grub2: fix CVE-2020-15707
Avoid to the heap-based buffer overflow. Upgrade to the below package to fix the CVE issue: grub2-2.02-0.86.el7.centos.src.rpm At the same time adjust the context and drop 0004-grub2-remove-32b-requirements.patch since it already had been included in the new version. Story: 2008532 Task: 41664 Change-Id: I7943127323ee28457ffe0a4ece54764633f86d9f Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
This commit is contained in:
Zhixiong Chi
parent
d6a07b92eb
commit
a0b2acecaa
|
|
@ -3,7 +3,7 @@ cloud-init-0.7.9-24.el7.centos.1.src.rpm
|
|||
dhcp-4.2.5-68.el7.centos.1.src.rpm
|
||||
dnsmasq-2.76-7.el7.src.rpm
|
||||
facter-2.4.4-4.el7.src.rpm
|
||||
grub2-2.02-0.76.el7.centos.src.rpm
|
||||
grub2-2.02-0.86.el7.centos.src.rpm
|
||||
grubby-8.28-25.el7.src.rpm
|
||||
haproxy-1.5.18-8.el7.src.rpm
|
||||
initscripts-9.49.46-1.el7.src.rpm
|
||||
|
|
|
|||
|
|
@ -15,8 +15,8 @@ index 12d34ad..88c6c09 100644
|
|||
Name: grub2
|
||||
Epoch: 1
|
||||
Version: 2.02
|
||||
-Release: 0.76%{?dist}%{?buildid}
|
||||
+Release: 0.76.el7.centos%{?_tis_dist}.%{tis_patch_ver}
|
||||
-Release: 0.86%{?dist}%{?buildid}
|
||||
+Release: 0.86.el7.centos%{?_tis_dist}.%{tis_patch_ver}
|
||||
Summary: Bootloader with support for Linux, Multiboot and more
|
||||
Group: System Environment/Base
|
||||
License: GPLv3+
|
||||
|
|
|
|||
|
|
@ -1,16 +0,0 @@
|
|||
diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec
|
||||
index 11f6b0e..613f2e1 100644
|
||||
--- a/SPECS/grub2.spec
|
||||
+++ b/SPECS/grub2.spec
|
||||
@@ -49,11 +49,6 @@ BuildRequires: /usr/lib64/crt1.o glibc-static glibc-devel
|
||||
BuildRequires: /usr/lib64/crt1.o glibc-static(x86-64) glibc-devel(x86-64)
|
||||
# glibc32 is what will be in the buildroots, but glibc-static(x86-32) is what
|
||||
# will be in an epel-7 (i.e. centos) mock root. I think.
|
||||
-%if 0%{?centos}%{?mock}
|
||||
-BuildRequires: /usr/lib/crt1.o glibc-static(x86-32) glibc-devel(x86-32)
|
||||
-%else
|
||||
-BuildRequires: /usr/lib/crt1.o glibc32
|
||||
-%endif
|
||||
%else
|
||||
# ppc64 builds need the ppc crt1.o
|
||||
BuildRequires: /usr/lib/crt1.o glibc-static glibc-devel
|
||||
|
|
@ -11,10 +11,10 @@ diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches
|
|||
index bac4594..d7475f0 100644
|
||||
--- a/SOURCES/grub.patches
|
||||
+++ b/SOURCES/grub.patches
|
||||
@@ -286,3 +286,4 @@ Patch0285: 0285-editenv-handle-relative-symlinks.patch
|
||||
Patch0286: 0286-efinet-also-use-the-firmware-acceleration-for-http.patch
|
||||
Patch0287: 0287-Make-root_url-reflect-the-protocol-hostname-of-our-b.patch
|
||||
Patch0289: 0288-efi-uga-Fix-PCIe-LER-when-GRUB2-accesses-non-enabled.patch
|
||||
@@ -332,3 +332,4 @@ Patch0285: 0285-editenv-handle-relative-symlinks.patch
