debcrafters-packages team mailing list archive
Message #05562
[Bug 2104316] Re: grub2+systemd-stub fails to boot on edk2 with Memory Attribute Protocol enabled
This bug was fixed in the package grub2 - 2.14~git20250718.0e36779-1ubuntu2
---------------
grub2 (2.14~git20250718.0e36779-1ubuntu2) questing; urgency=medium
* Fup grub-common -> grub2-common merger in Ubuntu specific delta
grub2 (2.14~git20250718.0e36779-1ubuntu1) questing; urgency=medium
* Merge from Debian experimental; remaining changes:
- Add Ubuntu sbat data
- build-efi-images: do not produce -installer.efi.signed. LP #1863994
- grub-common: Install canonical-uefi-ca.crt
- Check signatures
- Support installing to multiple ESP (LP #1871821)
- Split out unsigned artefacts into grub2-unsigned
- Vcs-Git: Point to ubuntu packaging branch
- Relax dependencies on grub-common and grub2-common
- UBUNTU: Do not link grub-efi-*-unsigned docs to grub-common
- UBUNTU: Default timeout changes
- UBUNTU: Replace grub-install-extra-removable
- UBUNTU: Revert "Add jfs module to signed UEFI images. Closes: #950959"
- UBUNTU: Revert "Add f2fs module to signed UEFI images"
- UBUNTU: Drop luks2
- Install grub-initrd-fallback.service again
- Build using -O1 on s390x to avoid misoptimization
- grub-check-signatures: Support gzip compressed kernels
- forward port fix for LP #1926748
- Forward port the fix for LP #1930742 and make it conditional (xenial/bionic only)
- Build grub2-unsigned packages with xz compression
- Drop i386 from grub-efi-amd64*
- Turn depends on grub-efi-amd64/arm64 unversioned
- Install grub-sort-version
- rules: Add DPKG_BUILDPACKAGE_OPTIONS to generate-grub2-unsigned
- d/postinst.in: Make empty "grub-pc/install_devices" non-fatal in "noninteractive" mode
- Add debconf options "grub-{efi,pc}/cloud_style_installation"
- grub-common.service: Add After/Requires=boot-complete.target (LP #1992643)
- d/postinst.in: Remove upgrade check for GRUB version we can no longer upgrade from
- Disable ELF metadata injection
- Provide pre-built BIOS and IEEE1275 El-Torito images (LP #2086841)
- Removed patches:
+ install-signed.patch with
+ grub-install-extra-removable.patch
+ grub-install-removable-shim.patch
- Added patches:
+ ubuntu-install-signed.patch
+ ubuntu-grub-install-extra-removable.patch
+ ubuntu-zfs-enhance-support.patch
+ ubuntu-zfs-mkconfig-ubuntu-recovery.patch
+ ubuntu-zfs-mkconfig-ubuntu-distributor.patch
+ ubuntu-zfs-mkconfig-signed-kernel.patch
+ ubuntu-zfs-gfxpayload-keep-default.patch
+ ubuntu-zfs-gfxpayload-dynamic.patch
+ ubuntu-zfs-vt-handoff.patch
+ ubuntu-zfs-mkconfig-recovery-title.patch
+ ubuntu-zfs-insmod-xzio-and-lzopio-on-xen.patch
+ ubuntu-support-initrd-less-boot.patch
+ ubuntu-shorter-version-info.patch
+ ubuntu-add-initrd-less-boot-fallback.patch
+ ubuntu-mkconfig-leave-breadcrumbs.patch
+ ubuntu-fix-lzma-decompressor-objcopy.patch
+ ubuntu-add-devicetree-command-support.patch
+ ubuntu-boot-from-multipath-dependent-symlink.patch
+ ubuntu-resilient-boot-ignore-alternative-esps.patch
+ ubuntu-resilient-boot-boot-order.patch
+ ubuntu-speed-zsys-history.patch
+ ubuntu-dont-verify-loopback-images.patch
+ ubuntu-recovery-dis_ucode_ldr.patch
+ ubuntu-add-initrd-less-boot-messages.patch
+ rhboot-f34-make-exit-take-a-return-code.patch
+ rhboot-f34-dont-use-int-for-efi-status.patch
+ suse-grub.texi-add-net_bootp6-document.patch
