[ubuntu/focal-proposed] grub2_2.04-1ubuntu42_arm64.tar.gz - (Accepted)

Dimitri John Ledkov xnox at ubuntu.com
Tue Mar 2 19:11:03 UTC 2021


grub2-unsigned (2.04-1ubuntu42) hirsute; urgency=medium

  * SECURITY UPDATE: acpi command allows privileged user to load crafted
    ACPI tables when secure boot is enabled.
    - 0126-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch: Don't
      register the acpi command when secure boot is enabled.
    - CVE-2020-14372
  * SECURITY UPDATE: use-after-free in rmmod command
    - 0128-dl-Only-allow-unloading-modules-that-are-not-depende.patch: Don't
      allow rmmod to unload modules that are dependencies of other modules.
    - CVE-2020-25632
  * SECURITY UPDATE: out-of-bound write in grub_usb_device_initialize()
    - 0129-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
    - CVE-2020-25647
  * SECURITY UPDATE: Stack buffer overflow in grub_parser_split_cmdline
    - 0206-kern-parser-Introduce-process_char-helper.patch,
      0207-kern-parser-Introduce-terminate_arg-helper.patch,
      0208-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch,
      0209-kern-buffer-Add-variable-sized-heap-buffer.patch,
      0210-kern-parser-Fix-a-stack-buffer-overflow.patch: Add a variable
      sized heap buffer type and use this.
    - CVE-2020-27749
  * SECURITY UPDATE: cutmem command allows privileged user to remove memory
    regions when Secure Boot is enabled.
    - 0127-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch:
      Don't register cutmem and badram commands when secure boot is enabled.
    - CVE-2020-27779
  * SECURITY UPDATE: heap out-of-bounds write in short form option parser.
    - 0173-lib-arg-Block-repeated-short-options-that-require-an.patch:
      Block repeated short options that require an argument.
    - CVE-2021-20225
  * SECURITY UPDATE: heap out-of-bound write due to mis-calculation of space
    required for quoting.
    - 0175-commands-menuentry-Fix-quoting-in-setparams_prefix.patch: Fix
      quoting in setparams_prefix()
    - CVE-2021-20233
  * Partially backport the lockdown framework to restrict certain features
    when secure boot is enabled.
  * Backport various fixes for Coverity defects.
  * Add SBAT metadata to the grub EFI binary.
    - Backport patches to support adding SBAT metadata with grub-mkimage:
      + 0212-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
      + 0213-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
      + 0214-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
      + 0215-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
      + 0216-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
      + 0217-util-mkimage-Improve-data_size-value-calculation.patch
      + 0218-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
      + 0219-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
    - Add debian/sbat.csv.in
    - Update debian/build-efi-image and debian/rules

  [ Dimitri John Ledkov & Steve Langasek LP: #1915536 ]
  * Allow grub-efi-amd64|arm64 & -bin & -dbg be built by
    src:grub2-unsigned (potentially of a higher version number).
  * Add debian/rules generate-grub2-unsigned target to quickly build
    src:grub2-unsigned for binary-copy backports.
  * postinst: allow postinst to work with or without grub-multi-install
    binary.
  * postinst: allow using various grub-install options to achieve
    --no-extra-removable.
  * postinst: only call grub-check-signatures if it exists.
  * control: relax dependency on grub2-common, as maintainer script got
    fixed up to work with grub2-common/grub-common as far back as trusty.
  * control: allow higher version dependencies from grub-efi package.
  * dirs.in: create var/lib/grub/ucf in grub-efi-amd64 (and similar) as
    postinst script uses that directory, and yet relies on grub-common to
    create/ship it, which is not true in older releases. Also make sure
    dh_installdirs runs after the .dirs files are generated.

Date: Tue, 23 Feb 2021 16:23:39 +0000
Changed-By: Dimitri John Ledkov <xnox at ubuntu.com>
Maintainer: Launchpad Build Daemon <buildd at bos02-arm64-028.buildd>

-------------- next part --------------
Format: 1.8
Date: Tue, 23 Feb 2021 16:23:39 +0000
Source: grub2-unsigned
Binary: grub-efi-arm64 grub-efi-arm64-bin grub-efi-arm64-dbg
Built-For-Profiles: noudeb
Architecture: arm64
Version: 2.04-1ubuntu42
Distribution: hirsute
Urgency: medium
Maintainer: Launchpad Build Daemon <buildd at bos02-arm64-028.buildd>
Changed-By: Dimitri John Ledkov <xnox at ubuntu.com>
Description:
 grub-efi-arm64 - GRand Unified Bootloader, version 2 (ARM64 UEFI version)
 grub-efi-arm64-bin - GRand Unified Bootloader, version 2 (ARM64 UEFI modules)
 grub-efi-arm64-dbg - GRand Unified Bootloader, version 2 (ARM64 UEFI debug files)
Launchpad-Bugs-Fixed: 1915536
Original-Maintainer: GRUB Maintainers <pkg-grub-devel at alioth-lists.debian.net>