|
||||
Patch0332: 0332-linux-loader-avoid-overflow-on-initrd-size-calculati.patch
|
||||
Patch0333: 0333-linuxefi-fail-kernel-validation-without-shim-protoco.patch
|
||||
Patch0334: 0334-linux-Fix-integer-overflows-in-initrd-size-handling.patch
|
||||
+Patch1000: 1000_linux-mktitle-de-brand-the-grub.cfg-menu.patch
|
||||
--
|
||||
2.7.4
|
||||
|
|
|
|||
|
|
@ -16,10 +16,10 @@ index 075727c..5581deb 100644
|
|||
%{desc} \
|
||||
This subpackage provides optional components of grub used with removeable media on %{1} systems.\
|
||||
+ \
|
||||
+%package %{1}-unsigned \
|
||||
+%{expand:%%package %{1}-unsigned} \
|
||||
+Summary: Unsigned versions of GRUB EFI binaries \
|
||||
+ \
|
||||
+%description %{1}-unsigned \
|
||||
+%{expand:%%description %{1}-unsigned} \
|
||||
+This package contains unsigned version of GRUB EFI binaries. \
|
||||
+ \
|
||||
%{nil}
|
||||
|
|
@ -31,9 +31,9 @@ index 075727c..5581deb 100644
|
|||
-p /EFI/BOOT -d grub-core ${GRUB_MODULES} \
|
||||
+cp %{2}.orig %{2}.unsigned \
|
||||
+cp %{3}.orig %{3}.unsigned \
|
||||
%{expand:%%{pesign -s -i %{2}.orig -o %{2} -a %{5} -c %{6} -n %{7}}} \
|
||||
%{expand:%%{pesign -s -i %{3}.orig -o %{3} -a %{5} -c %{6} -n %{7}}} \
|
||||
%{nil}
|
||||
%{expand:%%{pesign -s -i %{2}.orig -o %{2}.one -a %{5} -c %{6} -n %{7}}} \
|
||||
%{expand:%%{pesign -s -i %{3}.orig -o %{3}.one -a %{5} -c %{6} -n %{7}}} \
|
||||
%{expand:%%{pesign -s -i %{2}.one -o %{2} -a %{8} -c %{9} -n %{10}}} \
|
||||
@@ -403,6 +412,8 @@ find $RPM_BUILD_ROOT -iname "*.module" -exec chmod a-x {} '\;' \
|
||||
touch $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/grub.cfg \
|
||||
ln -sf ../boot/efi/EFI/%{efidir}/grub.cfg \\\
|
||||
|
|
@ -45,8 +45,8 @@ index 075727c..5581deb 100644
|
|||
install -D -m 700 unicode.pf2 \\\
|
||||
@@ -490,4 +501,8 @@ cd .. \
|
||||
%defattr(-,root,root,-) \
|
||||
%attr(0700,root,root)/boot/efi/EFI/%{efidir}/%{3} \
|
||||
%attr(0700,root,root)/boot/efi/EFI/%{efidir}/fonts \
|
||||
%verify(not mtime) %attr(0700,root,root)/boot/efi/EFI/%{efidir}/%{3} \
|
||||
%verify(not mtime) %attr(0700,root,root)/boot/efi/EFI/%{efidir}/fonts \
|
||||
+ \
|
||||
+%{expand:%%files %{1}-unsigned} \
|
||||
+/boot/efi/EFI/%{efidir}/%{grubefiname}.unsigned \
|
||||
|
|
|
|||
|
|
@ -12,13 +12,13 @@ index 5581deb..9ef91d6 100644
|
|||
--- a/SOURCES/grub.macros
|
||||
+++ b/SOURCES/grub.macros
|
||||
@@ -242,6 +242,13 @@ Summary: Unsigned versions of GRUB EFI binaries \
|
||||
%description %{1}-unsigned \
|
||||
%{expand:%%description %{1}-unsigned} \
|
||||
This package contains unsigned version of GRUB EFI binaries. \
|
||||
\
|
||||
+%package %{1}-pxeboot \
|
||||
+%{expand:%%package %{1}-pxeboot} \
|
||||