+ ubuntu-verifiers-last.patch
+ ubuntu-os-prober-auto.patch
+ grub-sort-version.patch
+ Revert-kern-ieee1275-init-ppc64-Display-upper_mem_limit-w.patch
+ Revert-kern-ieee1275-init-ppc64-Fix-a-comment.patch
+ Revert-kern-ieee1275-ieee1275-Display-successful-memory-c.patch
+ Revert-loader-powerpc-ieee1275-Use-new-allocation-functio.patch
+ Revert-kern-ieee1275-cmain-ppc64-Introduce-flags-to-ident.patch
+ Revert-kern-ieee1275-init-ppc64-Rename-regions_claim-to-g.patch
+ Revert-kern-ieee1275-init-ppc64-Add-support-for-alignment.patch
+ Revert-kern-ieee1275-init-ppc64-Return-allocated-address-.patch
+ Revert-kern-ieee1275-init-ppc64-Decide-by-request-whether.patch
+ Revert-kern-ieee1275-init-ppc64-Introduce-a-request-for-r.patch
+ grub-install-efi-title.patch
* Add grub.ubuntu26,1 SBAT entry to indicate upcoming LTS
grub2 (2.14~git20250718.0e36779-1) experimental; urgency=medium
[ Mate Kukri ]
* Import git snapshot of upcoming GRUB 2.14 upstream release
* d/patches: rebase patches for 2.14 git snapshot
* d/rules: add erofs_test to XFAIL test
* peimage: add NX support, fix some bugs (LP: #2104316)
* Fix ipconfig2 route table parsing (LP: #2088181)
[ Luca Boccassi ]
* efi images: enable 'bli' module
[ Graham Inggs ]
* debian/control: mark qemu-system build-dependency <!nocheck>
[ Pascal Hambourg ]
* debian/grub.d/05_debian_theme: quote background image pathname in output
[ Mate Kukri ]
* Resolve zfs root identification (Closes: #848945)
* Check out missing distfiles from upstream git branch
* d/build-efi-images: Remove filesystems no longer allowed under lockdown
* debian: Remove references to dead ports kfreebsd-* and kopensolaris-*
* d/control: Sync dependencies of grub-efi-{riscv64,loong64} with grub-efi-*
* d/control: Clean up package relations
* debian: Tanglu is a dead distro, drop references to it
* debian: Get rid of non-systemd init scripts
* debian: Merge grub-common into grub2-common
* debian: Get rid of update-grub script for grub-legacy
* debian: Remove support for the yeeloong target
* Remove support for WUBI (Windows Based Ubuntu Installer)
* debian/patches: Drop a number of obsolete patches
* Add "noescape" argument to cmdline creation (LP: #2112179)
* d/control: Cleanup more package relations
* Remove IA64 support
* Remove old maintscripts
* d/postinst.in: remove grub legacy related functionality
* Add Provides grub-common to merged grub2-common
* Update Debian specific SBAT line to grub.debian14 for forky
grub2 (2.12-9) unstable; urgency=medium
* Apply patch by Ben Hutchings to not strip .exec or .image files
(Closes: #1072167)
grub2 (2.12-8) unstable; urgency=medium
[ Mate Kukri ]
* d/default/grub: Always get distributor string from `/etc/os-release`
* Avoid adding extra GNU/Linux suffix to menu entries (Closes: #1076723)
grub2 (2.12-7) unstable; urgency=medium
[ Mate Kukri ]
* Drop NTFS patches that seem to be causing regressions
(Closes: #1100486, #1100470)
grub2 (2.12-6) unstable; urgency=medium
[ Mate Kukri ]
* Fix out of bounds XSDT access, re-enable ACPI SPCR table support
[ Miroslav Kure ]
* Updated Czech translation of grub debconf messages. (Closes: #1035052)
[ Viktar Siarheichyk ]
* Updated Belarusian translation. (Closes: #1034905)
[ Carles Pina i Estany ]
* Update translation
[ Felix Zielcke ]
* Move d/legacy/* files to grub-legacy.
* Remove traces of ../legacy/ dir in d/rules.
