[Bug 1911440] Re: Build using distro minilzo

Łukasz Zemczak 1911440 at bugs.launchpad.net
Tue Jan 19 18:50:05 UTC 2021 

I guess the way it's done might be a bit confusing at first, since not
sure if it will be completely obvious from first glance that not the
vendored minilzo is used but instead the sources are overwritten via
debian/rules. Maybe a mention in README.source could be useful. On the
other hand, I think stuff in grub2 is already very confusing so oh well.
Let's just proceed!

** Changed in: grub2 (Ubuntu Groovy)
       Status: New => Fix Committed

** Tags added: verification-needed verification-needed-groovy

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1911440

Title:
  Build using distro minilzo

Status in grub2 package in Ubuntu:
  Fix Released
Status in grub2-signed package in Ubuntu:
  Fix Released
Status in grub2 source package in Focal:
  Fix Committed
Status in grub2-signed source package in Focal:
  Fix Committed
Status in grub2 source package in Groovy:
  Fix Committed
Status in grub2-signed source package in Groovy:
  Fix Committed
Status in grub2 source package in Hirsute:
  Fix Released
Status in grub2-signed source package in Hirsute:
  Fix Released

Bug description:
  [Impact]

   * grub2 builds freestanding libc-less minilzo library to be used by the bootloader code.
   * It has a vendorized copy of it, whilst the distribution has newer copies of it.
   * Specifically distribution build has FTBFS fixes for new compiler and CVE fixes, specifically https://ubuntu.com/security/cve-2014-4607

  CVE-2014-4607

   * Building grub with minilzo from the archive seems to be the best
  way to keep minilzo up to date and secure

  [Test Case]

   * Check that grub can open lzo compressed files in the command line
  prompt, for example by having /boot on btrfs filesystem with
  compress=lzo option.

  [Where problems could occur]

   * Changes limited to lzo compression, so for example grub may fail to
  mount / read data off btrfs filesystem with compress=lzo

  [Other Info]

  Fixed in:

  hirsute grub2 2.04-1ubuntu37
  hirsute grub2-signed 1.157

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1911440/+subscriptions

More information about the foundations-bugs mailing list