-
grub2-unsigned (2.06-2ubuntu14.4) jammy; urgency=high
* SECURITY UPDATE: Crafted file system images can cause out-of-bounds write
and may leak sensitive information into the GRUB pager.
- d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-
label.patch:
fs/ntfs: Fix an OOB read when parsing a volume label
- d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-bs-for-
index-at.patch:
fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes
- d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-dory-
entries-fr.patch:
fs/ntfs: Fix an OOB read when parsing directory entries from resident and
non-resident index attributes
- d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-reading-data-fhe-
reside.patch:
fs/ntfs: Fix an OOB read when reading data from the resident $DATA +
attribute
- CVE-2023-4693
* SECURITY UPDATE: Crafted file system images can cause heap-based buffer
overflow and may allow arbitrary code execution and secure boot bypass.
- d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-write-when-parsing-the-
ATTRIBUTE_LIST-.patch:
fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute for
the $MFT file
- d/patches/ntfs-cve-fixes/fs-ntfs-Make-code-more-readable.patch
fs/ntfs: Make code more readable
- CVE-2023-4692
* efi/fdt: Apply device tree fixups directly after loading
- add debian/patches/fdt-fixup-after-load.patch
- LP: #2028931
* Source package generated from src:grub2 using make -f ./debian/rules
generate-grub2-unsigned
-- Mate Kukri <email address hidden> Mon, 02 Oct 2023 15:26:59 +0100
-
grub2-unsigned (2.06-2ubuntu14.2) kinetic; urgency=medium
* Cherry-pick more upstream memory patches (LP: #2004643)
* Source package generated from src:grub2 using make -f ./debian/rules
generate-grub2-unsigned
-- Julian Andres Klode <email address hidden> Mon, 20 Feb 2023 17:29:00 +0100
-
grub2-unsigned (2.06-2ubuntu14.1) kinetic; urgency=medium
* Cherry-pick all memory patches from rhboot
- Allocate initrd > 4 GB (LP: #1842320)
- Allocate kernels as code, not data (needed for newer firmware)
* ubuntu: Fix casts on i386-efi target
* Cherry-pick all the 2.12 memory management changes (LP: #1842320)
* Allocate executables as CODE, not DATA in chainloader and arm64
* Source package generated from src:grub2 using make -f ./debian/rules
generate-grub2-unsigned
-- Julian Andres Klode <email address hidden> Mon, 30 Jan 2023 11:51:57 +0100
-
grub2-unsigned (2.06-2ubuntu14) kinetic; urgency=medium
* SECURITY UPDATE: Fix out of bounds writes due specially crafted fonts.
- add debian/patches/font-Fix-several-integer-overflows-in-grub_font_construct.patch
- add debian/patches/font-Fix-an-integer-underflow-in-blit_comb.patch
- CVE-2022-2601, CVE-2022-3775
- LP: #1996950
* Fix various issues as a result of fuzzing, static analysis and code
review:
- add debian/patches/font-Reject-glyphs-exceeds-font-max_glyph_width-or-font-m.patch
- add debian/patches/font-Fix-size-overflow-in-grub_font_get_glyph_internal.patch
- add debian/patchces/font-Remove-grub_font_dup_glyph.patch
- add debian/patches/font-Fix-integer-overflow-in-ensure_comb_space.patch
- add debian/patches/font-Fix-integer-overflow-in-BMP-index.patch
- add debian/patches/font-Fix-integer-underflow-in-binary-search-of-char-index.patch
- add debian/patches/fbutil-Fix-integer-overflow.patch
- add debian/patches/font-Harden-grub_font_blit_glyph-and-grub_font_blit_glyph.patch
- add debian/patches/font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
- add debian/patches/normal-charset-Fix-an-integer-overflow-in-grub_unicode_ag.patch
* Enforce verification of fonts when secure boot is enabled:
- add debian/patches/kern-efi-sb-Enforce-verification-of-font-files.patch
* Bundle unicode.pf2 in a squashfs memdisk attached to the signed EFI binary
- update debian/control
- update debian/build-efi-image
- add debian/patches/font-Try-opening-fonts-from-the-bundled-memdisk.patch
* Fix LP: #1997006 - add support for performing measurements to RTMRs
- add debian/patches/commands-efi-tpm-Refine-the-status-of-log-event.patch
- add debian/patches/commands-efi-tpm-Use-grub_strcpy-instead-of-grub_memcpy.patch
- add debian/patches/efi-tpm-Add-EFI_CC_MEASUREMENT_PROTOCOL-support.patch
* Fix the squashfs tests during the build
- remove debian/patches/ubuntu-fix-reproducible-squashfs-test.patch
- add debian/patches/tests-Explicitly-unset-SOURCE_DATE_EPOCH-before-running-f.patch
* Bump SBAT generation:
- update debian/sbat.ubuntu.csv.in
* Source package generated from src:grub2 using make -f ./debian/rules
generate-grub2-unsigned
-- Chris Coulson <email address hidden> Wed, 16 Nov 2022 14:40:42 +0000
-
grub2-unsigned (2.06-2ubuntu10) jammy; urgency=medium
[ Chris Coulson ]
* SECURITY UPDATE: Crafted PNG grayscale images may lead to out-of-bounds
write in heap.