+Summary: PXE bootable GRUB EFI binaries \
|
||||
+ \
|
||||
+%description %{1}-pxeboot \
|
||||
+%{expand:%%description %{1}-pxeboot} \
|
||||
+This package contains the version of EFI GRUB that is served by the pxeboot \
|
||||
+server \
|
||||
+ \
|
||||
|
|
|
|||
|
|
@ -28,16 +28,16 @@ index 9ef91d6..ffdd23c 100644
|
|||
video xfs" \
|
||||
GRUB_MODULES+=%{efi_modules} \
|
||||
+GRUB_MODULES+=%{wrs_modules} \
|
||||
%{expand:%%{mkimage %{1} %{2} %{3} %{4} %{5} %{6} %{7}}} \
|
||||
%{expand:%%{mkimage %{1} %{2} %{3} %{4} %{5} %{6} %{7} %{8} %{9} %{10}}} \
|
||||
%{nil}
|
||||
|
||||
diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches
|
||||
index d7475f0..e24bd8c 100644
|
||||
--- a/SOURCES/grub.patches
|
||||
+++ b/SOURCES/grub.patches
|
||||
@@ -287,3 +287,4 @@ Patch0286: 0286-efinet-also-use-the-firmware-acceleration-for-http.patch
|
||||
Patch0287: 0287-Make-root_url-reflect-the-protocol-hostname-of-our-b.patch
|
||||
Patch0289: 0288-efi-uga-Fix-PCIe-LER-when-GRUB2-accesses-non-enabled.patch
|
||||
@@ -333,3 +334,4 @@ Patch0286: 0286-efinet-also-use-the-firmware-acceleration-for-http.patch
|
||||
Patch0333: 0333-linuxefi-fail-kernel-validation-without-shim-protoco.patch
|
||||
Patch0334: 0334-linux-Fix-integer-overflows-in-initrd-size-handling.patch
|
||||
Patch1000: 1000_linux-mktitle-de-brand-the-grub.cfg-menu.patch
|
||||
+Patch1001: 1001-add-tboot.patch
|
||||
--
|
||||
|
|
|
|||
|
|
@ -29,8 +29,8 @@ diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches
|
|||
index e24bd8c..73ccdee 100644
|
||||
--- a/SOURCES/grub.patches
|
||||
+++ b/SOURCES/grub.patches
|
||||
@@ -288,3 +288,5 @@ Patch0287: 0287-Make-root_url-reflect-the-protocol-hostname-of-our-b.patch
|
||||
Patch0289: 0288-efi-uga-Fix-PCIe-LER-when-GRUB2-accesses-non-enabled.patch
|
||||
@@ -334,3 +334,5 @@ Patch0287: 0287-Make-root_url-reflect-the-protocol-hostname-of-our-b.patch
|
||||
Patch0334: 0334-linux-Fix-integer-overflows-in-initrd-size-handling.patch
|
||||
Patch1000: 1000_linux-mktitle-de-brand-the-grub.cfg-menu.patch
|
||||
Patch1001: 1001-add-tboot.patch
|
||||
+Patch1002: 1002-Don-t-write-trailing-colon-when-populating-MAC-strin.patch
|
||||
|
|
|
|||
|
|
@ -1,7 +1,6 @@
|
|||
0001-grub2-Update-package-versioning-for-TIS-format.patch
|
||||
0002-grub2-fix-cflags.patch
|
||||
0003-grub2-remove-debug-pkgs.patch
|
||||
0004-grub2-remove-32b-requirements.patch
|
||||
0005-grub2-remove-32b-build.patch
|
||||
0006-grub2-ship-lst-files.patch
|
||||
0007-1000_linux-mktitle-de-brand-the-grub.cfg-menu.patch
|
||||
|
|
|
|||
|
|
@ -1 +1 @@
|
|||
mirror:Source/grub2-2.02-0.76.el7.centos.src.rpm
|
||||
mirror:Source/grub2-2.02-0.86.el7.centos.src.rpm
|
||||
|
|
|
|||
Loading…
Reference in New Issue