metadata b/.dbxtool.metadata new file mode 100644 index 0000000..7004fd4 --- /dev/null +++ b/.dbxtool.metadata @@ -0,0 +1 @@ +61da2c3e4ea3411e6379a671b09c14eae6954fe6 SOURCES/dbxtool-8.tar.bz2 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..a159012 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/dbxtool-8.tar.bz2 diff --git a/SOURCES/0001-don-t-use-f-in-dbxtool.service.patch b/SOURCES/0001-don-t-use-f-in-dbxtool.service.patch new file mode 100644 index 0000000..a2a5270 --- /dev/null +++ b/SOURCES/0001-don-t-use-f-in-dbxtool.service.patch @@ -0,0 +1,28 @@ +From 8a6039df37353a3ef9208de0c4d63b611f549922 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Thu, 19 Oct 2017 12:46:53 -0400 +Subject: [PATCH 1/2] *don't* use -f in dbxtool.service + +Use -q to make it quiet but don't try to override it when we think it +won't work. + +Related: rhbz#1489942 + +Signed-off-by: Peter Jones +--- + src/dbxtool.service | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/dbxtool.service b/src/dbxtool.service +index fcfb6e6..1a2a829 100644 +--- a/src/dbxtool.service ++++ b/src/dbxtool.service +@@ -7,4 +7,4 @@ WantedBy=multi-user.target + + [Service] + RemainAfterExit=yes +-ExecStart=/usr/bin/dbxtool -a /usr/share/dbxtool/ -q -f ++ExecStart=/usr/bin/dbxtool -a /usr/share/dbxtool/ -q +-- +2.14.2 + diff --git a/SOURCES/0002-Make-quiet-exit-on-missing-PK-KEK-not-return-error-s.patch b/SOURCES/0002-Make-quiet-exit-on-missing-PK-KEK-not-return-error-s.patch new file mode 100644 index 0000000..c4fa459 --- /dev/null +++ b/SOURCES/0002-Make-quiet-exit-on-missing-PK-KEK-not-return-error-s.patch @@ -0,0 +1,36 @@ +From 946380463bb9a233381fc122a8374806d77b1778 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 23 Oct 2017 09:45:48 -0400 +Subject: [PATCH 2/2] Make quiet exit on missing PK/KEK not return error + status. + +Signed-off-by: Peter Jones +--- + src/dbxtool.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/dbxtool.c b/src/dbxtool.c +index 717c991..b2cb587 100644 +--- a/src/dbxtool.c ++++ b/src/dbxtool.c +@@ -541,13 +541,14 @@ check_pk_and_kek(bool force, bool quiet) + } + } + if (!all_found) { +- if (!quiet) { ++ if (quiet) { ++ if (!force) ++ exit(0); ++ } else { + if (!force) + errx(1, "Not attempting to apply updates."); + warnx("attempting to apply updates anyway."); + } +- if (!force) +- exit(1); + } + } + +-- +2.14.2 + diff --git a/SOURCES/0003-fix-relop-in-esl_iter_next.patch b/SOURCES/0003-fix-relop-in-esl_iter_next.patch new file mode 100644 index 0000000..90c47b3 --- /dev/null +++ b/SOURCES/0003-fix-relop-in-esl_iter_next.patch @@ -0,0 +1,70 @@ +From 50b302ea7b6bd41c38d50b2af9d89af5f715068a Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Wed, 16 May 2018 14:06:48 +0200 +Subject: [PATCH] fix relop in esl_iter_next() + +esl_iter_next() seeks to the next EFI_SIGNATURE_LIST object in the +signature database that's being processed. + +- The position of the current (just processed) EFI_SIGNATURE_LIST object + in the signature database is "iter->offset". + +- The size of the same is in "iter->esl->SignatureListSize". + +- The size of the whole signature dabatase (containing the current + EFI_SIGNATURE_LIST) is in "iter->len". + +Thus, we need to advance "iter->offset" by "iter->esl->SignatureListSize", +to reach the next EFI_SIGNATURE_LIST object. + +While advancing, we must not exceed the whole signature database. In other +words, the (exclusive) end of the just processed EFI_SIGNATURE_LIST object +is required to precede, or equal, the (exclusive) end of the signature +database. Hence the "good" condition is: + + iter->offset + iter->esl->SignatureListSize <= iter->len + +The "bad" condition is the negation of the above: + + iter->offset + iter->esl->SignatureListSize > iter->len + +Because we don't trust "iter->esl->SignatureListSize" (since that was +simply read from the binary blob, not computed by ourselves), we don't +want to add to it or subtract from it (integer overflow!), we just want to +use it naked for comparison. So we subtract "iter->offset" from both +sides: "iter->offset" and "iter->len" are known-good because we've checked +and computed them all along, so we can perform integer operations on them. +After the subtraction, we have the following condition for *bad*: + + iter->esl->SignatureListSize > iter->len - iter->offset + +Another way to put the same condition, for *bad*, is to swing the sides +around the relop (giving a spin to the relop as well): + + iter->len - iter->offset < iter->esl->SignatureListSize + +The controlling expression in esl_iter_next() is just this, except for the +typo in the relational operator. Fix it. + +Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1508808 +Signed-off-by: Laszlo Ersek +--- + src/iter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/iter.c b/src/iter.c +index 45ee059e74c..f19166ab276 100644 +--- a/src/iter.c ++++ b/src/iter.c +@@ -222,7 +222,7 @@ esl_iter_next(esl_iter *iter, efi_guid_t *type, + vprintf("Getting next EFI_SIGNATURE_LIST\n"); + efi_guid_t type; + esl_get_type(iter, &type); +- if (iter->len - iter->offset > iter->esl->SignatureListSize) { ++ if (iter->len - iter->offset < iter->esl->SignatureListSize) { + warnx("EFI Signature List is malformed"); + errx(1, "list has %zd bytes left, element is %"PRIu32" bytes", + iter->len - iter->offset, +-- +2.29.2 + diff --git a/SOURCES/dbxtool-8-ccldflags.patch b/SOURCES/dbxtool-8-ccldflags.patch new file mode 100644 index 0000000..099f9a6 --- /dev/null +++ b/SOURCES/dbxtool-8-ccldflags.patch @@ -0,0 +1,45 @@ +From f229181c015f7353602e6b32e6ed61f9b47480ae Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20=C5=A0abata?= +Date: Thu, 12 Apr 2018 12:58:51 +0200 +Subject: [PATCH] Respect environment CCLDFLAGS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Allow passing custom flags for the linker. + +Signed-off-by: Petr Šabata +--- + Make.defaults | 2 +- + src/Makefile | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Make.defaults b/Make.defaults +index 9bfa5b2..1030be9 100644 +--- a/Make.defaults ++++ b/Make.defaults +@@ -14,7 +14,7 @@ BUILDFLAGS = $(CFLAGS) -fPIC -fshort-wchar -fno-strict-aliasing \ + --param=ssp-buffer-size=4 -fexceptions + ASFLAGS = + LDFLAGS = -nostdlib +-CCLDFLAGS = -shared ++CCLDFLAGS += -shared + INSTALL = install + COMPILER ?= + +diff --git a/src/Makefile b/src/Makefile +index 1a6277a..669bfab 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -6,7 +6,7 @@ include $(TOPDIR)/Make.defaults + PKLIBS = efivar + LIBS = popt + LDFLAGS = +-CCLDFLAGS = $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-L $(pklib))) ++CCLDFLAGS += $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-L $(pklib))) + BUILDFLAGS += $(foreach pklib,$(PKLIBS), $(shell pkg-config --cflags $(pklib))) + + TARGETS = dbxtool +-- +2.17.0 + diff --git a/SPECS/dbxtool.spec b/SPECS/dbxtool.spec new file mode 100644 index 0000000..00edfc4 --- /dev/null +++ b/SPECS/dbxtool.spec @@ -0,0 +1,144 @@ +Name: dbxtool +Version: 8 +Release: 5%{?dist}.2 +Summary: Secure Boot DBX updater +License: GPLv2 +URL: https://github.com/vathpela/dbxtool +ExclusiveArch: i386 x86_64 aarch64 +BuildRequires: popt-devel git systemd +BuildRequires: efivar-devel >= 31-3 +Requires: efivar >= 31-3 +Requires(post): systemd +Requires(preun):systemd +Source0: https://github.com/vathpela/dbxtool/releases/download/dbxtool-%{version}/dbxtool-%{version}.tar.bz2 +Patch0000: %{name}-8-ccldflags.patch +Patch0001: 0001-don-t-use-f-in-dbxtool.service.patch +Patch0002: 0002-Make-quiet-exit-on-missing-PK-KEK-not-return-error-s.patch +Patch0003: 0003-fix-relop-in-esl_iter_next.patch + +%description +This package contains DBX updates for UEFI Secure Boot. + +%prep +%setup -q -n %{name}-%{version} +git init +git config user.email "%{name}-owner@fedoraproject.org" +git config user.name "Fedora Ninjas" +git add . +git commit -a -q -m "%{version} baseline." +git am %{patches} - 8-5.el8_3.2 +- Enable manual gating + Related: rhbz#1681753 + Related: rhbz#1912474 + +* Fri Jan 15 2021 Javier Martinez Canillas - 8-5.el8_3.1 +- Fix 'EFI Signature List is malformed' error (lersek) + Resolves: rhbz#1912474 + +* Thu Apr 12 2018 Petr Šabata - 8-5 +- Fix build flags injection (rhbz#1548123) + +* Wed Feb 07 2018 Fedora Release Engineering - 8-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Mon Oct 23 2017 Peter Jones - 8-3 +- Also don't return error if we're using --quiet and PK/KEK are absent. + Resolves: rhbz#1489942 + +* Thu Oct 19 2017 Peter Jones - 8-2 +- Don't use -f in dbxtool.service; that'll make it do the thing we're + trying to avoid. + Resolves: rhbz#1489942 + +* Wed Oct 18 2017 Peter Jones - 8-1 +- Update to dbxtool 8 +- Make a "make coverity" rule to scan the source + Results at: https://scan.coverity.com/projects/rhboot-dbxtool +- Don't try to apply anything if PK and KEK aren't enrolled +- Add --force and --quiet for the PK/KEK checker, and use them in the + systemd service. + Resolves: rhbz#1489942 +- Add a .syntastic_c_config for vim's Syntastic modules +- Use tsearch()/tfind()/tdestroy() from libc instead of ccan htables +- Don't open the dbx file with O_RDWR|O_CREAT, use O_RDONLY. +- Lots of minor bug fixes gcc -Wextra and friends found. + +* Wed Aug 02 2017 Fedora Release Engineering - 7-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 7-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sat Jul 08 2017 Peter Jones - 7-4 +- Rebuild for efivar-31-1.fc26 + Related: rhbz#1468841 + +* Fri Feb 10 2017 Fedora Release Engineering - 7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Wed Aug 17 2016 Peter Jones - 7-2 +- Rebuild for newer efivar. + +* Wed Aug 10 2016 Peter Jones - 7-1 +- Update to version 7 +- Add new dbxupdate.bin for CVE-2016-3320 and + https://support.microsoft.com/en-us/kb/3179577 + +* Wed Feb 03 2016 Fedora Release Engineering - 0.6-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Jun 17 2015 Fedora Release Engineering - 0.6-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Mon Feb 23 2015 Peter Jones - 0.6-4 +- Zbigniew Jędrzejewski-Szmek was kind enough to audit the systemd service, + and had some suggestions, as did Harald Hoyer and Lennart Poettering. + Related: rhbz#1181568 + +* Tue Dec 09 2014 Peter Jones - 0.6-3 +- Add systemd scriptlets for the service. + +* Thu Oct 09 2014 Peter Jones - 0.6-2 +- Require efivar >= 0.14-1 specifically. + +* Wed Oct 08 2014 Peter Jones - 0.6-1 +- Update to 0.6 +- make "dbxtool -l" correctly show not-well-known guids. + +* Tue Oct 07 2014 Peter Jones - 0.5-1 +- Update to 0.5: +- make applying to dbx when it doesn't exist work (lersek) +- make displaying KEK work right + +* Wed Aug 20 2014 Peter Jones - 0.4-1 +- First packaging attempt.