- 0139-video-readers-png-Drop-greyscale-support-to-fix-heap.patch:
video/readers/png: Drop greyscale support to fix heap out-of-bounds write
- CVE-2021-3695
* SECURITY UPDATE: Crafted PNG image may lead to out-of-bound write during
huffman table handling.
- 0140-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch:
video/readers/png: Avoid heap OOB R/W inserting huff table items
- CVE-2021-3696
* SECURITY UPDATE: Crafted JPEG image can lead to buffer underflow write in
the heap.
- 0145-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch:
video/readers/jpeg: Block int underflow -> wild pointer write
- CVE-2021-3697
* SECURITY UPDATE: Integer underflow in grub_net_recv_ip4_packets
- 0148-net-ip-Do-IP-fragment-maths-safely.patch: net/ip: Do IP fragment
maths safely
- CVE-2022-28733
* SECURITY UPDATE: Out-of-bounds write when handling split HTTP headers
- 0154-net-http-Fix-OOB-write-for-split-http-headers.patch: net/http: Fix
OOB write for split http headers
- CVE-2022-28734
* SECURITY UPDATE: shim_lock verifier allows non-kernel files to be loaded
- 0135-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch:
kern/efi/sb: Reject non-kernel files in the shim_lock verifier
- CVE-2022-28735
* SECURITY UPDATE: use-after-free in grub_cmd_chainloader()
- 0130-loader-efi-chainloader-simplify-the-loader-state.patch:
loader/efi/chainloader: simplify the loader state
- 0131-commands-boot-Add-API-to-pass-context-to-loader.patch: commands/boot:
Add API to pass context to loader
- 0132-loader-efi-chainloader-Use-grub_loader_set_ex.patch:
loader/efi/chainloader: Use grub_loader_set_ex
- 0133-loader-i386-efi-linux-Use-grub_loader_set_ex.patch:
loader/i386/efi/linux: Use grub_loader_set_ex
* Various fixes as a result of fuzzing and static analysis:
- 0129-loader-efi-chainloader-grub_load_and_start_image-doe.patch:
loader/efi/chainloader: grub_load_and_start_image doesn't load and start
- 0134-loader-i386-efi-linux-Fix-a-memory-leak-in-the-initr.patch:
loader/i386/efi/linux: Fix a memory leak in the initrd command
- 0136-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch:
kern/file: Do not leak device_name on error in grub_file_open()
- 0137-video-readers-png-Abort-sooner-if-a-read-operation-f.patch:
video/readers/png: Abort sooner if a read operation fails
- 0138-video-readers-png-Refuse-to-handle-multiple-image-he.patch:
video/readers/png: Refuse to handle multiple image headers
- 0141-video-readers-png-Sanity-check-some-huffman-codes.patch:
video/readers/png: Sanity check some huffman codes
- 0142-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch:
video/readers/jpeg: Abort sooner if a read operation fails
- 0143-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch:
video/readers/jpeg: Do not reallocate a given huff table
- 0144-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch:
video/readers/jpeg: Refuse to handle multiple start of streams
- 0146-normal-charset-Fix-array-out-of-bounds-formatting-un.patch:
normal/charset: Fix array out-of-bounds formatting unicode for display
- 0147-net-netbuff-Block-overly-large-netbuff-allocs.patch:
net/netbuff: Block overly large netbuff allocs
- 0149-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch:
net/dns: Fix double-free addresses on corrupt DNS response
- 0150-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch:
net/dns: Don't read past the end of the string we're checking against
- 0151-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch:
net/tftp: Prevent a UAF and double-free from a failed seek
- 0152-net-tftp-Avoid-a-trivial-UAF.patch: net/tftp: Avoid a trivial UAF
- 0153-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch:
net/http: Do not tear down socket if it's already been torn down
