INSTALL FAILS: Upcoming update for shim requires confirmation on reboot


INSTALL FAILS: Upcoming update for shim requires confirmation on reboot

Patrick Shanahan-2
* Johannes Segitz <[hidden email]> [01-16-15 09:09]:
> we will release a security update for shim next week that fixes three
> security issues, tracked in bnc#889332:

> - OOB read access when parsing DHCPv6 packets (remote DoS) (CVE-2014-3675).
> - Heap overflow when parsing IPv6 addresses provided by tftp:// DHCPv6 boot
>   option (RCE) (CVE-2014-3676).
> - Memory corruption when processing user provided MOK lists (CVE-2014-3677).
>
> Because of those issues we update shim to version 0.7.318.81ee561d. This
> version includes a patch that requires the user to confirm a dialog once
> on the first boot after the update is installed. You will need to be able
> to confirm this dialog, which appears before the bootloader, or your system
> will not boot. This only affects users that are still on openSUSE 13.1 and
> use a secure boot setup. You can check with 'bootctl' if you're using a
> secure boot configuration if you're not sure.


Installation fails on my 13.1 server.
Hangs at:  + /sbin/update-bootloader --reinit


Logs:

08:29 wahoo: /var/cache/zypp/packages/repo-update/x86_64 # rpm -Uhvvv ./shim-0.7.318.81ee561d-7.2.x86_64.rpm
D: ============== ./shim-0.7.318.81ee561d-7.2.x86_64.rpm
D: loading keyring from pubkeys in /var/lib/rpm/pubkeys/*.key
D: couldn't find any keys in /var/lib/rpm/pubkeys/*.key
D: loading keyring from rpmdb
D: opening  db environment /var/lib/rpm cdb:private:0x201
D: opening  db index       /var/lib/rpm/Packages 0x400 mode=0x0
D: locked   db index       /var/lib/rpm/Packages
D: opening  db index       /var/lib/rpm/Name nofsync:0x400 mode=0x0
D:  read h#       1 Header SHA1 digest: OK (b0d86230a3899ea0e94d19d76dfc7a9700fca8c5)
D: added key gpg-pubkey-307e3d54-4be01a65 to keyring
D:  read h#    1310 Header SHA1 digest: OK (1469533e8536aa7267f6567bbdc17415c8547785)
D: added key gpg-pubkey-392ffa88-51f00be3 to keyring
D:  read h#    1396 Header SHA1 digest: OK (0238a3db899f61935a55058a369d6763351a1386)
D: added key gpg-pubkey-9591c39b-51971adb to keyring
D:  read h#    1708 Header SHA1 digest: OK (cda5c10fb660a86cf544f1585c79dc83f951cae3)
D: added key gpg-pubkey-ddcd7f1a-51318b5b to keyring
D:  read h#    1953 Header SHA1 digest: OK (c26f82e18c835b10068e54dbfa94818941ecd435)
D: added key gpg-pubkey-9056621d-50f6ef88 to keyring
D:  read h#    1992 Header SHA1 digest: OK (195ca3394a33f95be4c5a9c5498c55a0f3424f57)
D: added key gpg-pubkey-0f2672c8-50f6b041 to keyring
D:  read h#    2722 Header SHA1 digest: OK (22c19fc0b82edc93ba43a149752cac323eb3284f)
D: added key gpg-pubkey-c0951497-53515432 to keyring
D:  read h#    2723 Header SHA1 digest: OK (3710dbdc7146d5f5e2879c64dfe4b8a1542b865d)
D: added key gpg-pubkey-ee454f98-53515440 to keyring
D:  read h#    2725 Header SHA1 digest: OK (66971eaf91d670b694659a33e42061c5b5467075)
D: added key gpg-pubkey-3dbdc284-53674dd4 to keyring
D:  read h#    2730 Header SHA1 digest: OK (4588eb4871596b18274e6ea8198fc72ba31b5011)
D: added key gpg-pubkey-0ae6233b-53ba5c52 to keyring
D:  read h#    2799 Header SHA1 digest: OK (f69ae5ae97d84ceb4d7845419921d071c276c66a)
D: added key gpg-pubkey-ce4c0d2f-53b4640d to keyring
D:  read h#    2966 Header SHA1 digest: OK (feaa68173c427f2e313f06558ff561275666ba7a)
D: added key gpg-pubkey-bd6d129a-510add01 to keyring
D: Using legacy gpg-pubkey(s) from rpmdb
D: Expected size:       472700 = lead(96)+sigs(772)+pad(4)+data(471828)
D:   Actual size:       472700
D: ./shim-0.7.318.81ee561d-7.2.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D:  read h#     424 Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D:      added binary package [0]
D: found 0 source and 1 binary packages
D: opening  db index       /var/lib/rpm/Conflictname nofsync:0x400 mode=0x0
D: ========== +++ shim-0.7.318.81ee561d-7.2 x86_64/linux 0x0
D: opening  db index       /var/lib/rpm/Basenames nofsync:0x400 mode=0x0
D:  read h#    2981 Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D:  Requires: /bin/bash                                     YES (db files)
D:  Requires: /bin/sh                                       YES (db files)
D: opening  db index       /var/lib/rpm/Providename nofsync:0x400 mode=0x0
D:  read h#    1754 Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D:  Requires: grub2-efi                                     YES (db provides)
D:  read h#     579 Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D:  Requires: perl-Bootloader                               YES (db provides)
D:  Requires: /bin/sh                                       YES (cached)
D:  Requires: rpmlib(PayloadFilesHavePrefix) <= 4.0-1       YES (rpmlib provides)
D:  Requires: rpmlib(CompressedFileNames) <= 3.0.4-1        YES (rpmlib provides)
D:  Requires: rpmlib(PayloadIsLzma) <= 4.4.6-1              YES (rpmlib provides)
D: opening  db index       /var/lib/rpm/Obsoletename nofsync:0x400 mode=0x0
D: ========== --- shim-0.2-3.1 x86_64/linux 0x0
D: opening  db index       /var/lib/rpm/Requirename nofsync:0x400 mode=0x0
D: ========== recording tsort relations
D: ========== tsorting packages (order, #predecessors, #succesors, depth)
D:     0    0    0    1   +shim-0.7.318.81ee561d-7.2.x86_64
D:     1    0    0    1   -shim-0.2-3.1.x86_64
D: installing binary packages
D: Selinux disabled.
D: closed   db index       /var/lib/rpm/Obsoletename
D: closed   db index       /var/lib/rpm/Conflictname
D: closed   db index       /var/lib/rpm/Providename
D: closed   db index       /var/lib/rpm/Requirename
D: closed   db index       /var/lib/rpm/Basenames
D: closed   db index       /var/lib/rpm/Name
D: closed   db index       /var/lib/rpm/Packages
D: closed   db environment /var/lib/rpm
D: opening  db environment /var/lib/rpm cdb:private:0x201
D: opening  db index       /var/lib/rpm/Packages (none) mode=0x42
D: locked   db index       /var/lib/rpm/Packages
D: sanity checking 2 elements
D: opening  db index       /var/lib/rpm/Name nofsync mode=0x42
D:  read h#     424 Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D: running pre-transaction scripts
D: computing 20 file fingerprints
D: opening  db index       /var/lib/rpm/Basenames nofsync mode=0x42
D: opening  db index       /var/lib/rpm/Group nofsync mode=0x42
D: opening  db index       /var/lib/rpm/Requirename nofsync mode=0x42
D: opening  db index       /var/lib/rpm/Providename nofsync mode=0x42
D: opening  db index       /var/lib/rpm/Conflictname nofsync mode=0x42
D: opening  db index       /var/lib/rpm/Obsoletename nofsync mode=0x42
D: opening  db index       /var/lib/rpm/Triggername nofsync mode=0x42
D: opening  db index       /var/lib/rpm/Dirnames nofsync mode=0x42
D: opening  db index       /var/lib/rpm/Installtid nofsync mode=0x42
D: opening  db index       /var/lib/rpm/Sigmd5 nofsync mode=0x42
D: opening  db index       /var/lib/rpm/Sha1header nofsync mode=0x42
Preparing...                          D: computing file dispositions
D: 0x0000fd01     4096     11598826      3150267 /
D: 0x0000fd02     4096      3817577      1301974 /var
################################# [100%]
D: ========== +++ shim-0.7.318.81ee561d-7.2 x86_64-linux 0x0
D: Expected size:       472700 = lead(96)+sigs(772)+pad(4)+data(471828)
D:   Actual size:       472700
D: shim-0.7.318.81ee561d-7.2.x86_64: Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D:   install: shim-0.7.318.81ee561d-7.2 has 12 files
Updating / installing...
   1:shim-0.7.318.81ee561d-7.2        D: ========== Directories not explicitly included in package:
D:          0 /etc/
D:          3 /usr/lib64/
D:          5 /usr/sbin/
D:          6 /usr/share/doc/packages/
D: ==========
D: create     040755  3 (   0,   0)     0 /etc/uefi
D: create     040755  2 (   0,   0)     0 /etc/uefi/certs
D: create     100644  1 (   0,   0)  1144 /etc/uefi/certs/4659838C.crt;54c0fb6d
D: create     040755  2 (   0,   0)     0 /usr/lib64/efi
D: create     100644  1 (   0,   0)1283752 /usr/lib64/efi/MokManager.efi;54c0fb6d
D: create     100644  1 (   0,   0) 64512 /usr/lib64/efi/fallback.efi;54c0fb6d
D: create     100444  1 (   0,   0)  1144 /usr/lib64/efi/shim-opensuse.der;54c0fb6d
D: create     100755  1 (   0,   0)1294048 /usr/lib64/efi/shim-opensuse.efi;54c0fb6d
################################# [ 50%]
D: create     120777  1 (   0,   0)    17 /usr/lib64/efi/shim.efi;54c0fb6d
D: create     100755  1 (   0,   0)  7868 /usr/sbin/shim-install;54c0fb6d
D: create     040755  2 (   0,   0)     0 /usr/share/doc/packages/shim
D: create     100644  1 (   0,   0)  1411 /usr/share/doc/packages/shim/COPYRIGHT;54c0fb6d
XZDIO:      83 reads,  2655680 total bytes in 0.055314 secs
D: adding "shim" to Name index.
D: adding 12 entries to Basenames index.
D: adding "System/Boot" to Group index.
D: adding 8 entries to Requirename index.
D: adding 2 entries to Providename index.
D: adding 8 entries to Dirnames index.
D: adding 1 entries to Installtid index.
D: adding 1 entries to Sigmd5 index.
D: adding "b345736ed59e558e4179a4e84f1dfee17c4b737b" to Sha1header index.
D: %post(shim-0.7.318.81ee561d-7.2.x86_64): scriptlet start
D: %post(shim-0.7.318.81ee561d-7.2.x86_64): execv(/bin/sh) pid 30193
+ /sbin/update-bootloader --reinit




--
(paka)Patrick Shanahan       Plainfield, Indiana, USA          @ptilopteri
http://en.opensuse.org    openSUSE Community Member    facebook/ptilopteri
http://wahoo.no-ip.org        Photo Album: http://wahoo.no-ip.org/gallery2
Registered Linux User #207535                    @ http://linuxcounter.net
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]
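
The quoted announcement says the first-boot dialog only matters on Secure Boot setups and suggests 'bootctl' to check. As an added example (not part of the thread or of any openSUSE tooling), the same state can be read directly from the UEFI SecureBoot variable before scheduling the update on a machine without console access. It assumes efivarfs is mounted at /sys/firmware/efi/efivars and GNU od is available; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Reads the UEFI SecureBoot variable as exposed by efivarfs.
# File layout: 4 bytes of variable attributes, then 1 data byte (1 = enabled).
# The GUID is the EFI global variable GUID defined by the UEFI specification.
SB_VAR="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# secure_boot_state [FILE] -> prints enabled | disabled | no-efi | unknown
# (hypothetical helper; FILE defaults to the live variable)
secure_boot_state() {
    var="${1:-$SB_VAR}"
    if [ ! -e "$var" ]; then
        # No variable: legacy BIOS boot, or efivarfs is not mounted.
        echo "no-efi"
        return 0
    fi
    # Skip the 4 attribute bytes and read the single data byte as decimal.
    val=$(od -An -tu1 -j4 -N1 "$var" 2>/dev/null | tr -d ' \n')
    case "$val" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;   # truncated or unreadable variable
    esac
}

# needs_console_access [FILE] -> exit status 0 when Secure Boot is enabled,
# i.e. when the confirmation dialog described in the announcement applies.
needs_console_access() {
    [ "$(secure_boot_state "$1")" = "enabled" ]
}

echo "Secure Boot state: $(secure_boot_state)"
```

An "unknown" result means the variable exists but could not be parsed, so treat that host as needing console access until checked by hand.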


Re: INSTALL FAILS: Upcoming update for shim requires confirmation on reboot

Johannes Segitz
On Thu, Jan 22, 2015 at 02:21:51PM -0500, Patrick Shanahan wrote:
> Installation fails on my 13.1 server.
> Hangs at:  + /sbin/update-bootloader --reinit

I just tried to reproduce the problem but couldn't. Please open a bug (and
try if update-bootloader --reinit hangs if you run it manually. It should
not)

Johannes
--
GPG Key E7C81FA0       EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
SUSE LINUX GmbH        Maxfeldstraße 5            90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)


Re: INSTALL FAILS: Upcoming update for shim requires confirmation on reboot

Patrick Shanahan-2
* [hidden email] <[hidden email]> [01-23-15 03:44]:
> On Thu, Jan 22, 2015 at 02:21:51PM -0500, Patrick Shanahan wrote:
> > Installation fails on my 13.1 server.
> > Hangs at:  + /sbin/update-bootloader --reinit
>
> I just tried to reproduce the problem but couldn't. Please open a bug (and
> try if update-bootloader --reinit hangs if you run it manually. It should
> not)

that hangs also :^(

I <ctrl><c> to regain console and:

/sbin/update-bootloader --reinit

^CPerl-Bootloader: 2015-01-23 08:17:32 <3> pbl-0919.2
/Core::RunCommand.1642: Error: Command '/usr/sbin/grub2-mkconfig -o
//boot/grub2/grub.cfg >/var/log/YaST2/y2log_bootloader 2>&1' failed with
//code 2 and output:


will open bug and report here

--
(paka)Patrick Shanahan       Plainfield, Indiana, USA          @ptilopteri
http://en.opensuse.org    openSUSE Community Member    facebook/ptilopteri
http://wahoo.no-ip.org        Photo Album: http://wahoo.no-ip.org/gallery2
Registered Linux User #207535                    @ http://linuxcounter.net


Re: INSTALL FAILS: Upcoming update for shim requires confirmation on reboot

Patrick Shanahan-2
* Patrick Shanahan <[hidden email]> [01-23-15 08:23]:

> * [hidden email] <[hidden email]> [01-23-15 03:44]:
> > On Thu, Jan 22, 2015 at 02:21:51PM -0500, Patrick Shanahan wrote:
> > > Installation fails on my 13.1 server.
> > > Hangs at:  + /sbin/update-bootloader --reinit
> >
> > I just tried to reproduce the problem but couldn't. Please open a bug (and
> > try if update-bootloader --reinit hangs if you run it manually. It should
> > not)
>
> that hangs also :^(
>
> I <ctrl><c> to regain console and:
>
> /sbin/update-bootloader --reinit
>
> ^CPerl-Bootloader: 2015-01-23 08:17:32 <3> pbl-0919.2
> /Core::RunCommand.1642: Error: Command '/usr/sbin/grub2-mkconfig -o
> //boot/grub2/grub.cfg >/var/log/YaST2/y2log_bootloader 2>&1' failed with
> //code 2 and output:
>
>
> will open bug and report here

https://bugzilla.opensuse.org/show_bug.cgi?id=914513

tks
--
(paka)Patrick Shanahan       Plainfield, Indiana, USA          @ptilopteri
http://en.opensuse.org    openSUSE Community Member    facebook/ptilopteri
http://wahoo.no-ip.org        Photo Album: http://wahoo.no-ip.org/gallery2
Registered Linux User #207535                    @ http://linuxcounter.net