Hughsie/zhangyoufu #5
There are no files selected for viewing
File renamed without changes.
File renamed without changes.
Binary file not shown.
Binary file not shown.
File renamed without changes.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
There was a problem hiding this comment. This update removed There was a problem hiding this comment. AFAIK, CVE-2023-28005 is not related to this release. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <!-- Copyright 2022 Richard Hughes <[email protected]> --> | ||
| <component type="firmware"> | ||
| <id>org.linuxfoundation.dbx.x64.firmware</id> | ||
| <name>Secure Boot dbx</name> | ||
| <name_variant_suffix>x64</name_variant_suffix> | ||
| <summary>UEFI Secure Boot Forbidden Signature Database</summary> | ||
| <description> | ||
| <p> | ||
| Updating the UEFI dbx prevents starting EFI binaries with known security issues. | ||
| </p> | ||
| </description> | ||
| <provides> | ||
| <!-- Microsoft Corporation KEK CA 2011 - | ||
| UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64 --> | ||
| <firmware type="flashed">f8ba2887-9411-5c36-9cee-88995bb39731</firmware> | ||
| </provides> | ||
| <url type="homepage">https://uefi.org/revocationlistfile</url> | ||
| <metadata_license>CC0-1.0</metadata_license> | ||
| <project_license>proprietary</project_license> | ||
| <developer_name>Microsoft Corporation</developer_name> | ||
| <releases> | ||
| <!-- for the version use `fwupdtool firmware-parse foo.bin efi-signature-list` --> | ||
| <release urgency="high" version="183" date="2020-10-12"> | ||
| <checksum filename="DBXUpdate-20201012.x64.bin" target="content"/> | ||
| <description> | ||
| <p> | ||
| An insecure version of software from Cisco has been added to the list of forbidden | ||
| signatures due to a discovered security problem. | ||
| This updates the dbx to the latest release from Microsoft. | ||
| </p> | ||
| <p> | ||
| Before installing the update, fwupd will check for any affected executables | ||
| in the ESP and will refuse to update if it finds any boot binaries signed | ||
| with any of the forbidden signatures. | ||
| </p> | ||
| </description> | ||
| <issues> | ||
| <issue type="cve">CVE-2023-28005</issue> | ||
| </issues> | ||
| </release> | ||
| </releases> | ||
| <requires> | ||
| <id compare="ge" version="1.8.14">org.freedesktop.fwupd</id> | ||
| </requires> | ||
| <custom> | ||
| <value key="LVFS::UpdateProtocol">org.uefi.dbx</value> | ||
| <value key="LVFS::VersionFormat">number</value> | ||
| </custom> | ||
| <categories> | ||
| <category>X-Configuration</category> | ||
| </categories> | ||
| </component> |
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
|
There was a problem hiding this comment. CVE-2023-28005 describes a vulnerability in Trend Micro Endpoint Encryption Full Disk Encryption version 6.0.0.3204 and below. We shouldn't mention it in a DBXUpdate that deals with VMware esx-boot. There was a problem hiding this comment. Agree. Can you include that in your pull request please. I'd be very grateful for any help. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <!-- Copyright 2022 Richard Hughes <[email protected]> --> | ||
| <component type="firmware"> | ||
| <id>org.linuxfoundation.dbx.aa64.firmware</id> | ||
| <name>Secure Boot dbx</name> | ||
| <name_variant_suffix>aa64</name_variant_suffix> | ||
| <summary>UEFI Secure Boot Forbidden Signature Database</summary> | ||
| <description> | ||
| <p> | ||
| Updating the UEFI dbx prevents starting EFI binaries with known security issues. | ||
| </p> | ||
| </description> | ||
| <provides> | ||
| <!-- Microsoft Corporation KEK CA 2011 - | ||
| UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_AA64 --> | ||
| <firmware type="flashed">67d35028-ca5b-5834-834a-f97380381082</firmware> | ||
| </provides> | ||
| <url type="homepage">https://uefi.org/revocationlistfile</url> | ||
| <metadata_license>CC0-1.0</metadata_license> | ||
| <project_license>proprietary</project_license> | ||
| <developer_name>Microsoft Corporation</developer_name> | ||
| <releases> | ||
| <!-- for the version use `fwupdtool firmware-parse foo.bin efi-signature-list` --> | ||
| <release urgency="high" version="22" date="2022-09-07"> | ||
| <checksum filename="DBXUpdate-20220907.aa64.bin" target="content"/> | ||
| <description> | ||
| <p> | ||
| An insecure version of software from VMware has been added to the list of forbidden | ||
| signatures due to a discovered security problem. | ||
| This updates the dbx to the latest release from Microsoft. | ||
| </p> | ||
| <p> | ||
| Before installing the update, fwupd will check for any affected executables | ||
| in the ESP and will refuse to update if it finds any boot binaries signed | ||
| with any of the forbidden signatures. | ||
| </p> | ||
| </description> | ||
| <issues> | ||
| <issue type="cve">CVE-2023-28005</issue> | ||
| </issues> | ||
| </release> | ||
| </releases> | ||
| <requires> | ||
| <id compare="ge" version="1.8.14">org.freedesktop.fwupd</id> | ||
| </requires> | ||
| <custom> | ||
| <value key="LVFS::UpdateProtocol">org.uefi.dbx</value> | ||
| <value key="LVFS::VersionFormat">number</value> | ||
| </custom> | ||
| <categories> | ||
| <category>X-Configuration</category> | ||
| </categories> | ||
| </component> |
Binary file not shown.
