Bug 55191 - grub2: Multiple issues (5.0)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 5.0
All Linux
P3 normal
UCS 5.0-2-errata
Assigned To: Quality Assurance
Philipp Hahn
Reported: 2022-09-12 09:11 CEST by Quality Assurance
Modified: 2022-09-13 17:50 CEST (History)
What kind of report is it?: Security Issue
Max CVSS v3 score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)


Description Quality Assurance univentionstaff 2022-09-12 09:11:24 CEST
New Debian grub2 2.06-3~deb10u1 fixes:
This update addresses the following issues:
* Crafted PNG grayscale images may lead to out-of-bounds write in the heap (CVE-2021-3695)
* Crafted PNG image may lead to out-of-bounds write during Huffman table handling (CVE-2021-3696)
* Crafted JPEG image can lead to buffer underflow write in the heap (CVE-2021-3697)
* Integer underflow in grub_net_recv_ip4_packets (CVE-2022-28733)
* Out-of-bounds write when handling split HTTP headers (CVE-2022-28734)
* shim_lock verifier allows non-kernel files to be loaded (CVE-2022-28735)
* use-after-free in grub_cmd_chainloader() (CVE-2022-28736)
Comment 1 Quality Assurance univentionstaff 2022-09-12 09:24:31 CEST
--- mirror/ftp/pool/main/m/mokutil/mokutil_0.3.0+1538710437.fb6250f-1.dsc
+++ apt/ucs_5.0-0-errata5.0-2/source/mokutil_0.6.0-2~deb10u1.dsc
@@ -1,3 +1,13 @@
+0.6.0-2~deb10u1 [Sat, 23 Jul 2022 14:23:40 +0200] Steve McIntyre <93sam@debian.org>:
+
+  * Rebuild new upstream for buster, to allow for SBAT management
+    + Move to new upstream version 0.6.0.
+    + Drop old patches, no longer needed.
+    + Switch to Arch: any to allow for more architectures.
+      Closes: #987613, #991933.
+    + Clean up old tweaks in debian/rules, no longer needed.
+    + Add build-dep on libkeyutils-dev, new dependency.
+
 0.3.0+1538710437.fb6250f-1 [Fri, 12 Apr 2019 17:45:52 -0500] Simon Quigley <tsimonq2@debian.org>:
 
   * Upload to Debian (Closes: #925471).
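Review bot: the 0.6.0-2~deb10u1 entry gives "to allow for SBAT management" as the reason for the rebuild but does not say which grub2 version it is paired with; since this erratum ships it alongside grub2 2.06-3~deb10u1, whose changelog bumps the SBAT generation, a one-line pointer to that package (and to the `mokutil --list-sbat-revocations` use exercised in QA) would make the relationship visible to anyone reading the mokutil changelog on its own. The "Switch to Arch: any" item also changes which architectures get a binary, so check that the Architecture of the resulting UCS build is the one the repository expects.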

<http://piuparts.knut.univention.de/5.0-2/#2668085352927106244>
Comment 2 Quality Assurance univentionstaff 2022-09-12 09:24:33 CEST
--- mirror/ftp/pool/main/g/grub2/grub2_2.02+dfsg1-20+deb10u4.dsc
+++ apt/ucs_5.0-0-errata5.0-2/source/grub2_2.06-3~deb10u1.dsc
@@ -1,3 +1,139 @@
+2.06-3~deb10u1 [Mon, 01 Aug 2022 20:26:34 +0100] Steve McIntyre <93sam@debian.org>:
+
+  [ Steve McIntyre ]
+  * Switch to upstream 2.06 release, and rebuild for buster.
+    - Tweak build-deps etc. for the rebuild.
+  * Updated the 2.06-3 changelog to mention closure of CVE-2022-28736
+  * Re-enable os-prober by default, don't make that change in a stable
+    update.
+
+2.06-3 [Fri, 10 Jun 2022 11:15:11 +0200] Julian Andres Klode <jak@debian.org>:
+
+  [ Colin Watson ]
+  * Update a few leftover uses of "which" to use "command -v" instead.
+  * Remove some old Lintian overrides.
+  * Trim trailing whitespace.
+  * debian/copyright: use spaces rather than tabs to start continuation lines.
+  * Add missing ${misc:Depends} to Depends for grub-efi-ia32-signed-template,
+    grub-efi-amd64-signed-template, grub-efi-arm64-signed-template.
+  * Bump debhelper from old 10 to 13.
+  * Set upstream metadata fields: Bug-Submit (from ./configure), Repository,
+    Repository-Browse.
+  * Drop now-unnecessary sparc PIE workaround from debian/rules (thanks,
+    John Paul Adrian Glaubitz; closes: #952815).
+
+  [ Debconf translations ]
+  * [id] Indonesian (Andika Triwidada; closes: #1007706).
+
+  [ Julian Andres Klode ]
+  * Add Julian Andres Klode to uploaders
+  * Disable building with LTO, as used in Ubuntu and possibly other
+    downstreams (maybe Debian one day), as that breaks the build.
+  * SECURITY UPDATE: Crafted PNG grayscale images may lead to out-of-bounds
+    write in heap.
+    - 0070-video-readers-png-Drop-greyscale-support-to-fix-heap.patch:
+      video/readers/png: Drop greyscale support to fix heap out-of-bounds write
+    - CVE-2021-3695
+  * SECURITY UPDATE: Crafted PNG image may lead to out-of-bound write during
+    huffman table handling.
+    - 0071-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch:
+      video/readers/png: Avoid heap OOB R/W inserting huff table items
+    - CVE-2021-3696
+  * SECURITY UPDATE: Crafted JPEG image can lead to buffer underflow write in
+    the heap.
+    - 0076-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch:
+      video/readers/jpeg: Block int underflow -> wild pointer write
+    - CVE-2021-3697
+  * SECURITY UPDATE: Integer underflow in grub_net_recv_ip4_packets
+    - 0079-net-ip-Do-IP-fragment-maths-safely.patch: net/ip: Do IP fragment
+      maths safely
+    - CVE-2022-28733
+  * SECURITY UPDATE: Out-of-bounds write when handling split HTTP headers
+    - 0085-net-http-Fix-OOB-write-for-split-http-headers.patch: net/http: Fix
+      OOB write for split http headers
+    - CVE-2022-28734
+  * SECURITY UPDATE: shim_lock verifier allows non-kernel files to be loaded
+    - 0066-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch:
+      kern/efi/sb: Reject non-kernel files in the shim_lock verifier
+    - CVE-2022-28735
+    - Closes: #1001057
+  * SECURITY UPDATE: use-after-free in grub_cmd_chainloader()
+    - 0063-loader-efi-chainloader-Simplify-the-loader-state.patch:
+      loader/efi/chainloader: simplify the loader state
+    - 0064-commands-boot-Add-API-to-pass-context-to-loader.patch: commands/boot:
+      Add API to pass context to loader
+    - 0065-loader-efi-chainloader-Use-grub_loader_set_ex.patch:
+      loader/efi/chainloader: Use grub_loader_set_ex
+    - 0066-loader-i386-efi-linux-Use-grub_loader_set_ex.patch:
+      loader/i386/efi/linux: Use grub_loader_set_ex
+    - CVE-2022-28736
+  * Various fixes as a result of fuzzing and static analysis:
+    - 0067-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch:
+      kern/file: Do not leak device_name on error in grub_file_open()
+    - 0068-video-readers-png-Abort-sooner-if-a-read-operation-f.patch:
+      video/readers/png: Abort sooner if a read operation fails
+    - 0069-video-readers-png-Refuse-to-handle-multiple-image-he.patch:
+      video/readers/png: Refuse to handle multiple image headers
+    - 0072-video-readers-png-Sanity-check-some-huffman-codes.patch:
+      video/readers/png: Sanity check some huffman codes
+    - 0073-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch:
+      video/readers/jpeg: Abort sooner if a read operation fails
+    - 0074-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch:
+      video/readers/jpeg: Do not reallocate a given huff table
+    - 0075-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch:
+      video/readers/jpeg: Refuse to handle multiple start of streams
+    - 0077-normal-charset-Fix-array-out-of-bounds-formatting-un.patch:
+      normal/charset: Fix array out-of-bounds formatting unicode for display
+    - 0078-net-netbuff-Block-overly-large-netbuff-allocs.patch:
+      net/netbuff: Block overly large netbuff allocs
+    - 0080-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch:
+      net/dns: Fix double-free addresses on corrupt DNS response
+    - 0081-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch:
+      net/dns: Don't read past the end of the string we're checking against
+    - 0082-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch:
+      net/tftp: Prevent a UAF and double-free from a failed seek
+    - 0083-net-tftp-Avoid-a-trivial-UAF.patch: net/tftp: Avoid a trivial UAF
+    - 0084-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch:
+      net/http: Do not tear down socket if it's already been torn down
+    - 0086-net-http-Error-out-on-headers-with-LF-without-CR.patch:
+      net/http: Error out on headers with LF without CR
+    - 0087-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch:
+      fs/f2fs: Do not read past the end of nat journal entries
+    - 0088-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch:
+      fs/f2fs: Do not read past the end of nat bitmap
+    - 0089-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch:
+      fs/f2fs: Do not copy file names that are too long
+    - 0090-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch:
+      fs/btrfs: Fix several fuzz issues with invalid dir item sizing
+    - 0091-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch:
+      fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing
+    - 0092-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch:
+      fs/btrfs: Fix more fuzz issues related to chunks
+  * Bump SBAT generation:
+    - update debian/sbat.debian.csv.in
+
+2.06-2 [Mon, 29 Nov 2021 00:10:09 +0000] Colin Watson <cjwatson@debian.org>:
+
+  * Update to minilzo-2.10, fixing build failures on armel, mips64el,
+    mipsel, and ppc64el.
+
+2.06-1 [Sun, 28 Nov 2021 13:30:32 +0000] Colin Watson <cjwatson@debian.org>:
+
+  * Use "command -v" in maintainer scripts rather than "which".
+  * New upstream release.
+    - Switch to the upstream shim_lock verifier, dropping several more
+      manual checks for UEFI Secure Boot.
+  * Cherry-pick from upstream:
+    - fs/xfs: Fix unreadable filesystem with v4 superblock
+    - tests/ahci: Change "ide-drive" deprecated QEMU device name to "ide-hd"
+      (closes: #997100)
+  * Remove dir_to_symlink maintainer script code, which was only needed for
+    upgrades from before jessie.
+
+2.02+dfsg1-20+deb10u5 [Wed, 03 Mar 2021 11:15:15 +0000] Colin Watson <cjwatson@debian.org>:
+
+  * Pass --sbat when building the d-i netboot image as well.
+
 2.02+dfsg1-20+deb10u4 [Mon, 01 Mar 2021 22:50:45 +0000] Colin Watson <cjwatson@debian.org>:
 
   * Fix broken advice in message when the postinst has to bail out (thanks
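Review bot: the 2.06-3 entry uses the patch number 0066 twice, once for 0066-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch under CVE-2022-28735 and once for 0066-loader-i386-efi-linux-Use-grub_loader_set_ex.patch under CVE-2022-28736, so the CVE-to-patch mapping cannot be read off the numbering alone; check debian/patches/series in the imported 2.06-3~deb10u1 source to confirm both files are present and applied. Two further points for the UCS import: the top entry reverts the os-prober default ("Re-enable os-prober by default, don't make that change in a stable update"), a behaviour difference from the 2.06-3 entry it is rebuilt from that should be noted in the erratum text, and "Bump SBAT generation" means that once a host's firmware carries the matching revocation level the previous 2.02+dfsg1-20+deb10u4 images, older install media included, may no longer pass shim's SBAT check, which is the case the "New ISO with SB" QA step has to cover.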

<http://piuparts.knut.univention.de/5.0-2/#2668085352927106244>
Comment 3 Quality Assurance univentionstaff 2022-09-12 09:24:35 CEST
--- mirror/ftp/pool/main/g/grub-efi-amd64-signed/grub-efi-amd64-signed_1+2.02+dfsg1+20+deb10u4.dsc
+++ apt/ucs_5.0-0-errata5.0-2/source/grub-efi-amd64-signed_1+2.06+3~deb10u1.dsc
@@ -1,6 +1,6 @@
-1+2.02+dfsg1+20+deb10u4 [Mon, 01 Mar 2021 22:50:45 +0000] Debian signing service <ftpmaster@debian.org>:
+1+2.06+3~deb10u1 [Mon, 01 Aug 2022 20:26:34 +0100] Debian signing service <ftpmaster@debian.org>:
 
-  * Update to grub2 2.02+dfsg1-20+deb10u4
+  * Update to grub2 2.06-3~deb10u1
 
 1 [Sat, 07 Apr 2018 17:16:27 +0200] Philipp Matthias Hahn <pmhahn@debian.org>:
 
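Review bot: the version 1+2.06+3~deb10u1 encodes the grub2 version with "+" in place of "-", so it must track grub2 2.06-3~deb10u1 from the previous hunk exactly; it does here, but the item "Update to grub2 2.06-3~deb10u1" is the only place that link is stated, so repeat the comparison whenever the signed package is re-imported independently of grub2.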

<http://piuparts.knut.univention.de/5.0-2/#2668085352927106244>
Comment 4 Philipp Hahn univentionstaff 2022-09-13 15:59:18 CEST
OK: yaml
OK: announce_errata
 grub2.yaml
 grub-efi-amd64-signed.yaml
 mokutil.yaml
OK: patch
OK: piuparts

OK: Update with SB
OK: New ISO with SB
OK: mokutil --sb-state
OK: mokutil --list-sbat-revocations
OK: mokutil --import codesigning2020.der
OK: mokutil --list-enrolled
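The `mokutil --list-sbat-revocations` step in the QA list above reads the firmware's SbatLevel, and the grub2 changelog bumps the package's SBAT generation. Whether a given EFI image still boots under Secure Boot follows from comparing the two: shim refuses a binary if, for any component named in the revocation policy, the binary's own generation is below the policy's minimum, while components the binary does not declare are not checked. The following added example (not mokutil's or shim's code) implements that comparison on constructed SBAT data; the generation numbers, vendor strings and version strings in the samples are assumptions chosen to illustrate an old and a new image, not values copied from the Debian packages.

```python
# Constructed .sbat section of a hypothetical pre-erratum grub image.
# CSV columns: component_name,component_generation,vendor_name,vendor_package_name,vendor_version,vendor_url
OLD_IMAGE_SBAT = """sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.02,https://www.gnu.org/software/grub/
grub.debian,1,Debian,grub2,2.02+dfsg1-20+deb10u4,https://tracker.debian.org/pkg/grub2
"""

# Constructed .sbat section of a hypothetical image built with the bumped generation.
NEW_IMAGE_SBAT = """sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.debian,3,Debian,grub2,2.06-3~deb10u1,https://tracker.debian.org/pkg/grub2
"""

# Constructed revocation policy in the shape of a SbatLevel variable as printed by
# `mokutil --list-sbat-revocations`: component_name,minimum_allowed_generation[,date]
REVOCATION_POLICY = """sbat,1,2022052400
grub,2
"""


def parse_sbat(text):
    """Map component_name -> generation for every well-formed CSV line; lines
    without a numeric second field (blank lines, junk) are ignored."""
    generations = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) >= 2 and fields[0] and fields[1].isdigit():
            generations[fields[0]] = int(fields[1])
    return generations


def sbat_violations(image_sbat, policy):
    """Return [(component, image_generation, required_generation), ...] for every
    policy entry the image fails. A component absent from the image is not a
    violation: only components the image declares are subject to the policy."""
    have = parse_sbat(image_sbat)
    need = parse_sbat(policy)
    return [
        (name, have[name], need[name])
        for name in need
        if name in have and have[name] < need[name]
    ]


def boots_under_policy(image_sbat, policy):
    """True if shim would accept the image under this revocation policy."""
    return not sbat_violations(image_sbat, policy)


if __name__ == "__main__":
    for label, sbat in (("old image", OLD_IMAGE_SBAT), ("new image", NEW_IMAGE_SBAT)):
        if boots_under_policy(sbat, REVOCATION_POLICY):
            print(label, "allowed")
        else:
            print(label, "revoked:", sbat_violations(sbat, REVOCATION_POLICY))
```

On a real host the image's section can be dumped with `objcopy -O binary --only-section=.sbat <grubx64.efi> /dev/stdout` and the policy with `mokutil --list-sbat-revocations`; passing both to `sbat_violations` shows which installed or removable-media images the bumped generation leaves unbootable once the firmware's SbatLevel catches up.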