[Medium] Patch shim-unsigned-x64 for CVE-2024-9143

[v-smalavathu]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

shim-unsigned-x64: Patch for CVE-2024-9143

Change Log

• new file: SPECS/shim-unsigned-x64/CVE-2024-9143.patch
• modified: SPECS/shim-unsigned-x64/shim-unsigned-x64.spec
• modified: SPECS/shim-unsigned-aarch64/shim-unsigned-aarch64.spec
• modified: SPECS/shim/shim.spec

Does this affect the toolchain?

NO

Associated issues

• #xxxx

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2024-9143

Test Methodology

• Pipeline build id: xxxx

[kgodara912]

Check the #13962 and see if requested changes are applicable here as well.

[v-smalavathu]

Check the #13962 and see if requested changes are applicable here as well.

Yes, I updated as per PR #13962 details here too.
Let me know are you expecting other than this.
-Thanks

[v-smalavathu]

@kgodara912,
Here, the Patch summary

1. The affected files need to change for this CVE from Astrolab as shown below snapshot.
   

2. As shown from "Upstream Reference Patch", the file test/ec_internal_test.c is not part of affected file in 'Astrolab' snapshot as shown above and this file is not available in our version,

Kindly let me know if I need to add something here.
-Thanks

[Kanishk-Bansal]

Buddy Build

[akhila-guruju]

@kgodara912, Here, the Patch summary

1. The affected files need to change for this CVE from Astrolab as shown below snapshot.
   
2. As shown from "Upstream Reference Patch", the file test/ec_internal_test.c is not part of affected file in 'Astrolab' snapshot as shown above and this file is not available in our version,

Kindly let me know if I need to add something here. -Thanks

Another information to be noted:
Instead of the line # include <openssl/ec.h> in upstream patch, the macro OPENSSL_ECC_MAX_FIELD_BITS is directly defined (taken from openssl/ec.h which is present in source tarball) in the created patch.

[kgodara912]

As such patch is matching with upstream reference and is applied during build. The macro is taken directly from ec.h though it may change in future but for the current use case, it should be good enough. Package is building and installing fine. We need to get signoff from bootloader team as well.

[kgodara912]

https://github.com/openssl/openssl/blob/master/include/openssl/ec.h#L103