- 0155-net-http-Error-out-on-headers-with-LF-without-CR.patch:
net/http: Error out on headers with LF without CR
- 0156-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch:
fs/f2fs: Do not read past the end of nat journal entries
- 0157-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch:
fs/f2fs: Do not read past the end of nat bitmap
- 0158-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch:
fs/f2fs: Do not copy file names that are too long
- 0159-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch:
fs/btrfs: Fix several fuzz issues with invalid dir item sizing
- 0160-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch:
fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing
- 0161-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch:
fs/btrfs: Fix more fuzz issues related to chunks
* Bump SBAT generation:
- update debian/sbat.ubuntu.csv.in
* Make the grub2/no_efi_extra_removable setting work correctly
- update debian/postinst.in
* Build grub2-unsigned packages with xz compression for compatibility
with xenial dpkg
- update debian/rules
[ Steve Langasek ]
* Bump versioned dependency on grub2-common to 2.02~beta2-36ubuntu3.32 for
necessary arm relocation support. LP: #1926748.
* debian/postinst.in: Unconditionally call grub-install with
--force-extra-removable on xenial and bionic, so that the \EFI\BOOT
removable path as used in cloud images receives the updates. LP: #1930742.
-- Chris Coulson <email address hidden> Tue, 07 Jun 2022 17:36:27 +0100
-
grub2-unsigned (2.06-2ubuntu7) jammy; urgency=medium
[ Heinrich Schuchardt ]
* Disable LOAD FILE2 protocol for initrd on ARM (LP: #1967562)
[ dann frazier ]
* Source package generated from src:grub2 using make -f ./debian/rules
generate-grub2-unsigned
-- dann frazier <email address hidden> Fri, 15 Apr 2022 15:50:11 -0600
-
grub2-unsigned (2.06-2ubuntu6) jammy; urgency=medium
[ Heinrich Schuchardt ]
* efivar: check that efivarfs is writeable (LP: #1965288)
[ Dimitri John Ledkov ]
* Do not validate kernels twice. (LP: #1964943)
[ Heinrich Schuchardt ]
* efi: EFI Device Tree Fixup Protocol (LP: #1965796)
* fdt: add debug output to devicetree command
[ Julian Andres Klode ]
* Source package generated from src:grub2 using make -f ./debian/rules
generate-grub2-unsigned
-- Julian Andres Klode <email address hidden> Fri, 25 Mar 2022 16:03:11 +0100
-
grub2-unsigned (2.06-2ubuntu5) jammy; urgency=medium
[ Julian Andres Klode ]
* Free correct size when freeing params, rather than 16 Ki (LP: #1958623)
* Build with FUSE3 (LP: #1935659)
* Only run os-prober on first run and if it previously found other OS
(LP: #1955109)
[ Heinrich Schuchardt ]
* Rename grub-core/loader/efi/linux.c
* Add patches for GRUB on RISC-V
* fat: fix listing the root directory
* Enable building for RISC-V (LP: #1876620)
[ Julian Andres Klode ]
* Re-enable peimage code on other archs outside secure boot; this
fixes LP: #1947046 when not booting in secure boot mode (secure
boot pending security review of the code)
* Source package generated from src:grub2 using make -f ./debian/rules
generate-grub2-unsigned
-- Julian Andres Klode <email address hidden> Fri, 18 Feb 2022 17:21:16 +0100
-
grub2-unsigned (2.06-2ubuntu4) jammy; urgency=medium
* UBUNTU: Move verifiers after decompressors (LP: #1954683)
* grub-check-signatures: Support gzip compressed kernels (LP: #1954683)
* Source package generated from src:grub2 using make -f ./debian/rules
generate-grub2-unsigned
-- Julian Andres Klode <email address hidden> Mon, 10 Jan 2022 14:52:04 +0100
-
grub2-unsigned (2.06-2ubuntu3) jammy; urgency=medium
* Cherry-pick the missing hunk back that changes parameter loading
in grub-core/loader/i386/linux.c, this should fix booting on
BIOS systems.
