[Bug 1995751] Re: update to 2.04-1ubuntu47.4 drops zz-update-grub

Launchpad Bug Tracker 1995751 at bugs.launchpad.net
Wed Jan 11 05:29:17 UTC 2023


This bug was fixed in the package grub2-unsigned - 2.04-1ubuntu47.5

---------------
grub2-unsigned (2.04-1ubuntu47.5) focal; urgency=medium

  [ Chris Coulson ]
  * SECURITY UPDATE: Fix out of bounds writes due to specially crafted fonts.
    - add debian/patches/font-Fix-several-integer-overflows-in-grub_font_construct.patch
    - add debian/patches/font-Fix-an-integer-underflow-in-blit_comb.patch
    - CVE-2022-2601, CVE-2022-3775
    - LP: #1996950
  * Fix various issues as a result of fuzzing, static analysis and code
    review:
    - add debian/patches/font-Reject-glyphs-exceeds-font-max_glyph_width-or-font-m.patch
    - add debian/patches/font-Fix-size-overflow-in-grub_font_get_glyph_internal.patch
    - add debian/patches/font-Remove-grub_font_dup_glyph.patch
    - add debian/patches/font-Fix-integer-overflow-in-ensure_comb_space.patch
    - add debian/patches/font-Fix-integer-overflow-in-BMP-index.patch
    - add debian/patches/font-Fix-integer-underflow-in-binary-search-of-char-index.patch
    - add debian/patches/fbutil-Fix-integer-overflow.patch
    - add debian/patches/font-Harden-grub_font_blit_glyph-and-grub_font_blit_glyph.patch
    - add debian/patches/font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
    - add debian/patches/normal-charset-Fix-an-integer-overflow-in-grub_unicode_ag.patch
  * Forbid loading of external fonts when secure boot is enabled:
    - add debian/patches/font-Forbid-loading-of-font-files-when-secure-boot-is-ena.patch
  * Bundle unicode.pf2 in a squashfs memdisk attached to the signed EFI binary
    - update debian/control
    - update debian/build-efi-image
    - add debian/patches/font-Try-opening-fonts-from-the-bundled-memdisk.patch
  * Fix the squashfs tests during the build
    - remove debian/patches/ubuntu-fix-reproducible-squashfs-test.patch
    - add debian/patches/tests-Explicitly-unset-SOURCE_DATE_EPOCH-before-running-f.patch
  * Bump SBAT generation:
    - update debian/sbat.ubuntu.csv.in
  * Make grub-efi-{amd64,arm64} depend on grub2-common 2.02~beta2-36ubuntu3.33
    in xenial and 2.02-2ubuntu8.25 in bionic to fix LP: #1995751 (thanks
    Julian Klode for the base-files hack to make a single binary be able to
    depend on 2 different versions of the same package)

  [ dann frazier ]
  * linuxefi: Invalidate i-cache before starting the kernel (LP: #1987924)
    - d/p/linuxefi-Invalidate-i-cache-before-starting-the-kern.patch

  [ Chris Coulson ]
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Chris Coulson <chris.coulson at canonical.com>  Thu, 17 Nov 2022 13:27:15 +0000

** Changed in: grub2-unsigned (Ubuntu Focal)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-2601

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3775

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1995751

Title:
  update to 2.04-1ubuntu47.4 drops zz-update-grub

Status in grub2 package in Ubuntu:
  Invalid
Status in grub2-unsigned package in Ubuntu:
  Confirmed
Status in grub2 source package in Bionic:
  Fix Released
Status in grub2-unsigned source package in Bionic:
  Confirmed
Status in grub2-unsigned source package in Focal:
  Fix Released

Bug description:
  [Impact]
  New kernels don't appear in boot menu after install

  [Test plan]
  On a bionic VM, purge all grub and shim packages.

  Test 1: Upgrade release EFI stack
  - Install shim-signed with only release pocket
  - Enable -updates and add the proposed package, and upgrade

  Test 2: Upgrade broken EFI stack
  - Install shim-signed with only release and updates pocket
  - Upgrade grub2 binaries from proposed

  Test 3: Install latest EFI stack
  - Install shim-signed with release, updates, proposed grub2 enabled.

  Test 1a: Upgrade hybrid release stack:
  (same as 1, but install shim-signed and grub-pc)
  Test 2a: Upgrade hybrid broken stack:
  (same as 2, but install shim-signed and grub-pc)
  Test 3a: Upgrade hybrid broken stack:
  (same as 2, but install shim-signed and grub-pc)

  In all cases check that no errors occur and the
  /etc/kernel/postinst.d/zz-update-grub script exists at the end.

  Test 10: (grub2-unsigned)

  Ensure that grub-efi-{amd64,arm64} binary cannot be installed with
  older grub2-common binary installed  / pulls in new binary.

  Test 20: (grub2-signed)

  Ensure that grub-efi-{amd64,arm64}-signed binary cannot be installed
  with older grub2-common binary installed / pulls in new binary.

  [Where problems could occur]
  Could have missed a grub-.* binary or gotten the versions wrong and cause file conflicts.

  [build in -security]
  SRU is built in -security and binary copied to facilitate releasing the security update to grub2-unsigned that needs it.

  [Original bug report]
  A user reported that the GRUB menu was no longer being updated on a freshly deployed bionic system, and that this appears to be because /etc/kernel/postinst.d/zz-update-grub has disappeared.

  # The version in the bionic-security pocket has it:
  ubuntu at akis:~$ dpkg -c grub-efi-amd64_2.04-1ubuntu44.1.2_amd64.deb | grep zz
  -rwxr-xr-x root/root       646 2021-03-03 11:42 ./etc/kernel/postinst.d/zz-update-grub
  -rwxr-xr-x root/root       646 2021-03-03 11:42 ./etc/kernel/postrm.d/zz-update-grub

  # The version in bionic-updates does not:
  ubuntu at akis:~$ dpkg -c grub-efi-amd64_2.04-1ubuntu47.4_amd64.deb | grep zz
  ubuntu at akis:~$

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1995751/+subscriptions
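
The final check of the test plan above (the zz-update-grub hooks must still be shipped), as an added example that is not part of the original bug notification or of the grub2 packaging. The function names and the second listing are constructed for illustration; the two hook lines in the first listing are copied from the report.

```shell
#!/bin/sh
# Added example: audit a `dpkg -c` listing (read from stdin) for the kernel
# hooks named in this bug. Prints every required hook that is absent or not
# an executable regular file; prints nothing when both hooks are shipped.
missing_kernel_hooks() {
    awk '
        BEGIN {
            need["./etc/kernel/postinst.d/zz-update-grub"] = 1
            need["./etc/kernel/postrm.d/zz-update-grub"] = 1
        }
        # dpkg -c prints tar-style lines: mode owner size date time path
        ($NF in need) {
            # accept only a regular file with the owner execute bit set
            if ($1 ~ /^-..x/) delete need[$NF]
        }
        END { for (p in need) print p }
    ' | sort
}

# Listing with both hooks (hook lines as quoted in the report).
good_listing() {
    cat <<'EOF'
drwxr-xr-x root/root         0 2021-03-03 11:42 ./etc/kernel/
-rwxr-xr-x root/root       646 2021-03-03 11:42 ./etc/kernel/postinst.d/zz-update-grub
-rwxr-xr-x root/root       646 2021-03-03 11:42 ./etc/kernel/postrm.d/zz-update-grub
EOF
}

# Constructed listing of a package that ships neither hook.
bad_listing() {
    cat <<'EOF'
drwxr-xr-x root/root         0 2022-11-17 13:27 ./usr/share/doc/
-rw-r--r-- root/root      1024 2022-11-17 13:27 ./usr/share/doc/placeholder
EOF
}

# Stand-alone use: pass the path of a .deb to audit it with dpkg -c.
if [ "$#" -gt 0 ]; then
    report=$(dpkg -c "$1" | missing_kernel_hooks)
    if [ -n "$report" ]; then
        printf 'missing or non-executable kernel hooks:\n%s\n' "$report"
        exit 1
    fi
fi
```

A hook that is present but has lost its execute bit is reported as well, since the kernel postinst.d hooks are run as executables.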