|
There was a problem hiding this comment. CVE-2023-28005 describes a vulnerability in Trend Micro Endpoint Encryption Full Disk Encryption version 6.0.0.3204 and below. We shouldn't mention it in a DBXUpdate that deals with VMware esx-boot. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <!-- Copyright 2022 Richard Hughes <[email protected]> --> | ||
| <component type="firmware"> | ||
| <id>org.linuxfoundation.dbx.x64.firmware</id> | ||
| <name>Secure Boot dbx</name> | ||
| <name_variant_suffix>x64</name_variant_suffix> | ||
| <summary>UEFI Secure Boot Forbidden Signature Database</summary> | ||
| <description> | ||
| <p> | ||
| Updating the UEFI dbx prevents starting EFI binaries with known security issues. | ||
| </p> | ||
| </description> | ||
| <provides> | ||
| <!-- Microsoft Corporation KEK CA 2011 - | ||
| UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64 --> | ||
| <firmware type="flashed">f8ba2887-9411-5c36-9cee-88995bb39731</firmware> | ||
| </provides> | ||
| <url type="homepage">https://uefi.org/revocationlistfile</url> | ||
| <metadata_license>CC0-1.0</metadata_license> | ||
| <project_license>proprietary</project_license> | ||
| <developer_name>Microsoft Corporation</developer_name> | ||
| <releases> | ||
| <!-- for the version use `fwupdtool firmware-parse foo.bin efi-signature-list` --> | ||
| <release urgency="high" version="218" date="2022-09-07"> | ||
| <checksum filename="DBXUpdate-20220907.x64.bin" target="content"/> | ||
| <description> | ||
| <p> | ||
| An insecure version of software from VMware has been added to the list of forbidden | ||
| signatures due to a discovered security problem. | ||
| This updates the dbx to the latest release from Microsoft. | ||
| </p> | ||
| <p> | ||
| Before installing the update, fwupd will check for any affected executables | ||
| in the ESP and will refuse to update if it finds any boot binaries signed | ||
| with any of the forbidden signatures. | ||
| </p> | ||
| </description> | ||
| <issues> | ||
| <issue type="cve">CVE-2023-28005</issue> | ||
| </issues> | ||
| </release> | ||
| </releases> | ||
| <requires> | ||
| <id compare="ge" version="1.8.14">org.freedesktop.fwupd</id> | ||
| </requires> | ||
| <custom> | ||
| <value key="LVFS::UpdateProtocol">org.uefi.dbx</value> | ||
| <value key="LVFS::VersionFormat">number</value> | ||
| </custom> | ||
| <categories> | ||
| <category>X-Configuration</category> | ||
| </categories> | ||
| </component> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hughsie marked this conversation as resolved.
Show resolved
Hide resolved
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You must obtained this file from WinSxS directory. I found two samples that match your date & time.
You can find win32 FILETIME in
_manifest_.cix.xmlfile, and a little-endian uint64 after thePA30magic string in the delta file.This one contains
x86_microsoft-windows-s..boot-firmwareupdate_31bf3856ad364e35_6.2.9200.16895_none_b16766b7d6f0546cwith130419008663852453(2014-04-13 22:14:26).This one contains
amd64_microsoft-windows-s..boot-firmwareupdate_31bf3856ad364e35_6.2.9200.16895_none_0d86023b8f4dc5a2with130419008688273408(2014-04-13 22:14:28).I would prefer to use KB / UEFI Forum release date, instead of mtime of dbxupdate.bin file which may be days or months before the release date. Every single KB comes with many msu/cab with different mtime. It's messy.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, that works for me. Would you mind submitting a pull request to this branch to fix this up please?