[ Mate Kukri ]
* Cherry-pick upstream security patches
* Bump SBAT level to grub,5
* SECURITY UPDATE: video/readers/jpeg: Do not permit duplicate SOF0 markers in JPEG
- CVE-2024-45774
* SECURITY UPDATE: commands/extcmd: Missing check for failed allocation
- CVE-2024-45775
* SECURITY UPDATE: gettext: Integer overflow leads to heap OOB write or read
- CVE-2024-45776
* SECURITY UPDATE: gettext: Integer overflow leads to heap OOB write
- CVE-2024-45777
* SECURITY UPDATE: fs/bfs: Integer overflow
- CVE-2024-45778
* SECURITY UPDATE: fs/bfs: integer overflow leads to heap OOB read
- CVE-2024-45779
* SECURITY UPDATE: fs/tar: Integer overflow leads to heap OOB write
- CVE-2024-45780
* SECURITY UPDATE: fs/ufs: `strcpy` use leading to heap OOB write
- CVE-2024-45781
* SECURITY UPDATE: fs/hfs: `strcpy` use leading to potential heap OOB write
- CVE-2024-45782
* SECURITY UPDATE: fs/hfsplus: incorrect refcount handling leading to UAF
- CVE-2024-45783
* SECURITY UPDATE: command/gpg: Use-after-free due to hooks not being removed on module unload
- CVE-2025-0622
* SECURITY UPDATE: net: Out-of-bounds write in grub_net_search_config_file()
- CVE-2025-0624
* SECURITY UPDATE: UFS: Integer overflow may lead to heap based out-of-bounds write when handling symlinks
- CVE-2025-0677
* SECURITY UPDATE: squash4: Integer overflow may lead to heap based out-of-bounds write when reading data
- CVE-2025-0678
* SECURITY UPDATE: reiserfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data
- CVE-2025-0684
* SECURITY UPDATE: jfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data
- CVE-2025-0685
* SECURITY UPDATE: romfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data
- CVE-2025-0686
* SECURITY UPDATE: udf: Heap based buffer overflow in grub_udf_read_block() may lead to arbitrary code execution
- CVE-2025-0689
* SECURITY UPDATE: read: Integer overflow may lead to out-of-bounds write
- CVE-2025-0690
* SECURITY UPDATE: commands/dump: The dump command is not in lockdown when secure boot is enabled
- CVE-2025-1118
* SECURITY UPDATE: fs/hfs: Integer overflow may lead to heap based out-of-bounds write
- CVE-2025-1125
* SECURITY UPDATE: insmod: incorrect refcount handling leading to UAF [LP: #2055835]
-- Mate Kukri <mate.kukri@xxxxxxxxxxxxx> Wed, 13 Aug 2025 14:57:58 +0100
** Changed in: grub2 (Ubuntu)
Status: In Progress => Fix Released
** CVE added: https://cve.org/CVERecord?id=CVE-2024-45774
** CVE added: https://cve.org/CVERecord?id=CVE-2024-45775
** CVE added: https://cve.org/CVERecord?id=CVE-2024-45776
** CVE added: https://cve.org/CVERecord?id=CVE-2024-45777
** CVE added: https://cve.org/CVERecord?id=CVE-2024-45778
** CVE added: https://cve.org/CVERecord?id=CVE-2024-45779
** CVE added: https://cve.org/CVERecord?id=CVE-2024-45780
** CVE added: https://cve.org/CVERecord?id=CVE-2024-45781
** CVE added: https://cve.org/CVERecord?id=CVE-2024-45782
** CVE added: https://cve.org/CVERecord?id=CVE-2024-45783
** CVE added: https://cve.org/CVERecord?id=CVE-2025-0622
** CVE added: https://cve.org/CVERecord?id=CVE-2025-0624
** CVE added: https://cve.org/CVERecord?id=CVE-2025-0677
** CVE added: https://cve.org/CVERecord?id=CVE-2025-0678
** CVE added: https://cve.org/CVERecord?id=CVE-2025-0684
** CVE added: https://cve.org/CVERecord?id=CVE-2025-0685
** CVE added: https://cve.org/CVERecord?id=CVE-2025-0686
** CVE added: https://cve.org/CVERecord?id=CVE-2025-0689
** CVE added: https://cve.org/CVERecord?id=CVE-2025-0690
** CVE added: https://cve.org/CVERecord?id=CVE-2025-1118
** CVE added: https://cve.org/CVERecord?id=CVE-2025-1125
https://bugs.launchpad.net/bugs/2104316
Title:
grub2+systemd-stub fails to boot on edk2 with Memory Attribute
Protocol enabled
Status in Gadget snap for Personal Computers using Intel or AMD processors:
New
Status in edk2 package in Ubuntu:
Fix Released
Status in grub2 package in Ubuntu:
Fix Released
Status in systemd package in Ubuntu:
New
Bug description:
25.04 beta hybrid TPMFDE: first boot failure
Using virt-manager, creating a VM, adjusting the firmware for UEFI
(.ms), and adding a TPM (default settings), the resulting system
appears to install but fails on first boot.
The screen shows TianoCore along with
BdsDxe: loading Booot0003...
BdsDxe: starting Booot0003...
If I repeat this test with Ubuntu 24.04.2, it boots as
expected, showing this prior to continuing to the desktop:
BdsDxe: loading Booot0003...
BdsDxe: starting Booot0003...
/EndEntire
/EndEntire
On 24.04.2, if I hit escape during the /EndEntire bit, I can see the
Grub menu offering the "Run Ubuntu Core" option, which never seems to
work on the 25.04 beta install.