[ubuntu/focal-proposed] grub2_2.04-1ubuntu47.5_arm64.tar.gz - (Accepted)

Chris Coulson chris.coulson at canonical.com
Fri Dec 9 00:20:37 UTC 2022


grub2-unsigned (2.04-1ubuntu47.5) focal; urgency=medium

  [ Chris Coulson ]
  * SECURITY UPDATE: Fix out of bounds writes due to specially crafted fonts.
    - add debian/patches/font-Fix-several-integer-overflows-in-grub_font_construct.patch
    - add debian/patches/font-Fix-an-integer-underflow-in-blit_comb.patch
    - CVE-2022-2601, CVE-2022-3775
    - LP: #1996950
  * Fix various issues as a result of fuzzing, static analysis and code
    review:
    - add debian/patches/font-Reject-glyphs-exceeds-font-max_glyph_width-or-font-m.patch
    - add debian/patches/font-Fix-size-overflow-in-grub_font_get_glyph_internal.patch
    - add debian/patches/font-Remove-grub_font_dup_glyph.patch
    - add debian/patches/font-Fix-integer-overflow-in-ensure_comb_space.patch
    - add debian/patches/font-Fix-integer-overflow-in-BMP-index.patch
    - add debian/patches/font-Fix-integer-underflow-in-binary-search-of-char-index.patch
    - add debian/patches/fbutil-Fix-integer-overflow.patch
    - add debian/patches/font-Harden-grub_font_blit_glyph-and-grub_font_blit_glyph.patch
    - add debian/patches/font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
    - add debian/patches/normal-charset-Fix-an-integer-overflow-in-grub_unicode_ag.patch
  * Forbid loading of external fonts when secure boot is enabled:
    - add debian/patches/font-Forbid-loading-of-font-files-when-secure-boot-is-ena.patch
  * Bundle unicode.pf2 in a squashfs memdisk attached to the signed EFI binary
    - update debian/control
    - update debian/build-efi-image
    - add debian/patches/font-Try-opening-fonts-from-the-bundled-memdisk.patch
  * Fix the squashfs tests during the build
    - remove debian/patches/ubuntu-fix-reproducible-squashfs-test.patch
    - add debian/patches/tests-Explicitly-unset-SOURCE_DATE_EPOCH-before-running-f.patch
  * Bump SBAT generation:
    - update debian/sbat.ubuntu.csv.in
  * Make grub-efi-{amd64,arm64} depend on grub2-common 2.02~beta2-36ubuntu3.33
    in xenial and 2.02-2ubuntu8.25 in bionic to fix LP: #1995751 (thanks
    Julian Klode for the base-files hack to make a single binary be able to
    depend on 2 different versions of the same package)

  [ dann frazier ]
  * linuxefi: Invalidate i-cache before starting the kernel (LP: #1987924)
    - d/p/linuxefi-Invalidate-i-cache-before-starting-the-kern.patch

Date: Thu, 17 Nov 2022 13:27:15 +0000
Changed-By: Chris Coulson <chris.coulson at canonical.com>
Maintainer: Launchpad Build Daemon <buildd at bos02-arm64-055.buildd>

-------------- next part --------------
Format: 1.8
Date: Thu, 17 Nov 2022 13:27:15 +0000
Source: grub2-unsigned
Binary: grub-efi-arm64 grub-efi-arm64-bin grub-efi-arm64-dbg
Architecture: arm64 arm64_translations
Version: 2.04-1ubuntu47.5
Distribution: focal
Urgency: medium
Maintainer: Launchpad Build Daemon <buildd at bos02-arm64-055.buildd>
Changed-By: Chris Coulson <chris.coulson at canonical.com>
Description:
 grub-efi-arm64 - GRand Unified Bootloader, version 2 (ARM64 UEFI version)
 grub-efi-arm64-bin - GRand Unified Bootloader, version 2 (ARM64 UEFI modules)
 grub-efi-arm64-dbg - GRand Unified Bootloader, version 2 (ARM64 UEFI debug files)
Launchpad-Bugs-Fixed: 1987924 1995751 1996950
Changes:
 grub2-unsigned (2.04-1ubuntu47.5) focal; urgency=medium
 .
   [ Chris Coulson ]
   * SECURITY UPDATE: Fix out of bounds writes due to specially crafted fonts.
     - add debian/patches/font-Fix-several-integer-overflows-in-grub_font_construct.patch
     - add debian/patches/font-Fix-an-integer-underflow-in-blit_comb.patch
     - CVE-2022-2601, CVE-2022-3775
     - LP: #1996950
   * Fix various issues as a result of fuzzing, static analysis and code
     review:
     - add debian/patches/font-Reject-glyphs-exceeds-font-max_glyph_width-or-font-m.patch
     - add debian/patches/font-Fix-size-overflow-in-grub_font_get_glyph_internal.patch
     - add debian/patches/font-Remove-grub_font_dup_glyph.patch
     - add debian/patches/font-Fix-integer-overflow-in-ensure_comb_space.patch
     - add debian/patches/font-Fix-integer-overflow-in-BMP-index.patch
     - add debian/patches/font-Fix-integer-underflow-in-binary-search-of-char-index.patch
     - add debian/patches/fbutil-Fix-integer-overflow.patch
     - add debian/patches/font-Harden-grub_font_blit_glyph-and-grub_font_blit_glyph.patch
     - add debian/patches/font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
     - add debian/patches/normal-charset-Fix-an-integer-overflow-in-grub_unicode_ag.patch
   * Forbid loading of external fonts when secure boot is enabled:
     - add debian/patches/font-Forbid-loading-of-font-files-when-secure-boot-is-ena.patch
   * Bundle unicode.pf2 in a squashfs memdisk attached to the signed EFI binary
     - update debian/control
     - update debian/build-efi-image
     - add debian/patches/font-Try-opening-fonts-from-the-bundled-memdisk.patch
   * Fix the squashfs tests during the build
     - remove debian/patches/ubuntu-fix-reproducible-squashfs-test.patch
     - add debian/patches/tests-Explicitly-unset-SOURCE_DATE_EPOCH-before-running-f.patch
   * Bump SBAT generation:
     - update debian/sbat.ubuntu.csv.in
   * Make grub-efi-{amd64,arm64} depend on grub2-common 2.02~beta2-36ubuntu3.33
     in xenial and 2.02-2ubuntu8.25 in bionic to fix LP: #1995751 (thanks
     Julian Klode for the base-files hack to make a single binary be able to
     depend on 2 different versions of the same package)
 .
   [ dann frazier ]
   * linuxefi: Invalidate i-cache before starting the kernel (LP: #1987924)
     - d/p/linuxefi-Invalidate-i-cache-before-starting-the-kern.patch
Original-Maintainer: GRUB Maintainers <pkg-grub-devel at alioth-lists.debian.net>

