[Bug 1996950] Re: CVE-2022-2601, CVE-2022-3775: font security fixes

Ɓukasz Zemczak 1996950 at bugs.launchpad.net
Wed Jan 18 18:15:22 UTC 2023 

Hello Julian, or anyone else affected,

Accepted grub2-unsigned into bionic-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/grub2-unsigned/2.06-2ubuntu14 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
bionic to verification-done-bionic. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-bionic. In either case, without details of your testing we will
not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: grub2-unsigned (Ubuntu Bionic)
       Status: New => Fix Committed

** Tags added: verification-needed-bionic

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1996950

Title:
  CVE-2022-2601, CVE-2022-3775: font security fixes

Status in grub2-signed package in Ubuntu:
  Fix Released
Status in grub2-unsigned package in Ubuntu:
  Fix Released
Status in grub2-signed source package in Bionic:
  New
Status in grub2-unsigned source package in Bionic:
  Fix Committed
Status in grub2-signed source package in Focal:
  Fix Released
Status in grub2-unsigned source package in Focal:
  Fix Committed
Status in grub2-signed source package in Jammy:
  New
Status in grub2-unsigned source package in Jammy:
  Fix Committed
Status in grub2-signed source package in Kinetic:
  New
Status in grub2-unsigned source package in Kinetic:
  Fix Committed
Status in grub2-signed source package in Lunar:
  Fix Released
Status in grub2-unsigned source package in Lunar:
  Fix Released

Bug description:
  [Impact]
  security update staged in updates

  [Test plan]
  Boot it on multiple systems. Notably juliank will be doing semi-automated testing in QEMU that does chainbooting over network (shim->grub->shim->grub); and boots on T14 G3 AMD and an XPS 13; chrisccoulson did his own security testing before that.

  [Where problems could occur]
  Font loading is disabled, could cause rendering issues

  Unicode font stuffed in xz squashfs, could cause more memory issues
  during boot

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2-signed/+bug/1996950/+subscriptions

More information about the foundations-bugs mailing list