shim 15.8

What's New

* Various CVE fixes:
  CVE-2023-40546 mok: fix LogError() invocation
  CVE-2023-40547 - avoid incorrectly trusting HTTP headers
  CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
  CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
  CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
  CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries

What's Changed

• Make sbat_var.S parse right with buggy gcc/binutils by @vathpela in #535
• Enable the NX compatibility flag by default. by @vathpela in #530
• CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper by @nicholasbishop in #546
• pe: Align section size up to page size for mem attrs by @nicholasbishop in #539
• Don't loop forever in load_certs() with buggy firmware by @rmetrich in #547
• Optionally allow to keep shim protocol installed by @bluca in #565
• Drop invalid calls to CRYPTO_set_mem_functions by @nicholasbishop in #537
• test-sbat: Fix exit code by @nicholasbishop in #540
• Block Debian grub binaries with SBAT < 4 by @steve-mcintyre in #550
• SBAT-related documents formatting and spelling by @aronowski in #566
• Add a security contact email address in README.md by @vathpela in #572
• Add SbatLevel_Variable.txt to document the various revocations by @jsetje in #569
• Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL by @vathpela in #576
• Minor housekeeping by @vathpela in #578
• Test ImageAddress() by @vathpela in #579
• Verify signature before verifying sbat levels by @jsetje in #583
• Add libFuzzer support for csv.c and sbat.c by @vathpela in #584
• mok: Avoid underflow in maximum variable size calculation by @alpernebbi in #587
• Housekeeping by @vathpela in #605
• mok: fix LogError() invocation by @vathpela in #577

New Contributors

• @bluca made their first contribution in #565
• @aronowski made their first contribution in #566
• @alpernebbi made their first contribution in #587

Full Changelog: 15.7...15.8