group.of.nepali.translators team mailing list archive

Thread
Date
[Bug 1915536] Re: one grub

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1915536@xxxxxxxxxxxxxxxxxx>
Date: Wed, 03 Mar 2021 08:53:48 -0000
Reply-to: Bug 1915536 <1915536@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
This bug was fixed in the package grub2 - 2.04-1ubuntu42

---------------
grub2 (2.04-1ubuntu42) hirsute; urgency=medium

  * SECURITY UPDATE: acpi command allows privilleged user to load crafted
    ACPI tables when secure boot is enabled.
    - 0126-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch: Don't
      register the acpi command when secure boot is enabled.
    - CVE-2020-14372
  * SECURITY UPDATE: use-after-free in rmmod command
    - 0128-dl-Only-allow-unloading-modules-that-are-not-depende.patch: Don't
      allow rmmod to unload modules that are dependencies of other modules.
    - CVE-2020-25632
  * SECURITY UPDATE: out-of-bound write in grub_usb_device_initialize()
    - 0129-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
    - CVE-2020-25647
  * SECURITY UPDATE: Stack buffer overflow in grub_parser_split_cmdline
    - 0206-kern-parser-Introduce-process_char-helper.patch,
      0207-kern-parser-Introduce-terminate_arg-helper.patch,
      0208-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch,
      0209-kern-buffer-Add-variable-sized-heap-buffer.patch,
      0210-kern-parser-Fix-a-stack-buffer-overflow.patch: Add a variable
      sized heap buffer type and use this.
    - CVE-2020-27749
  * SECURITY UPDATE: cutmem command allows privileged user to remove memory
    regions when Secure Boot is enabled.
    - 0127-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch:
      Don't register cutmem and badram commands when secure boot is enabled.
    - CVE-2020-27779
  * SECURITY UPDATE: heap out-of-bounds write in short form option parser.
    - 0173-lib-arg-Block-repeated-short-options-that-require-an.patch:
      Block repeated short options that require an argument.
    - CVE-2021-20225
  * SECURITY UPDATE: heap out-of-bound write due to mis-calculation of space
    required for quoting.
    - 0175-commands-menuentry-Fix-quoting-in-setparams_prefix.patch: Fix
      quoting in setparams_prefix()
    - CVE-2021-20233
  * Partially backport the lockdown framework to restrict certain features
    when secure boot is enabled.
  * Backport various fixes for Coverity defects.
  * Add SBAT metadata to the grub EFI binary.
    - Backport patches to support adding SBAT metadata with grub-mkimage:
      + 0212-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
      + 0213-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
      + 0214-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
      + 0215-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
      + 0216-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
      + 0217-util-mkimage-Improve-data_size-value-calculation.patch
      + 0218-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
      + 0219-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
    - Add debian/sbat.csv.in
    - Update debian/build-efi-image and debian/rules

  [ Dimitri John Ledkov & Steve Langasek LP: #1915536 ]
  * Allow grub-efi-amd64|arm64 & -bin & -dbg be built by
    src:grub2-unsigned (potentially of a higher version number).
  * Add debian/rules generate-grub2-unsigned target to quickly build
    src:grub2-unsigned for binary-copy backports.
  * postinst: allow postinst to with with or without grub-multi-install
    binary.
  * postinst: allow using various grub-install options to achieve
    --no-extra-removable.
  * postinst: only call grub-check-signatures if it exists.
  * control: relax dependency on grub2-common, as maintainer script got
    fixed up to work with grub2-common/grub-common as far back as trusty.
  * control: allow higher version depdencies from grub-efi package.
  * dirs.in: create var/lib/grub/ucf in grub-efi-amd64 (and similar) as
    postinst script uses that directory, and yet relies on grub-common to
    create/ship it, which is not true in older releases. Also make sure
    dh_installdirs runs after the .dirs files are generated.

 -- Dimitri John Ledkov <xnox@xxxxxxxxxx>  Tue, 23 Feb 2021 16:23:39
+0000

** Changed in: grub2 (Ubuntu Hirsute)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-14372

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-25632

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-25647

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-27749

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-27779

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-20225

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-20233

** Changed in: grub2-signed (Ubuntu Hirsute)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1915536

Title:
  one grub

Status in grub2 package in Ubuntu:
  Fix Released
Status in grub2-signed package in Ubuntu:
  Fix Released
Status in grub2 source package in Xenial:
  Fix Committed
Status in grub2-signed source package in Xenial:
  Fix Committed
Status in grub2 source package in Bionic:
  Fix Committed
Status in grub2-signed source package in Bionic:
  Fix Committed
Status in grub2 source package in Focal:
  Fix Committed
Status in grub2-signed source package in Focal:
  Fix Committed
Status in grub2 source package in Groovy:
  Fix Committed
Status in grub2-signed source package in Groovy:
  Fix Committed
Status in grub2 source package in Hirsute:
  Fix Released
Status in grub2-signed source package in Hirsute:
  Fix Released

Bug description:
  [Impact]

  The proposal is to split src:grub2 into two source packages.

  src:grub2 will continue to build most things, apart from bin|dbg
  |signing-tempate binary packages for platforms that get signed.

  src:grub2-unsigned source package is source-full copy of src:grub2
  that only builds bin|dbg|signing-tempate binary packages for platforms
  that get signed and submits monolithic binaries for signing.

  src:grub2-signed is built as before, but its maintainer scripts should
  be compatible across grub2-common from precise and up.

  Stable series will receive grub2 update that drops building bin|dbg
  |signing-template.

  Stable series will receive binary-copy of grub2-unsigned &
  grub2-signed, thus on signed platforms EFI apps and modules will be
  the same across all series.

  [Caveats]

  * In devel series, always upload grub2 with matching
  src:grub2-unsigned and src:grub2-signed. The unsigned package can be
  build with ./debian/rules generate-grub2-unsigned command from
  src:grub2.

  * In stable series, only upload src:grub2 when fixes needed in update-
  grub / grub.cfg / grub-install / etc, but not in the efi modules &
  apps.

  * As needed, binary copy grub2-unsigned & grub2-signed from later
  series to stable series.

  [Test Case]

   * Upgrade to new packages

   * Observe that system boots, one can use grub-mkimage / grub-mkrescue
  without issues.

  [Where problems could occur]

   * There might be regression on the EFI platforms with grub 2.04 that
  have not so far been caught on Focal / Groovy / Hirsute.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1915536/+subscriptions