* Fix the fallback for kernel addresses on amd64 EFI, if the kernel
could not be allocated at the preferred address, reset errno such
that if the 2nd allocation succeeds, we do not fail erroneously.
* Source package generated from src:grub2 using make -f ./debian/rules
generate-grub2-unsigned
-- Julian Andres Klode <email address hidden> Mon, 13 Dec 2021 14:27:53 +0100
-
grub2-unsigned (2.06-2ubuntu2) jammy; urgency=medium
* Restore still relevant patches lost in rebase.
They got lost in a first rebase, when we did not include
ubuntu-linuxefi.patch as they modify code in there.
- no-devicetree-if-secure-boot.patch
- 0077-ubuntu-Update-the-linux-boot-protocol-version-check.patch
- 0096-linuxefi-fail-kernel-validation-without-shim-protoco.patch
- 0099-chainloader-Avoid-a-double-free-when-validation-fail.patch
- 0105-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch
* Source package generated from src:grub2 using make -f ./debian/rules
generate-grub2-unsigned
-- Julian Andres Klode <email address hidden> Wed, 08 Dec 2021 17:14:50 +0100
-
grub2-unsigned (2.06-2ubuntu1) jammy; urgency=medium
* Merge from Debian unstable; remaining changes:
- Build without lto
- Add Ubuntu sbat data
- Make prebuilt netboot image look for MAAS grub.cfg
- build-efi-images: add smbios module to the prebuilt signed EFI images
(LP: 1856424)
- build-efi-images: do not produce -installer.efi.signed. LP: 1863994
- build-efi-images: Add http to netboot images
- grub-common: Install canonical-uefi-ca.crt
- Check signatures
- minilzo: built using the distribution's minilzo
- Support installing to multiple ESP (LP: 1871821)
- Disable various bits on i386
- Split out unsigned artefacts into grub2-unsigned
- Vcs-Git: Point to ubuntu packaging branch
- Relax dependencies on grub-common and grub2-common
- grub-pc: Avoid the possibility of breaking grub on SRU update due
to ABI change
- UBUNTU: Default timeout changes
- Disable os-prober for ppc64el on the PowerNV platform (for Petitboot)
- dirs.in: create var/lib/grub/ucf in grub-efi-amd64 (and similar)
- Link grub-efi-{amd64,arm64}-bin docs directory
- grub-common.service: port init.d script to systemd unit. Add warning
message, when initrdless boot fails triggering fallback. LP: 1901553
- Removed patches:
- grub-install-extra-removable.patch
- grub-install-removable-shim.patch
- Added patches:
+ ubuntu-grub-install-extra-removable.patch
+ ubuntu-zfs-enhance-support.patch
+ ubuntu-zfs-gfxpayload-keep-default.patch
+ ubuntu-zfs-mkconfig-ubuntu-distributor.patch
+ ubuntu-zfs-mkconfig-signed-kernel.patch
+ ubuntu-zfs-maybe-quiet.patch
+ ubuntu-zfs-quick-boot.patch
+ ubuntu-zfs-gfxpayload-dynamic.patch
+ ubuntu-zfs-vt-handoff.patch
+ ubuntu-zfs-mkconfig-recovery-title.patch
+ ubuntu-zfs-insmod-xzio-and-lzopio-on-xen.patch
+ ubuntu-support-initrd-less-boot.patch
+ ubuntu-shorter-version-info.patch
+ ubuntu-add-initrd-less-boot-fallback.patch
+ ubuntu-mkconfig-leave-breadcrumbs.patch
+ ubuntu-fix-lzma-decompressor-objcopy.patch
+ ubuntu-temp-keep-auto-nvram.patch
+ ubuntu-add-devicetree-command-support.patch
+ ubuntu-boot-from-multipath-dependent-symlink.patch
+ ubuntu-skip-disk-by-id-lvm-pvm-uuid-entries.patch
+ ubuntu-efi-allow-loopmount-chainload.patch
