[Medium] Patch shim-unsigned-x64 for CVE-2024-13176

[v-smalavathu]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

shim-unsigned-x64: Patch for CVE-2024-13176

Change Log

• new file: SPECS/shim-unsigned-x64/CVE-2024-13176.patch
• modified: SPECS/shim-unsigned-x64/shim-unsigned-x64.spec
• modified: SPECS/shim/shim.spec

Does this affect the toolchain?

NO

Associated issues

• #xxxx

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2024-13176

Test Methodology

• Pipeline build id: xxxx

[v-smalavathu]

The old version code for function "int bn_from_mont_fixed_top(..)" and current version code for function "int BN_from_montgomery(..) is the same.
Attaching snapshots..
Thanks.

[kgodara912]

We are putting dispute for shim-unsigned-aarch64 with reason "For 2.0, we do not build shim, we only take the efi files" as per the CVE page. Are we building these files for x64?

[v-smalavathu]

We are putting dispute for shim-unsigned-aarch64 with reason "For 2.0, we do not build shim, we only take the efi files" as per the CVE page. Are we building these files for x64?

Yes, Initially I was in same impression and asked same thing in "Daily Stand-up [CVS-Updates]" group as shown below snapshot.

But, I got following response from Nikhil Vetteth

-Thanks

[kgodara912]

Buddy build.

[kgodara912]

There are significant differences from the upstream patch. Could you please put a little summary for the changes? Like, is ec_lib.h not part of our version which is fixed in upstream?

[v-smalavathu]

@kgodara912 ,
Here, the summary:

1. The affected files need to change for this CVE from Astrolab as shown below snapshot.
   

2. As shown from "Upstream Reference Patch", file ...crypto/ec/ec_lib.c is not part of affected file in 'Astrolab' snapshot as shown above and this file is not available in our version,

3. The "Upstream Reference Patch" was old patch and function definition bn_from_mont_fixed_top() is not available in our version, Hence, I did back porting the changes to our version to make sure that to get same affect in our version, like
   old version code for function bn_from_mont_fixed_top() is same as function BN_mod_exp_mont() in our version, This difference captured in my first comment in this CVE.
   -Thanks

[kgodara912]

Please address the build failure, it seems that you need to create one shim file as well.

Failed to download ...signed-shim-x86_64-15.8-2.cm2.efi). Error: invalid response: 404. 
Unable to hydrate file: signed-shim-x86_64-15.8-2.cm2.efi 

[v-smalavathu]

signed-shim-x86_64

I couldn't get this issue.
on my local VM, the build and test was successful without any issues.

Here, the logs attached

shim-unsigned-x64-15.8-2.cm2.src.rpm.log

shim-unsigned-x64-15.8-2.cm2.src.rpm.test.log

-Thanks

[v-smalavathu]

@kgodara912 ,
Today, rebased to latest top of tree and tried to rebuild the package shim-unsigned-x64 from scratch and it was successful.
Here, the snapshots and logs attached.

shim-unsigned-x64-15.8-2.cm2.src.rpm.log

shim-unsigned-x64-15.8-2.cm2.src.rpm.test.log

Kindly let me know if I missed something here.
-Thanks

[Kanishk-Bansal]

Build of amd is failing

[v-smalavathu]

Please address the build failure, it seems that you need to create one shim file as well.

Failed to download ...signed-shim-x86_64-15.8-2.cm2.efi). Error: invalid response: 404. 
Unable to hydrate file: signed-shim-x86_64-15.8-2.cm2.efi 

I didn't find the 'signed-shim' package in 'SPECS' folder,

The following package folders are found that related to shim variants.
./SPECS/shim/shim.spec
./SPECS/shim-unsigned/shim-unsigned.spec
./SPECS/shim-unsigned-x64/shim-unsigned-x64.spec
./SPECS/shim-unsigned-aarch64/shim-unsigned-aarch64.spec

I have bumped up version in './SPECS/shim/shim.spec', Here, the current shim Version is '15.8' and Release '1' is matching with ./SPECS/shim-unsigned-x64/shim-unsigned-x64.spec, so, bumped up the version.

The other 2 variants of shim was not matching (as shown below) current version of shim and release, so I didn't bump up.

./SPECS/shim-unsigned/shim-unsigned.spec - current shim Version is '15.4' and Release is '2'
./SPECS/shim-unsigned-aarch64/shim-unsigned-aarch64.spec - current shim Version is '15' and Release is '5'

Is this any issues?
-Thanks

[kgodara912]

Buddy build

[v-smalavathu]

Buddy build

FYI