[ubuntu/focal-proposed] grub2_2.04-1ubuntu47.5_amd64.tar.gz - (Accepted)

Chris Coulson chris.coulson at canonical.com
Fri Dec 9 00:20:37 UTC 2022


grub2-unsigned (2.04-1ubuntu47.5) focal; urgency=medium

  [ Chris Coulson ]
  * SECURITY UPDATE: Fix out of bounds writes due to specially crafted fonts.
    - add debian/patches/font-Fix-several-integer-overflows-in-grub_font_construct.patch
    - add debian/patches/font-Fix-an-integer-underflow-in-blit_comb.patch
    - CVE-2022-2601, CVE-2022-3775
    - LP: #1996950
  * Fix various issues as a result of fuzzing, static analysis and code
    review:
    - add debian/patches/font-Reject-glyphs-exceeds-font-max_glyph_width-or-font-m.patch
    - add debian/patches/font-Fix-size-overflow-in-grub_font_get_glyph_internal.patch
    - add debian/patches/font-Remove-grub_font_dup_glyph.patch
    - add debian/patches/font-Fix-integer-overflow-in-ensure_comb_space.patch
    - add debian/patches/font-Fix-integer-overflow-in-BMP-index.patch
    - add debian/patches/font-Fix-integer-underflow-in-binary-search-of-char-index.patch
    - add debian/patches/fbutil-Fix-integer-overflow.patch
    - add debian/patches/font-Harden-grub_font_blit_glyph-and-grub_font_blit_glyph.patch
    - add debian/patches/font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
    - add debian/patches/normal-charset-Fix-an-integer-overflow-in-grub_unicode_ag.patch
  * Forbid loading of external fonts when secure boot is enabled:
    - add debian/patches/font-Forbid-loading-of-font-files-when-secure-boot-is-ena.patch
  * Bundle unicode.pf2 in a squashfs memdisk attached to the signed EFI binary
    - update debian/control
    - update debian/build-efi-image
    - add debian/patches/font-Try-opening-fonts-from-the-bundled-memdisk.patch
  * Fix the squashfs tests during the build
    - remove debian/patches/ubuntu-fix-reproducible-squashfs-test.patch
    - add debian/patches/tests-Explicitly-unset-SOURCE_DATE_EPOCH-before-running-f.patch
  * Bump SBAT generation:
    - update debian/sbat.ubuntu.csv.in
  * Make grub-efi-{amd64,arm64} depend on grub2-common 2.02~beta2-36ubuntu3.33
    in xenial and 2.02-2ubuntu8.25 in bionic to fix LP: #1995751 (thanks
    Julian Klode for the base-files hack to make a single binary be able to
    depend on 2 different versions of the same package)

  [ dann frazier ]
  * linuxefi: Invalidate i-cache before starting the kernel (LP: #1987924)
    - d/p/linuxefi-Invalidate-i-cache-before-starting-the-kern.patch

Date: Thu, 17 Nov 2022 13:27:15 +0000
Changed-By: Chris Coulson <chris.coulson at canonical.com>
Maintainer: Launchpad Build Daemon <buildd at lcy02-amd64-059.buildd>

-------------- next part --------------
Format: 1.8
Date: Thu, 17 Nov 2022 13:27:15 +0000
Source: grub2-unsigned
Binary: grub-efi-amd64 grub-efi-amd64-bin grub-efi-amd64-dbg
Architecture: amd64 amd64_translations
Version: 2.04-1ubuntu47.5
Distribution: focal
Urgency: medium
Maintainer: Launchpad Build Daemon <buildd at lcy02-amd64-059.buildd>
Changed-By: Chris Coulson <chris.coulson at canonical.com>
Description:
 grub-efi-amd64 - GRand Unified Bootloader, version 2 (EFI-AMD64 version)
 grub-efi-amd64-bin - GRand Unified Bootloader, version 2 (EFI-AMD64 modules)
 grub-efi-amd64-dbg - GRand Unified Bootloader, version 2 (EFI-AMD64 debug files)
Launchpad-Bugs-Fixed: 1987924 1995751 1996950
Original-Maintainer: GRUB Maintainers <pkg-grub-devel at alioth-lists.debian.net>

