[Bug 1911440] Re: Build using distro minilzo

Dimitri John Ledkov 1911440 at bugs.launchpad.net
Mon Feb 15 13:09:52 UTC 2021 

** Changed in: grub2-signed (Ubuntu Groovy)
       Status: Fix Committed => Fix Released

** Description changed:

  [Impact]
  
   * grub2 builds freestanding libc-less minilzo library to be used by the bootloader code.
   * It has a vendorized copy of it, whilst the distribution has newer copies of it.
   * Specifically distribution build has FTBFS fixes for new compiler and CVE fixes, specifically https://ubuntu.com/security/cve-2014-4607
  
  CVE-2014-4607
  
   * Building grub with minilzo from the archive seems to be the best way
  to keep minilzo up to date and secure
  
  [Test Case]
  
   * Check that grub can open lzo compressed files in the command line
  prompt, for example by having /boot on btrfs filesystem with
  compress=lzo option.
  
  [Where problems could occur]
  
   * Changes limited to lzo compression, so for example grub may fail to
  mount / read data off btrfs filesystem with compress=lzo
  
  [Other Info]
  
  Fixed in:
  
  hirsute grub2 2.04-1ubuntu37
+ groovy grub2 2.04-1ubuntu35.2
+ focal grub2 2.04-1ubuntu26.8
+ 
  hirsute grub2-signed 1.157
+ groovy grub2-signed 1.155.2
+ focal grub2-signed 1.142.10

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1911440

Title:
  Build using distro minilzo

Status in grub2 package in Ubuntu:
  Fix Released
Status in grub2-signed package in Ubuntu:
  Fix Released
Status in grub2 source package in Focal:
  Fix Released
Status in grub2-signed source package in Focal:
  Fix Released
Status in grub2 source package in Groovy:
  Fix Released
Status in grub2-signed source package in Groovy:
  Fix Released
Status in grub2 source package in Hirsute:
  Fix Released
Status in grub2-signed source package in Hirsute:
  Fix Released

Bug description:
  [Impact]

   * grub2 builds freestanding libc-less minilzo library to be used by the bootloader code.
   * It has a vendorized copy of it, whilst the distribution has newer copies of it.
   * Specifically distribution build has FTBFS fixes for new compiler and CVE fixes, specifically https://ubuntu.com/security/cve-2014-4607

  CVE-2014-4607

   * Building grub with minilzo from the archive seems to be the best
  way to keep minilzo up to date and secure

  [Test Case]

   * Check that grub can open lzo compressed files in the command line
  prompt, for example by having /boot on btrfs filesystem with
  compress=lzo option.

  [Where problems could occur]

   * Changes limited to lzo compression, so for example grub may fail to
  mount / read data off btrfs filesystem with compress=lzo

  [Other Info]

  Fixed in:

  hirsute grub2 2.04-1ubuntu37
  groovy grub2 2.04-1ubuntu35.2
  focal grub2 2.04-1ubuntu26.8

  hirsute grub2-signed 1.157
  groovy grub2-signed 1.155.2
  focal grub2-signed 1.142.10

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1911440/+subscriptions

More information about the foundations-bugs mailing list