regression in xenial updates - grub2 cannot handle new arm64 relocations

Bug #1926748 reported by Dimitri John Ledkov
This bug affects 2 people
Affects                    Status         Importance   Assigned to   Milestone
grub2 (Ubuntu)             Fix Released   Undecided    Unassigned
  Trusty                   Confirmed      Undecided    Unassigned
  Xenial                   Fix Released   Undecided    Unassigned
grub2-signed (Ubuntu)      Invalid        Undecided    Unassigned
  Trusty                   Confirmed      Undecided    Unassigned
  Xenial                   Fix Released   Undecided    Unassigned
  Bionic                   Fix Released   Undecided    Unassigned
grub2-unsigned (Ubuntu)    Fix Released   Undecided    Unassigned
  Trusty                   Confirmed      Undecided    Unassigned
  Xenial                   Fix Released   Undecided    Unassigned
  Bionic                   Fix Released   Undecided    Unassigned
  Jammy                    Fix Released   Undecided    Unassigned

Bug Description

[Impact]

 * regression in xenial updates - grub2 cannot handle new relocations

 * grub-efi-arm64-bin gained new recommends on -signed package which is attempted to be installed

 * it pulls in one grub which was built with a newer toolchain and has more relocations

 * non-secureboot grub-install in xenial fails to install it when creating core.efi, because it does not know how to handle new relocations.

 * We need to cherrypick patches from 2.02 (which are in bionic+) to xenial & trusty.

[Test Plan]

 * install new grub2-common grub-common

 * install grub-efi-arm64-signed from xenial-updates

 * package installation should be successful

 * this is executed as part of autopkgtest upgrades when testing any package on xenial in our autopkgtest cloud

[Where problems could occur]

 * we are rebuilding grub2 which will have to go into security pocket eventually. Thus it's best to rebuild grub2 in security pocket.

tags: added: regresion-update-xenial regression-update xenial
removed: regression-up
Changed in grub2 (Ubuntu):
status: New → Fix Released
description: updated
Dimitri John Ledkov (xnox) wrote :
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Dimitri, or anyone else affected,

Accepted grub2 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02~beta2-36ubuntu3.32 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in grub2 (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed verification-needed-xenial
Julian Andres Klode (juliank) wrote :

I reran the update-notifier test that failed with grub error in xenial with the new grub added as trigger, and it installed now, so it's good to go :D

Unpacking grub-efi-arm64 (2.04-1ubuntu44) over (2.02~beta2-36ubuntu3.29) ...
Preparing to unpack .../grub-efi-arm64-bin_2.04-1ubuntu44_arm64.deb ...
Unpacking grub-efi-arm64-bin (2.04-1ubuntu44) over (2.02~beta2-36ubuntu3.29) ...
Preparing to unpack .../grub2-common_2.02~beta2-36ubuntu3.32_arm64.deb ...
Unpacking grub2-common (2.02~beta2-36ubuntu3.32) over (2.02~beta2-36ubuntu3.29) ...
Preparing to unpack .../grub-common_2.02~beta2-36ubuntu3.32_arm64.deb ...
Unpacking grub-common (2.02~beta2-36ubuntu3.32) over (2.02~beta2-36ubuntu3.29) ...
Selecting previously unselected package grub-efi-arm64-signed.
Preparing to unpack .../grub-efi-arm64-signed_1.167~16.04.1+2.04-1ubuntu44_arm64.deb ...
Unpacking grub-efi-arm64-signed (1.167~16.04.1+2.04-1ubuntu44) ...
Processing triggers for install-info (6.1.0.dfsg.1-5) ...
Processing triggers for man-db (2.7.5-1) ...
Processing triggers for systemd (229-4ubuntu21.31) ...
Setting up python-apt-common (1.1.0~beta1ubuntu0.16.04.12) ...
Setting up python3-apt (1.1.0~beta1ubuntu0.16.04.12) ...
Setting up grub-common (2.02~beta2-36ubuntu3.32) ...
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
Setting up grub-efi-arm64-bin (2.04-1ubuntu44) ...
Setting up grub2-common (2.02~beta2-36ubuntu3.32) ...
Setting up grub-efi-arm64 (2.04-1ubuntu44) ...
Installing for arm64-efi platform.
Installation finished. No error reported.
Generating grub configuration file ...
Warning: Setting GRUB_TIMEOUT to a non-zero value when GRUB_HIDDEN_TIMEOUT is set is no longer supported.
Found linux image: /boot/vmlinuz-4.4.0-210-generic
Found initrd image: /boot/initrd.img-4.4.0-210-generic
Adding boot menu entry for EFI firmware configuration
done
Setting up grub-efi-arm64-signed (1.167~16.04.1+2.04-1ubuntu44) ...
Installing for arm64-efi platform.
Installation finished. No error reported.
Reading package lists...
Building dependency tree...
Reading state information...

tags: added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.02~beta2-36ubuntu3.32

---------------
grub2 (2.02~beta2-36ubuntu3.32) xenial; urgency=medium

  * Cherrypick upstream commit to add support for
    R_AARCH64_ADR_PREL_PG_HI21, R_AARCH64_ADD_ABS_LO12_NC,
    R_AARCH64_LDST64_ABS_LO12_NC relocations in grub-install / mkimage to
    allow generating and installing grub.efi from one-grub modules. LP:
    #1926748

grub2 (2.02~beta2-36ubuntu3.31) xenial; urgency=medium

  [ Dimitri John Ledkov & Steve Langasek ]
  * Relax dependencies to allow grub-efi be installed with later versions
    of grub-efi-amd64. Stop building grub-efi-amd64|arm64{-bin,dbg}
    packages, now provided by src:grub2-unsigned. LP: #1915536

  [ Dimitri John Ledkov ]
  * Cherrypick 2.02+dfsg1-5 patch for x86-64: Treat R_X86_64_PLT32 as
    R_X86_64_PC32 to allow processing 2.04 grub modules built with newer
    binutils.

 -- Dimitri John Ledkov <email address hidden> Fri, 30 Apr 2021 13:33:21 +0100

Changed in grub2 (Ubuntu Xenial):
status: Fix Committed → Fix Released
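
The changelog above names three AArch64 relocation types that the older grub-install / mkimage could not process. The following C sketch is an added illustration, not GRUB's code and not part of this bug report: it shows what applying each of the three involves under the AArch64 ELF ABI, and it refuses any type it does not recognise instead of skipping it. The function apply_reloc, the status codes and the sample addresses are hypothetical names and constructed values.

```c
#include <stdint.h>
#include <stdio.h>

/* Relocation type numbers as defined by the AArch64 ELF ABI. */
#define R_AARCH64_ADR_PREL_PG_HI21    275
#define R_AARCH64_ADD_ABS_LO12_NC     277
#define R_AARCH64_LDST64_ABS_LO12_NC  286

/* Hypothetical status codes for this example. */
enum reloc_status {
  RELOC_OK = 0,
  RELOC_UNSUPPORTED,   /* type not known to this tool: refuse, never skip */
  RELOC_BAD_INSN,      /* word at the patch site is not the expected opcode */
  RELOC_OUT_OF_RANGE,  /* page delta does not fit ADRP's signed 21-bit field */
  RELOC_MISALIGNED     /* 64-bit load/store target is not 8-byte aligned */
};

#define ADRP_IMM_MASK 0x60ffffe0u  /* immlo [30:29] and immhi [23:5] */
#define IMM12_MASK    0x003ffc00u  /* imm12 [21:10] of ADD / LDR / STR */

/*
 * Patch one 32-bit instruction word.
 *   target = S + A (symbol address plus addend)
 *   place  = P     (address of the instruction being patched)
 */
static enum reloc_status
apply_reloc (uint32_t type, uint32_t insn, uint64_t target, uint64_t place,
             uint32_t *out)
{
  switch (type)
    {
    case R_AARCH64_ADR_PREL_PG_HI21:
      {
        /* Page(S+A) - Page(P); the page count goes into the ADRP immediate. */
        int64_t delta = (int64_t) ((target & ~0xfffULL) - (place & ~0xfffULL));
        uint32_t imm;

        if ((insn & 0x9f000000u) != 0x90000000u)   /* must be ADRP */
          return RELOC_BAD_INSN;
        if (delta < -(1LL << 32) || delta >= (1LL << 32))
          return RELOC_OUT_OF_RANGE;
        imm = (uint32_t) ((uint64_t) delta >> 12) & 0x1fffffu;
        *out = (insn & ~ADRP_IMM_MASK) | ((imm & 3u) << 29) | ((imm >> 2) << 5);
        return RELOC_OK;
      }
    case R_AARCH64_ADD_ABS_LO12_NC:
      if ((insn & 0x7fc00000u) != 0x11000000u)     /* ADD (immediate), no shift */
        return RELOC_BAD_INSN;
      /* Low 12 bits of the target, no overflow check (the "_NC" suffix). */
      *out = (insn & ~IMM12_MASK) | ((uint32_t) (target & 0xfff) << 10);
      return RELOC_OK;
    case R_AARCH64_LDST64_ABS_LO12_NC:
      if ((insn & 0xfb000000u) != 0xf9000000u)     /* 64-bit LDR/STR, unsigned offset */
        return RELOC_BAD_INSN;
      if (target & 7)
        return RELOC_MISALIGNED;
      /* The immediate is scaled by the access size, so bits [11:3] are stored. */
      *out = (insn & ~IMM12_MASK) | ((uint32_t) ((target & 0xfff) >> 3) << 10);
      return RELOC_OK;
    default:
      /* Unknown type: fail the whole image build instead of emitting
         an image with an unpatched instruction. */
      return RELOC_UNSUPPORTED;
    }
}

int
main (void)
{
  /* Constructed sample: adrp/add/ldr at 0x1000.. referring to address 0x5678,
     followed by a relocation type this tool does not implement. */
  static const struct { uint32_t type, insn; uint64_t target, place; } s[] = {
    { R_AARCH64_ADR_PREL_PG_HI21,   0x90000000u, 0x5678, 0x1000 },
    { R_AARCH64_ADD_ABS_LO12_NC,    0x91000000u, 0x5678, 0x1004 },
    { R_AARCH64_LDST64_ABS_LO12_NC, 0xf9400001u, 0x5678, 0x1008 },
    { 0xffff,                       0x90000000u, 0x5678, 0x100c },
  };
  unsigned i;

  for (i = 0; i < sizeof (s) / sizeof (s[0]); i++)
    {
      uint32_t out = 0;
      enum reloc_status st = apply_reloc (s[i].type, s[i].insn, s[i].target,
                                          s[i].place, &out);
      if (st == RELOC_OK)
        printf ("type %u: 0x%08x -> 0x%08x\n", (unsigned) s[i].type,
                (unsigned) s[i].insn, (unsigned) out);
      else
        printf ("type %u: refused (status %d)\n", (unsigned) s[i].type, (int) st);
    }
  return 0;
}
```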
Stéphane Graber (stgraber) wrote : Update Released

The verification of the Stable Release Update for grub2 has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Steve Langasek (vorlon)
Changed in grub2-unsigned (Ubuntu):
status: New → Invalid
Changed in grub2-signed (Ubuntu):
status: New → Invalid
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Dimitri, or anyone else affected,

Accepted grub2-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.167~18.04.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in grub2-signed (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic
removed: verification-done
Changed in grub2-unsigned (Ubuntu Bionic):
status: New → Fix Committed
Brian Murray (brian-murray) wrote :

Hello Dimitri, or anyone else affected,

Accepted grub2-unsigned into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-unsigned/2.04-1ubuntu44.1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in grub2-signed (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed-xenial
removed: verification-done-xenial
Brian Murray (brian-murray) wrote :

Hello Dimitri, or anyone else affected,

Accepted grub2-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.167~16.04.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Steve Langasek (vorlon) wrote :

Hello Dimitri, or anyone else affected,

Accepted grub2-unsigned into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-unsigned/2.04-1ubuntu44.1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in grub2-unsigned (Ubuntu Xenial):
status: New → Fix Committed
Joshua Powers (powersj) wrote :

# Bionic Verification

## Test Steps

Booted AWS arm64 baremetal and VM systems
Ran the following script: https://paste.ubuntu.com/p/B5XPR8StXy/
Ensure system successfully reboots

## Results

t4g.medium: https://paste.ubuntu.com/p/QH8Xrr4Sck/
c6g.metal: https://paste.ubuntu.com/p/4q688QqC4v/

Both systems successfully updated grub from proposed and rebooted.

Joshua Powers (powersj) wrote :

# Xenial AWS Verification

## Test Steps

Booted AWS arm64 baremetal and VM systems
Ran the following script: https://paste.ubuntu.com/p/B5XPR8StXy/
Ensure system successfully reboots

## Results

t4g.medium: https://paste.ubuntu.com/p/ys4hgfTfRm/
c6g.metal: https://paste.ubuntu.com/p/2RFYbCmFxh/

Both systems successfully updated grub from proposed and rebooted.

Joshua Powers (powersj) wrote :

Marking verification done

tags: added: verification-done verification-done-bionic verification-done-xenial
removed: verification-needed verification-needed-bionic verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-unsigned - 2.04-1ubuntu44.1.2

---------------
grub2-unsigned (2.04-1ubuntu44.1.2) bionic; urgency=medium

  * Bump versioned dependency on grub2-common to 2.02~beta2-36ubuntu3.32 for
    necessary arm relocation support. LP: #1926748.

grub2-unsigned (2.04-1ubuntu44.1.1) bionic; urgency=medium

  * debian/postinst.in: Unconditionally call grub-install with
    --force-extra-removable, so that the \EFI\BOOT removable path as used in
    cloud images receives the updates. LP: #1930742.

 -- Steve Langasek <email address hidden> Mon, 07 Jun 2021 13:12:58 -0700

Changed in grub2-unsigned (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-signed - 1.167~16.04.6

---------------
grub2-signed (1.167~16.04.6) xenial; urgency=medium

  * Rebuild against grub2 2.04-1ubuntu44.1.2. LP: #1926748.

grub2-signed (1.167~16.04.5) xenial; urgency=medium

  * Rebuild against grub2 2.04-1ubuntu44.1.1.
  * debian/*.postinst: Unconditionally call grub-install with
    --force-extra-removable, so that the \EFI\BOOT removable path as used in
    cloud images receives the updates. LP: #1930742.

 -- Steve Langasek <email address hidden> Mon, 07 Jun 2021 13:26:45 -0700

Changed in grub2-signed (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-unsigned - 2.04-1ubuntu44.1.2

---------------
grub2-unsigned (2.04-1ubuntu44.1.2) bionic; urgency=medium

  * Bump versioned dependency on grub2-common to 2.02~beta2-36ubuntu3.32 for
    necessary arm relocation support. LP: #1926748.

grub2-unsigned (2.04-1ubuntu44.1.1) bionic; urgency=medium

  * debian/postinst.in: Unconditionally call grub-install with
    --force-extra-removable, so that the \EFI\BOOT removable path as used in
    cloud images receives the updates. LP: #1930742.

 -- Steve Langasek <email address hidden> Mon, 07 Jun 2021 13:12:58 -0700

Changed in grub2-unsigned (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-signed - 1.167~18.04.5

---------------
grub2-signed (1.167~18.04.5) bionic; urgency=medium

  * Rebuild against grub2 2.04-1ubuntu44.1.2. LP: #1926748.

grub2-signed (1.167~18.04.4) bionic; urgency=medium

  * Rebuild against grub2 2.04-1ubuntu44.1.1. LP: #1930742.

 -- Steve Langasek <email address hidden> Mon, 07 Jun 2021 13:25:54 -0700

Changed in grub2-signed (Ubuntu Bionic):
status: Fix Committed → Fix Released
Mathew Hodson (mhodson)
Changed in grub2-signed (Ubuntu):
status: Invalid → Fix Released
Changed in grub2-unsigned (Ubuntu):
status: Invalid → Fix Released
tags: removed: regresion-update-xenial
Steve Langasek (vorlon) wrote :

When a developer marks a bug task as invalid, Mathew, you do not need to be changing it to fix released.

Changed in grub2 (Ubuntu):
status: Fix Released → Invalid
Changed in grub2-signed (Ubuntu):
status: Fix Released → Invalid
Changed in grub2-unsigned (Ubuntu):
status: Fix Released → Invalid
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-unsigned - 2.06-2ubuntu10

---------------
grub2-unsigned (2.06-2ubuntu10) jammy; urgency=medium

  [ Chris Coulson ]
  * SECURITY UPDATE: Crafted PNG grayscale images may lead to out-of-bounds
    write in heap.
    - 0139-video-readers-png-Drop-greyscale-support-to-fix-heap.patch:
      video/readers/png: Drop greyscale support to fix heap out-of-bounds write
    - CVE-2021-3695
  * SECURITY UPDATE: Crafted PNG image may lead to out-of-bound write during
    huffman table handling.
    - 0140-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch:
      video/readers/png: Avoid heap OOB R/W inserting huff table items
    - CVE-2021-3696
  * SECURITY UPDATE: Crafted JPEG image can lead to buffer underflow write in
    the heap.
    - 0145-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch:
      video/readers/jpeg: Block int underflow -> wild pointer write
    - CVE-2021-3697
  * SECURITY UPDATE: Integer underflow in grub_net_recv_ip4_packets
    - 0148-net-ip-Do-IP-fragment-maths-safely.patch: net/ip: Do IP fragment
      maths safely
    - CVE-2022-28733
  * SECURITY UPDATE: Out-of-bounds write when handling split HTTP headers
    - 0154-net-http-Fix-OOB-write-for-split-http-headers.patch: net/http: Fix
      OOB write for split http headers
    - CVE-2022-28734
  * SECURITY UPDATE: shim_lock verifier allows non-kernel files to be loaded
    - 0135-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch:
      kern/efi/sb: Reject non-kernel files in the shim_lock verifier
    - CVE-2022-28735
  * SECURITY UPDATE: use-after-free in grub_cmd_chainloader()
    - 0130-loader-efi-chainloader-simplify-the-loader-state.patch:
      loader/efi/chainloader: simplify the loader state
    - 0131-commands-boot-Add-API-to-pass-context-to-loader.patch: commands/boot:
      Add API to pass context to loader
    - 0132-loader-efi-chainloader-Use-grub_loader_set_ex.patch:
      loader/efi/chainloader: Use grub_loader_set_ex
    - 0133-loader-i386-efi-linux-Use-grub_loader_set_ex.patch:
      loader/i386/efi/linux: Use grub_loader_set_ex
  * Various fixes as a result of fuzzing and static analysis:
    - 0129-loader-efi-chainloader-grub_load_and_start_image-doe.patch:
      loader/efi/chainloader: grub_load_and_start_image doesn't load and start
    - 0134-loader-i386-efi-linux-Fix-a-memory-leak-in-the-initr.patch:
      loader/i386/efi/linux: Fix a memory leak in the initrd command
    - 0136-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch:
      kern/file: Do not leak device_name on error in grub_file_open()
    - 0137-video-readers-png-Abort-sooner-if-a-read-operation-f.patch:
      video/readers/png: Abort sooner if a read operation fails
    - 0138-video-readers-png-Refuse-to-handle-multiple-image-he.patch:
      video/readers/png: Refuse to handle multiple image headers
    - 0141-video-readers-png-Sanity-check-some-huffman-codes.patch:
      video/readers/png: Sanity check some huffman codes
    - 0142-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch:
      video/readers/jpeg: Abort sooner if a read operation fails
    - 0143-video-readers-jpeg-Do-not-reallocate-a-given-huff-...

Changed in grub2-unsigned (Ubuntu):
status: Invalid → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.06-2ubuntu10

---------------
grub2 (2.06-2ubuntu10) kinetic; urgency=medium

  [ Chris Coulson ]
  * SECURITY UPDATE: Crafted PNG grayscale images may lead to out-of-bounds
    write in heap.
    - 0139-video-readers-png-Drop-greyscale-support-to-fix-heap.patch:
      video/readers/png: Drop greyscale support to fix heap out-of-bounds write
    - CVE-2021-3695
  * SECURITY UPDATE: Crafted PNG image may lead to out-of-bound write during
    huffman table handling.
    - 0140-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch:
      video/readers/png: Avoid heap OOB R/W inserting huff table items
    - CVE-2021-3696
  * SECURITY UPDATE: Crafted JPEG image can lead to buffer underflow write in
    the heap.
    - 0145-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch:
      video/readers/jpeg: Block int underflow -> wild pointer write
    - CVE-2021-3697
  * SECURITY UPDATE: Integer underflow in grub_net_recv_ip4_packets
    - 0148-net-ip-Do-IP-fragment-maths-safely.patch: net/ip: Do IP fragment
      maths safely
    - CVE-2022-28733
  * SECURITY UPDATE: Out-of-bounds write when handling split HTTP headers
    - 0154-net-http-Fix-OOB-write-for-split-http-headers.patch: net/http: Fix
      OOB write for split http headers
    - CVE-2022-28734
  * SECURITY UPDATE: shim_lock verifier allows non-kernel files to be loaded
    - 0135-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch:
      kern/efi/sb: Reject non-kernel files in the shim_lock verifier
    - CVE-2022-28735
  * SECURITY UPDATE: use-after-free in grub_cmd_chainloader()
    - 0130-loader-efi-chainloader-simplify-the-loader-state.patch:
      loader/efi/chainloader: simplify the loader state
    - 0131-commands-boot-Add-API-to-pass-context-to-loader.patch: commands/boot:
      Add API to pass context to loader
    - 0132-loader-efi-chainloader-Use-grub_loader_set_ex.patch:
      loader/efi/chainloader: Use grub_loader_set_ex
    - 0133-loader-i386-efi-linux-Use-grub_loader_set_ex.patch:
      loader/i386/efi/linux: Use grub_loader_set_ex
  * Various fixes as a result of fuzzing and static analysis:
    - 0129-loader-efi-chainloader-grub_load_and_start_image-doe.patch:
      loader/efi/chainloader: grub_load_and_start_image doesn't load and start
    - 0134-loader-i386-efi-linux-Fix-a-memory-leak-in-the-initr.patch:
      loader/i386/efi/linux: Fix a memory leak in the initrd command
    - 0136-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch:
      kern/file: Do not leak device_name on error in grub_file_open()
    - 0137-video-readers-png-Abort-sooner-if-a-read-operation-f.patch:
      video/readers/png: Abort sooner if a read operation fails
    - 0138-video-readers-png-Refuse-to-handle-multiple-image-he.patch:
      video/readers/png: Refuse to handle multiple image headers
    - 0141-video-readers-png-Sanity-check-some-huffman-codes.patch:
      video/readers/png: Sanity check some huffman codes
    - 0142-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch:
      video/readers/jpeg: Abort sooner if a read operation fails
    - 0143-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch:
      ...

Changed in grub2 (Ubuntu):
status: Invalid → Fix Released
Steve Langasek (vorlon) wrote :

Hello Dimitri, or anyone else affected,

Accepted grub2-unsigned into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-unsigned/2.06-2ubuntu10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in grub2-unsigned (Ubuntu Jammy):
status: New → Fix Committed
tags: added: verification-needed verification-needed-jammy
removed: verification-done
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-unsigned - 2.06-2ubuntu10

---------------
grub2-unsigned (2.06-2ubuntu10) jammy; urgency=medium

  [ Chris Coulson ]
  * SECURITY UPDATE: Crafted PNG grayscale images may lead to out-of-bounds
    write in heap.
    - 0139-video-readers-png-Drop-greyscale-support-to-fix-heap.patch:
      video/readers/png: Drop greyscale support to fix heap out-of-bounds write
    - CVE-2021-3695
  * SECURITY UPDATE: Crafted PNG image may lead to out-of-bound write during
    huffman table handling.
    - 0140-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch:
      video/readers/png: Avoid heap OOB R/W inserting huff table items
    - CVE-2021-3696
  * SECURITY UPDATE: Crafted JPEG image can lead to buffer underflow write in
    the heap.
    - 0145-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch:
      video/readers/jpeg: Block int underflow -> wild pointer write
    - CVE-2021-3697
  * SECURITY UPDATE: Integer underflow in grub_net_recv_ip4_packets
    - 0148-net-ip-Do-IP-fragment-maths-safely.patch: net/ip: Do IP fragment
      maths safely
    - CVE-2022-28733
  * SECURITY UPDATE: Out-of-bounds write when handling split HTTP headers
    - 0154-net-http-Fix-OOB-write-for-split-http-headers.patch: net/http: Fix
      OOB write for split http headers
    - CVE-2022-28734
  * SECURITY UPDATE: shim_lock verifier allows non-kernel files to be loaded
    - 0135-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch:
      kern/efi/sb: Reject non-kernel files in the shim_lock verifier
    - CVE-2022-28735
  * SECURITY UPDATE: use-after-free in grub_cmd_chainloader()
    - 0130-loader-efi-chainloader-simplify-the-loader-state.patch:
      loader/efi/chainloader: simplify the loader state
    - 0131-commands-boot-Add-API-to-pass-context-to-loader.patch: commands/boot:
      Add API to pass context to loader
    - 0132-loader-efi-chainloader-Use-grub_loader_set_ex.patch:
      loader/efi/chainloader: Use grub_loader_set_ex
    - 0133-loader-i386-efi-linux-Use-grub_loader_set_ex.patch:
      loader/i386/efi/linux: Use grub_loader_set_ex
  * Various fixes as a result of fuzzing and static analysis:
    - 0129-loader-efi-chainloader-grub_load_and_start_image-doe.patch:
      loader/efi/chainloader: grub_load_and_start_image doesn't load and start
    - 0134-loader-i386-efi-linux-Fix-a-memory-leak-in-the-initr.patch:
      loader/i386/efi/linux: Fix a memory leak in the initrd command
    - 0136-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch:
      kern/file: Do not leak device_name on error in grub_file_open()
    - 0137-video-readers-png-Abort-sooner-if-a-read-operation-f.patch:
      video/readers/png: Abort sooner if a read operation fails
    - 0138-video-readers-png-Refuse-to-handle-multiple-image-he.patch:
      video/readers/png: Refuse to handle multiple image headers
    - 0141-video-readers-png-Sanity-check-some-huffman-codes.patch:
      video/readers/png: Sanity check some huffman codes
    - 0142-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch:
      video/readers/jpeg: Abort sooner if a read operation fails
    - 0143-video-readers-jpeg-Do-not-reallocate-a-given-huff-...

Changed in grub2-unsigned (Ubuntu Jammy):
status: Fix Committed → Fix Released
Dan Bungert (dbungert) wrote :

Do we still anticipate SRUs for Trusty for this?

Steve Langasek (vorlon) wrote :

This has been rolled back to jammy-proposed due to LP: #1990684.

Changed in grub2-unsigned (Ubuntu Jammy):
status: Fix Released → Fix Committed
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in grub2 (Ubuntu Trusty):
status: New → Confirmed
Changed in grub2-signed (Ubuntu Trusty):
status: New → Confirmed
Changed in grub2-unsigned (Ubuntu Trusty):
status: New → Confirmed
Łukasz Zemczak (sil2100) wrote :

@vorlon Should we put block-proposed on this SRU then?

Julian Andres Klode (juliank) wrote :

This should go out again since a week or so, the issue was resolved two weeks ago or three even if I look at the dates now, whoa.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-unsigned - 2.06-2ubuntu10

---------------
grub2-unsigned (2.06-2ubuntu10) jammy; urgency=medium

  [ Chris Coulson ]
  * SECURITY UPDATE: Crafted PNG grayscale images may lead to out-of-bounds
    write in heap.
    - 0139-video-readers-png-Drop-greyscale-support-to-fix-heap.patch:
      video/readers/png: Drop greyscale support to fix heap out-of-bounds write
    - CVE-2021-3695
  * SECURITY UPDATE: Crafted PNG image may lead to out-of-bound write during
    huffman table handling.
    - 0140-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch:
      video/readers/png: Avoid heap OOB R/W inserting huff table items
    - CVE-2021-3696
  * SECURITY UPDATE: Crafted JPEG image can lead to buffer underflow write in
    the heap.
    - 0145-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch:
      video/readers/jpeg: Block int underflow -> wild pointer write
    - CVE-2021-3697
  * SECURITY UPDATE: Integer underflow in grub_net_recv_ip4_packets
    - 0148-net-ip-Do-IP-fragment-maths-safely.patch: net/ip: Do IP fragment
      maths safely
    - CVE-2022-28733
  * SECURITY UPDATE: Out-of-bounds write when handling split HTTP headers
    - 0154-net-http-Fix-OOB-write-for-split-http-headers.patch: net/http: Fix
      OOB write for split http headers
    - CVE-2022-28734
  * SECURITY UPDATE: shim_lock verifier allows non-kernel files to be loaded
    - 0135-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch:
      kern/efi/sb: Reject non-kernel files in the shim_lock verifier
    - CVE-2022-28735
  * SECURITY UPDATE: use-after-free in grub_cmd_chainloader()
    - 0130-loader-efi-chainloader-simplify-the-loader-state.patch:
      loader/efi/chainloader: simplify the loader state
    - 0131-commands-boot-Add-API-to-pass-context-to-loader.patch: commands/boot:
      Add API to pass context to loader
    - 0132-loader-efi-chainloader-Use-grub_loader_set_ex.patch:
      loader/efi/chainloader: Use grub_loader_set_ex
    - 0133-loader-i386-efi-linux-Use-grub_loader_set_ex.patch:
      loader/i386/efi/linux: Use grub_loader_set_ex
  * Various fixes as a result of fuzzing and static analysis:
    - 0129-loader-efi-chainloader-grub_load_and_start_image-doe.patch:
      loader/efi/chainloader: grub_load_and_start_image doesn't load and start
    - 0134-loader-i386-efi-linux-Fix-a-memory-leak-in-the-initr.patch:
      loader/i386/efi/linux: Fix a memory leak in the initrd command
    - 0136-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch:
      kern/file: Do not leak device_name on error in grub_file_open()
    - 0137-video-readers-png-Abort-sooner-if-a-read-operation-f.patch:
      video/readers/png: Abort sooner if a read operation fails
    - 0138-video-readers-png-Refuse-to-handle-multiple-image-he.patch:
      video/readers/png: Refuse to handle multiple image headers
    - 0141-video-readers-png-Sanity-check-some-huffman-codes.patch:
      video/readers/png: Sanity check some huffman codes
    - 0142-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch:
      video/readers/jpeg: Abort sooner if a read operation fails
    - 0143-video-readers-jpeg-Do-not-reallocate-a-given-huff-...

Changed in grub2-unsigned (Ubuntu Jammy):
status: Fix Committed → Fix Released