+ 0076-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch
+ ubuntu-resilient-boot-ignore-alternative-esps.patch
+ ubuntu-resilient-boot-boot-order.patch
+ ubuntu-speed-zsys-history.patch
+ ubuntu-flavour-order.patch
+ ubuntu-dont-verify-loopback-images.patch
+ ubuntu-recovery-dis_ucode_ldr.patch
+ ubuntu-linuxefi-arm64.patch
+ ubuntu-add-initrd-less-boot-messages.patch
+ ubuntu-fix-reproducible-squashfs-test.patch
+ rhboot-f34-make-exit-take-a-return-code.patch
+ rhboot-f34-dont-use-int-for-efi-status.patch
+ rhboot-f34-make-pmtimer-tsc-calibration-fast.patch
+ suse-add-support-for-UEFI-network-protocols.patch
+ suse-AUDIT-0-http-boot-tracker-bug.patch
+ rhboot-f34-efinet-also-use-the-firmware-acceleration-for-http.patch
+ 0241-Call-hwmatch-only-on-the-grub-pc-platform.patch
* Dropped changes:
- Remove obsolete dependencies on dh-autoreconf and automake
- Remove explicit --with systemd in debhelper invocation
- Remove debian/gettext-patches; they do not seem to be necessary anymore
- Remove inadvertent change to debian/signing-template.json.in, we do not
use that file anyway.
- Merged upstream:
+ merged: 0074-uefi-firmware-rename-fwsetup-menuentry-to-UEFI-Firmw.patch
+ merged: 0075-smbios-Add-a-linux-argument-to-apply-linux-modalias-.patch
+ merged security patches 0081-0105, and 0128-0240
+ various cherry picks: cherry-* and cherrypick-*.patch
+ grub-install-backup-and-restore.patch
+ uefi-firmware-setup.patch
+ sleep-shift.patch
+ vsnprintf-upper-case-hex.patch
+ rhboot-f34-update-info-with-grub.cfg-netboot-selection-order.patch
+ suse-search-for-specific-config-files-for-netboot.patch
+ tftp-rollover-block-counter.patch
+ ubuntu-efi-console-set-text-mode-as-needed.patch
- Merged in Debian:
+ install-efi-ubuntu-flavours.patch
+ ubuntu-dejavu-font-path.patch
+ ubuntu-tpm-unknown-error-non-fatal.patch
- Not applicable:
+ 0077-ubuntu-Update-the-linux-boot-protocol-version-check.patch: The
check has been removed.
* Fix zstd build on s390x
* Cherry-pick two upstream fixes to fix closing of SNP protocol in EFI
networking stack
* Build with -O1 on s390x to avoid build failure due to gcc optimization
failure causing it to wrongly assume variables as uninitialized.
* Revert integration of jfs and f2fs modules into signed images, we do not
support these file systems on /boot.
* Source package generated from src:grub2 using make -f ./debian/rules
generate-grub2-unsigned
-- Julian Andres Klode <email address hidden> Tue, 07 Dec 2021 13:40:32 +0100
-
grub2-unsigned (2.04-1ubuntu48) jammy; urgency=medium
[ Mauricio Faria de Oliveira ]
* d/p/0241-Call-hwmatch-only-on-the-grub-pc-platform.patch:
Fix "error: can't find command `hwmatch'." on non-i386/pc
platforms such as x86_64/efi. (LP: #1840560)
[ Julian Andres Klode ]
* Source package generated from src:grub2 using make -f ./debian/rules
generate-grub2-unsigned
-- Mauricio Faria de Oliveira <email address hidden> Thu, 04 Nov 2021 10:48:06 -0300
-
grub2-unsigned (2.04-1ubuntu47) impish; urgency=medium
* Drop grub.cfg-400.patch (LP: #1933826)
* Source package generated from src:grub2 using make -f ./debian/rules
generate-grub2-unsigned
-- Julian Andres Klode <email address hidden> Thu, 02 Sep 2021 14:37:43 +0200
