[Buildroot] [git commit branch/2023.05.x] boot/grub2: backport fixes for numerous CVEs

Peter Korsgaard peter at korsgaard.com
Wed Sep 13 20:22:33 UTC 2023


commit: https://git.buildroot.net/buildroot/commit/?id=4c6f56ebbc0778bb8014a54efe884f7c88a9ef13
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2023.05.x

Grub 2.06 is affected by a number of CVEs, which have been fixed in
the master branch of Grub, but are not yet part of any release (there
is a 2.12-rc1 release, but nothing else between 2.06 and 2.12-rc1).

So this patch backports the relevant fixes for CVE-2022-28736,
CVE-2022-28735, CVE-2021-3695, CVE-2021-3696, CVE-2021-3697,
CVE-2022-28733, CVE-2022-28734, CVE-2022-2601 and CVE-2022-3775.

It should be noted that CVE-2021-3695, CVE-2021-3696, CVE-2021-3697
are not reported as affecting Grub by our CVE matching logic because
the NVD database uses an incorrect CPE ID in those CVEs: it uses
"grub" as the product instead of "grub2" like all other CVEs for
grub. This issue has been reported to the NVD maintainers.

This requires backporting a lot of patches, but jumping from 2.06 to
2.12-rc1 implies getting 592 commits, which is quite a lot.

All Grub test cases are working fine:

  https://gitlab.com/tpetazzoni/buildroot/-/pipelines/984500585
  https://gitlab.com/tpetazzoni/buildroot/-/pipelines/984500679

Signed-off-by: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
[Arnout: fix check-package warning in patch 0002]
Signed-off-by: Arnout Vandecappelle <arnout at mind.be>
(cherry picked from commit 65c99394ff2e6cd52a79366ad693c28daca07fb0)
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
---
 .checkpackageignore                                |   1 -
 ...b-mkconfig-Restore-umask-for-the-grub.cfg.patch |   6 +-
 ...efi-chainloader-Simplify-the-loader-state.patch | 126 ++++
 ...ds-boot-Add-API-to-pass-context-to-loader.patch | 165 +++++
 ...er-efi-chainloader-Use-grub_loader_set_ex.patch |  80 +++
 ...-Reject-non-kernel-files-in-the-shim_lock.patch | 105 ++++
 .../0007-video-Remove-trailing-whitespaces.patch   | 689 +++++++++++++++++++++
 ...rs-png-Abort-sooner-if-a-read-operation-f.patch | 204 ++++++
 ...rs-png-Refuse-to-handle-multiple-image-he.patch |  34 +
 ...rs-png-Drop-greyscale-support-to-fix-heap.patch | 173 ++++++
 ...rs-png-Avoid-heap-OOB-R-W-inserting-huff-.patch |  44 ++
 ...rs-jpeg-Block-int-underflow-wild-pointer-.patch |  78 +++
 .../0013-net-ip-Do-IP-fragment-maths-safely.patch  |  56 ++
 ...http-Fix-OOB-write-for-split-http-headers.patch |  50 ++
 ...p-Error-out-on-headers-with-LF-without-CR.patch |  52 ++
 ...ze-overflow-in-grub_font_get_glyph_intern.patch | 116 ++++
 ...veral-integer-overflows-in-grub_font_cons.patch |  83 +++
 ...ont-Fix-an-integer-underflow-in-blit_comb.patch |  93 +++
 boot/grub2/grub2.mk                                |  19 +
 19 files changed, 2170 insertions(+), 4 deletions(-)

Patch is too large, so refusing to show it
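
The CPE mismatch described in the commit message, as an added example that is not part of the original commit or of Buildroot's matching code: an exact vendor:product comparison misses CVEs filed under a sibling product name, and a same-vendor prefix check surfaces them for manual review. The sample records, the `gnu` vendor and all function names are assumptions made for this illustration.

```python
import re

# Constructed sample records, not NVD data. The CVE ids and the "grub" vs
# "grub2" product names come from the commit message; the "gnu" vendor and
# the wildcard fields are assumptions. CVE-0000-0001 is a placeholder.
SAMPLE_CVES = [
    {"id": "CVE-2022-28736", "cpes": ["cpe:2.3:a:gnu:grub2:*:*:*:*:*:*:*:*"]},
    {"id": "CVE-2021-3695", "cpes": ["cpe:2.3:a:gnu:grub:*:*:*:*:*:*:*:*"]},
    {"id": "CVE-2021-3696", "cpes": ["cpe:2.3:a:gnu:grub:*:*:*:*:*:*:*:*"]},
    {"id": "CVE-0000-0001", "cpes": ["cpe:2.3:a:example:otherpkg:*:*:*:*:*:*:*:*"]},
]


def parse_cpe23(cpe):
    """Return (vendor, product, version) from a CPE 2.3 formatted string."""
    parts = re.split(r"(?<!\\):", cpe)  # do not split on escaped colons
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 string: %r" % cpe)
    return parts[3], parts[4], parts[5]


def exact_matches(cves, vendor, product):
    """CVE ids with at least one CPE naming exactly this vendor:product."""
    return [c["id"] for c in cves
            if any(parse_cpe23(s)[:2] == (vendor, product) for s in c["cpes"])]


def near_misses(cves, vendor, product):
    """(CVE id, product) pairs an exact match skips: same vendor, and one
    product name is a prefix of the other (e.g. "grub" vs "grub2")."""
    matched = set(exact_matches(cves, vendor, product))
    out = []
    for c in cves:
        if c["id"] in matched:
            continue
        for s in c["cpes"]:
            v, p, _ = parse_cpe23(s)
            if v == vendor and (p.startswith(product) or product.startswith(p)):
                out.append((c["id"], p))
                break
    return out


if __name__ == "__main__":
    print("matched:", exact_matches(SAMPLE_CVES, "gnu", "grub2"))
    print("review: ", near_misses(SAMPLE_CVES, "gnu", "grub2"))
```
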


