← Back to team overview

group.of.nepali.translators team mailing list archive

[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

 

This bug was fixed in the package grub2-unsigned - 2.06-2ubuntu10

---------------
grub2-unsigned (2.06-2ubuntu10) jammy; urgency=medium

  [ Chris Coulson ]
  * SECURITY UPDATE: Crafted PNG grayscale images may lead to out-of-bounds
    write in heap.
    - 0139-video-readers-png-Drop-greyscale-support-to-fix-heap.patch:
      video/readers/png: Drop greyscale support to fix heap out-of-bounds write
    - CVE-2021-3695
  * SECURITY UPDATE: Crafted PNG image may lead to out-of-bound write during
    huffman table handling.
    - 0140-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch:
      video/readers/png: Avoid heap OOB R/W inserting huff table items
    - CVE-2021-3696
  * SECURITY UPDATE: Crafted JPEG image can lead to buffer underflow write in
    the heap.
    - 0145-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch:
      video/readers/jpeg: Block int underflow -> wild pointer write
    - CVE-2021-3697
  * SECURITY UPDATE: Integer underflow in grub_net_recv_ip4_packets
    - 0148-net-ip-Do-IP-fragment-maths-safely.patch: net/ip: Do IP fragment
      maths safely
    - CVE-2022-28733
  * SECURITY UPDATE: Out-of-bounds write when handling split HTTP headers
    - 0154-net-http-Fix-OOB-write-for-split-http-headers.patch: net/http: Fix
      OOB write for split http headers
    - CVE-2022-28734
  * SECURITY UPDATE: shim_lock verifier allows non-kernel files to be loaded
    - 0135-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch:
      kern/efi/sb: Reject non-kernel files in the shim_lock verifier
    - CVE-2022-28735
  * SECURITY UPDATE: use-after-free in grub_cmd_chainloader()
    - 0130-loader-efi-chainloader-simplify-the-loader-state.patch:
      loader/efi/chainloader: simplify the loader state
    - 0131-commands-boot-Add-API-to-pass-context-to-loader.patch: commands/boot:
      Add API to pass context to loader
    - 0132-loader-efi-chainloader-Use-grub_loader_set_ex.patch:
      loader/efi/chainloader: Use grub_loader_set_ex
    - 0133-loader-i386-efi-linux-Use-grub_loader_set_ex.patch:
      loader/i386/efi/linux: Use grub_loader_set_ex
  * Various fixes as a result of fuzzing and static analysis:
    - 0129-loader-efi-chainloader-grub_load_and_start_image-doe.patch:
      loader/efi/chainloader: grub_load_and_start_image doesn't load and start
    - 0134-loader-i386-efi-linux-Fix-a-memory-leak-in-the-initr.patch:
      loader/i386/efi/linux: Fix a memory leak in the initrd command
    - 0136-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch:
      kern/file: Do not leak device_name on error in grub_file_open()
    - 0137-video-readers-png-Abort-sooner-if-a-read-operation-f.patch:
      video/readers/png: Abort sooner if a read operation fails
    - 0138-video-readers-png-Refuse-to-handle-multiple-image-he.patch:
      video/readers/png: Refuse to handle multiple image headers
    - 0141-video-readers-png-Sanity-check-some-huffman-codes.patch:
      video/readers/png: Sanity check some huffman codes
    - 0142-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch:
      video/readers/jpeg: Abort sooner if a read operation fails
    - 0143-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch:
      video/readers/jpeg: Do not reallocate a given huff table
    - 0144-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch:
      video/readers/jpeg: Refuse to handle multiple start of streams
    - 0146-normal-charset-Fix-array-out-of-bounds-formatting-un.patch:
      normal/charset: Fix array out-of-bounds formatting unicode for display
    - 0147-net-netbuff-Block-overly-large-netbuff-allocs.patch:
      net/netbuff: Block overly large netbuff allocs
    - 0149-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch:
      net/dns: Fix double-free addresses on corrupt DNS response
    - 0150-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch:
      net/dns: Don't read past the end of the string we're checking against
    - 0151-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch:
      net/tftp: Prevent a UAF and double-free from a failed seek
    - 0152-net-tftp-Avoid-a-trivial-UAF.patch: net/tftp: Avoid a trivial UAF
    - 0153-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch:
      net/http: Do not tear down socket if it's already been torn down
    - 0155-net-http-Error-out-on-headers-with-LF-without-CR.patch:
      net/http: Error out on headers with LF without CR
    - 0156-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch:
      fs/f2fs: Do not read past the end of nat journal entries
    - 0157-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch:
      fs/f2fs: Do not read past the end of nat bitmap
    - 0158-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch:
      fs/f2fs: Do not copy file names that are too long
    - 0159-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch:
      fs/btrfs: Fix several fuzz issues with invalid dir item sizing
    - 0160-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch:
      fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing
    - 0161-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch:
      fs/btrfs: Fix more fuzz issues related to chunks
  * Bump SBAT generation:
    - update debian/sbat.ubuntu.csv.in
  * Make the grub2/no_efi_extra_removable setting work correctly
    - update debian/postinst.in
  * Build grub2-unsigned packages with xz compression for compatibility
    with xenial dpkg
    - update debian/rules

  [ Steve Langasek ]
  * Bump versioned dependency on grub2-common to 2.02~beta2-36ubuntu3.32 for
    necessary arm relocation support.  LP: #1926748.
  * debian/postinst.in: Unconditionally call grub-install with
    --force-extra-removable on xenial and bionic, so that the \EFI\BOOT
    removable path as used in cloud images receives the updates.  LP: #1930742.

 -- Chris Coulson <chris.coulson@xxxxxxxxxxxxx>  Tue, 07 Jun 2022
17:36:27 +0100

** Changed in: grub2-unsigned (Ubuntu Jammy)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3695

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3696

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3697

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-28733

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-28734

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-28735

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1930742

Title:
  cloud images in xenial do not get their boot path updated because we
  don't call grub-install --force-extra-removable

Status in grub2-signed package in Ubuntu:
  Fix Released
Status in grub2-unsigned package in Ubuntu:
  Fix Released
Status in shim-signed package in Ubuntu:
  Invalid
Status in grub2-signed source package in Xenial:
  Fix Released
Status in grub2-unsigned source package in Xenial:
  Fix Released
Status in shim-signed source package in Xenial:
  Fix Released
Status in grub2-signed source package in Bionic:
  Fix Released
Status in grub2-unsigned source package in Bionic:
  Fix Released
Status in shim-signed source package in Bionic:
  Invalid
Status in grub2-unsigned source package in Jammy:
  Fix Released

Bug description:
  [Impact]
  Verification of the previous SRU, bug #1928674, exposed that we have a regression on xenial/arm64 cloud images because they boot from the removable media path, which is not updated by the maintainer scripts in those images; and because we have never supported the monolithic signed EFI executable on xenial/arm64, there is an ABI mismatch between the updated contents of /boot/grub and the not-updated contents of \EFI\boot\bootaa64.efi.

  The fact that \EFI\boot is not updated on xenial cloud images is ALSO
  an issue on amd64 - it doesn't lead to a boot failure there because we
  do support secureboot on xenial/amd64, so the bootloader doesn't
  depend on loading modules from /boot/grub; however, \EFI\boot not
  being uploaded means that the systems still do not benefit from the
  updated grub, AND are subject to boot failures in the future due to
  the fact that the old shim has been revoked by Microsoft and these
  revocations may propagate to the cloud instance's revocation database
  in nvram, one way or another.

  [Test Case]
  - Boot an arm64 Ubuntu image in AWS
  - Enable -proposed
  - Upgrade the grub-efi-amd64 package
  - Reboot
  - Verify that the system comes up

  - Boot an amd64 Ubuntu image in GCE
  - rm /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
  - touch /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
  - Enabled -proposed
  - Upgrade the grub-efi-amd64-signed package
  - Reboot
  - Verify that the system comes up
  - rm /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
  - touch /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
  - Upgrade the shim-signed package
  - Reboot
  - Verify that the system comes up

  [Where problems could occur]
  Because there were no provisions in the cloud images at the time they were built for updates to \EFI\boot, the only practical way to fix this for existing images (which is where the upgrade bug is an issue) is by unconditionally installing to the removable media path on all systems as part of the upgrade.  This means that non-cloud systems, which do not normally boot Ubuntu via \EFI\boot, will have the contents of \EFI\boot replaced when this was not previously the case (and contrary to the debconf setting).  In newer Ubuntu releases, we install to \EFI\boot unconditionally; but this is a behavior change in a stable series.  If a user has something other than Ubuntu grub+shim installed to \EFI\boot, this may be an unexpected behavior change from an SRU.

  The risk of this causing a problem for users is mitigated on bionic by
  the fact that all the most recent install media for Ubuntu 18.04 also
  install shim+grub to the removable path, so this is already the
  default behavior.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2-signed/+bug/1930742/+subscriptions



References