From a0b2acecaac080345c1cd42c3ad7fc05d75ac96a Mon Sep 17 00:00:00 2001 From: Zhixiong Chi Date: Mon, 25 Jan 2021 03:49:38 -0500 Subject: [PATCH] grub2: fix CVE-2020-15707 Avoid to the heap-based buffer overflow. Upgrade to the below package to fix the CVE issue: grub2-2.02-0.86.el7.centos.src.rpm At the same time adjust the context and drop 0004-grub2-remove-32b-requirements.patch since it already had been included in the new version. Story: 2008532 Task: 41664 Change-Id: I7943127323ee28457ffe0a4ece54764633f86d9f Signed-off-by: Zhixiong Chi --- centos_srpms_centos.lst | 2 +- ...pdate-package-versioning-for-TIS-format.patch | 4 ++-- .../0004-grub2-remove-32b-requirements.patch | 16 ---------------- ...inux-mktitle-de-brand-the-grub.cfg-menu.patch | 8 ++++---- .../0008-grub2-Build-unsigned-package.patch | 14 +++++++------- .../0009-grub2-Build-pxeboot-package.patch | 6 +++--- .../meta_patches/0010-grub2-add-tboot.patch | 8 ++++---- .../0011-grub2-fix-str-for-6B-macs.patch | 4 ++-- grub/grub2/centos/meta_patches/PATCH_ORDER | 1 - grub/grub2/centos/srpm_path | 2 +- 10 files changed, 24 insertions(+), 41 deletions(-) delete mode 100644 grub/grub2/centos/meta_patches/0004-grub2-remove-32b-requirements.patch diff --git a/centos_srpms_centos.lst b/centos_srpms_centos.lst index 477ef81e0..66f99751e 100644 --- a/centos_srpms_centos.lst +++ b/centos_srpms_centos.lst @@ -3,7 +3,7 @@ cloud-init-0.7.9-24.el7.centos.1.src.rpm dhcp-4.2.5-68.el7.centos.1.src.rpm dnsmasq-2.76-7.el7.src.rpm facter-2.4.4-4.el7.src.rpm -grub2-2.02-0.76.el7.centos.src.rpm +grub2-2.02-0.86.el7.centos.src.rpm grubby-8.28-25.el7.src.rpm haproxy-1.5.18-8.el7.src.rpm initscripts-9.49.46-1.el7.src.rpm diff --git a/grub/grub2/centos/meta_patches/0001-grub2-Update-package-versioning-for-TIS-format.patch b/grub/grub2/centos/meta_patches/0001-grub2-Update-package-versioning-for-TIS-format.patch index e8cd15056..b6bd8f444 100644 
--- a/grub/grub2/centos/meta_patches/0001-grub2-Update-package-versioning-for-TIS-format.patch +++ b/grub/grub2/centos/meta_patches/0001-grub2-Update-package-versioning-for-TIS-format.patch @@ -15,8 +15,8 @@ index 12d34ad..88c6c09 100644 Name: grub2 Epoch: 1 Version: 2.02 --Release: 0.76%{?dist}%{?buildid} -+Release: 0.76.el7.centos%{?_tis_dist}.%{tis_patch_ver} +-Release: 0.86%{?dist}%{?buildid} ++Release: 0.86.el7.centos%{?_tis_dist}.%{tis_patch_ver} Summary: Bootloader with support for Linux, Multiboot and more Group: System Environment/Base License: GPLv3+ diff --git a/grub/grub2/centos/meta_patches/0004-grub2-remove-32b-requirements.patch b/grub/grub2/centos/meta_patches/0004-grub2-remove-32b-requirements.patch deleted file mode 100644 index bfdbfd219..000000000 --- a/grub/grub2/centos/meta_patches/0004-grub2-remove-32b-requirements.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec -index 11f6b0e..613f2e1 100644 ---- a/SPECS/grub2.spec -+++ b/SPECS/grub2.spec -@@ -49,11 +49,6 @@ BuildRequires: /usr/lib64/crt1.o glibc-static glibc-devel - BuildRequires: /usr/lib64/crt1.o glibc-static(x86-64) glibc-devel(x86-64) - # glibc32 is what will be in the buildroots, but glibc-static(x86-32) is what - # will be in an epel-7 (i.e. centos) mock root. I think. --%if 0%{?centos}%{?mock} --BuildRequires: /usr/lib/crt1.o glibc-static(x86-32) glibc-devel(x86-32) --%else --BuildRequires: /usr/lib/crt1.o glibc32 --%endif - %else - # ppc64 builds need the ppc crt1.o - BuildRequires: /usr/lib/crt1.o glibc-static glibc-devel diff --git a/grub/grub2/centos/meta_patches/0007-1000_linux-mktitle-de-brand-the-grub.cfg-menu.patch b/grub/grub2/centos/meta_patches/0007-1000_linux-mktitle-de-brand-the-grub.cfg-menu.patch index f92f90958..62caa378c 100644 --- a/grub/grub2/centos/meta_patches/0007-1000_linux-mktitle-de-brand-the-grub.cfg-menu.patch +++ b/grub/grub2/centos/meta_patches/0007-1000_linux-mktitle-de-brand-the-grub.cfg-menu.patch 
@@ -11,10 +11,10 @@ diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches index bac4594..d7475f0 100644 --- a/SOURCES/grub.patches +++ b/SOURCES/grub.patches -@@ -286,3 +286,4 @@ Patch0285: 0285-editenv-handle-relative-symlinks.patch - Patch0286: 0286-efinet-also-use-the-firmware-acceleration-for-http.patch - Patch0287: 0287-Make-root_url-reflect-the-protocol-hostname-of-our-b.patch - Patch0289: 0288-efi-uga-Fix-PCIe-LER-when-GRUB2-accesses-non-enabled.patch +@@ -332,3 +332,4 @@ Patch0285: 0285-editenv-handle-relative-symlinks.patch + Patch0332: 0332-linux-loader-avoid-overflow-on-initrd-size-calculati.patch + Patch0333: 0333-linuxefi-fail-kernel-validation-without-shim-protoco.patch + Patch0334: 0334-linux-Fix-integer-overflows-in-initrd-size-handling.patch +Patch1000: 1000_linux-mktitle-de-brand-the-grub.cfg-menu.patch -- 2.7.4 diff --git a/grub/grub2/centos/meta_patches/0008-grub2-Build-unsigned-package.patch b/grub/grub2/centos/meta_patches/0008-grub2-Build-unsigned-package.patch index 019da45cb..94a15b035 100644 --- a/grub/grub2/centos/meta_patches/0008-grub2-Build-unsigned-package.patch +++ b/grub/grub2/centos/meta_patches/0008-grub2-Build-unsigned-package.patch @@ -16,10 +16,10 @@ index 075727c..5581deb 100644 %{desc} \ This subpackage provides optional components of grub used with removeable media on %{1} systems.\ + \ -+%package %{1}-unsigned \ ++%{expand:%%package %{1}-unsigned} \ +Summary: Unsigned versions of GRUB EFI binaries \ + \ -+%description %{1}-unsigned \ ++%{expand:%%description %{1}-unsigned} \ +This package contains unsigned version of GRUB EFI binaries. \ + \ %{nil} 
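Review bot: The rewritten inner hunk header in the 0007 meta-patch keeps the old function-context trailer, `+@@ -332,3 +332,4 @@ Patch0285: 0285-editenv-handle-relative-symlinks.patch`, although the hunk now starts at line 332 and the Patch0285 entry is no longer the line preceding it; the same stale trailers survive in the 0010 (`Patch0286:`) and 0011 (`Patch0287:`) meta-patches in the later hunks of this commit. patch(1) ignores the text after the second `@@`, so this is cosmetic, but it shows the offsets were edited by hand rather than the inner diffs being regenerated against the 0.86 SOURCES/grub.patches, which is how offset slips creep in. Regenerating the inner diffs (or simply dropping the trailer text) would make the three meta-patches self-consistent; regenerated, this trailer would presumably name the Patch0331 entry.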
@@ -31,9 +31,9 @@ index 075727c..5581deb 100644 -p /EFI/BOOT -d grub-core ${GRUB_MODULES} \ +cp %{2}.orig %{2}.unsigned \ +cp %{3}.orig %{3}.unsigned \ - %{expand:%%{pesign -s -i %{2}.orig -o %{2} -a %{5} -c %{6} -n %{7}}} \ - %{expand:%%{pesign -s -i %{3}.orig -o %{3} -a %{5} -c %{6} -n %{7}}} \ - %{nil} + %{expand:%%{pesign -s -i %{2}.orig -o %{2}.one -a %{5} -c %{6} -n %{7}}} \ + %{expand:%%{pesign -s -i %{3}.orig -o %{3}.one -a %{5} -c %{6} -n %{7}}} \ + %{expand:%%{pesign -s -i %{2}.one -o %{2} -a %{8} -c %{9} -n %{10}}} \ @@ -403,6 +412,8 @@ find $RPM_BUILD_ROOT -iname "*.module" -exec chmod a-x {} '\;' \ touch $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/grub.cfg \ ln -sf ../boot/efi/EFI/%{efidir}/grub.cfg \\\ @@ -45,8 +45,8 @@ index 075727c..5581deb 100644 install -D -m 700 unicode.pf2 \\\ @@ -490,4 +501,8 @@ cd .. \ %defattr(-,root,root,-) \ - %attr(0700,root,root)/boot/efi/EFI/%{efidir}/%{3} \ - %attr(0700,root,root)/boot/efi/EFI/%{efidir}/fonts \ + %verify(not mtime) %attr(0700,root,root)/boot/efi/EFI/%{efidir}/%{3} \ + %verify(not mtime) %attr(0700,root,root)/boot/efi/EFI/%{efidir}/fonts \ + \ +%{expand:%%files %{1}-unsigned} \ +/boot/efi/EFI/%{efidir}/%{grubefiname}.unsigned \ diff --git a/grub/grub2/centos/meta_patches/0009-grub2-Build-pxeboot-package.patch b/grub/grub2/centos/meta_patches/0009-grub2-Build-pxeboot-package.patch index 5e9e3cbd6..98055a752 100644 --- a/grub/grub2/centos/meta_patches/0009-grub2-Build-pxeboot-package.patch +++ b/grub/grub2/centos/meta_patches/0009-grub2-Build-pxeboot-package.patch @@ -12,13 +12,13 @@ index 5581deb..9ef91d6 100644 --- a/SOURCES/grub.macros +++ b/SOURCES/grub.macros 
@@ -242,6 +242,13 @@ Summary: Unsigned versions of GRUB EFI binaries \ - %description %{1}-unsigned \ + %{expand:%%description %{1}-unsigned} \ This package contains unsigned version of GRUB EFI binaries. \ \ -+%package %{1}-pxeboot \ ++%{expand:%%package %{1}-pxeboot} \ +Summary: PXE bootable GRUB EFI binaries \ + \ -+%description %{1}-pxeboot \ ++%{expand:%%description %{1}-pxeboot} \ +This package contains the version of EFI GRUB that is served by the pxeboot \ +server \ + \ diff --git a/grub/grub2/centos/meta_patches/0010-grub2-add-tboot.patch b/grub/grub2/centos/meta_patches/0010-grub2-add-tboot.patch index 242514cf2..4acfc617f 100644 --- a/grub/grub2/centos/meta_patches/0010-grub2-add-tboot.patch +++ b/grub/grub2/centos/meta_patches/0010-grub2-add-tboot.patch @@ -28,16 +28,16 @@ index 9ef91d6..ffdd23c 100644 video xfs" \ GRUB_MODULES+=%{efi_modules} \ +GRUB_MODULES+=%{wrs_modules} \ - %{expand:%%{mkimage %{1} %{2} %{3} %{4} %{5} %{6} %{7}}} \ + %{expand:%%{mkimage %{1} %{2} %{3} %{4} %{5} %{6} %{7} %{8} %{9} %{10}}} \ %{nil} diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches index d7475f0..e24bd8c 100644 --- a/SOURCES/grub.patches +++ b/SOURCES/grub.patches -@@ -287,3 +287,4 @@ Patch0286: 0286-efinet-also-use-the-firmware-acceleration-for-http.patch - Patch0287: 0287-Make-root_url-reflect-the-protocol-hostname-of-our-b.patch - Patch0289: 0288-efi-uga-Fix-PCIe-LER-when-GRUB2-accesses-non-enabled.patch +@@ -333,3 +334,4 @@ Patch0286: 0286-efinet-also-use-the-firmware-acceleration-for-http.patch + Patch0333: 0333-linuxefi-fail-kernel-validation-without-shim-protoco.patch + Patch0334: 0334-linux-Fix-integer-overflows-in-initrd-size-handling.patch Patch1000: 1000_linux-mktitle-de-brand-the-grub.cfg-menu.patch +Patch1001: 1001-add-tboot.patch -- diff --git a/grub/grub2/centos/meta_patches/0011-grub2-fix-str-for-6B-macs.patch b/grub/grub2/centos/meta_patches/0011-grub2-fix-str-for-6B-macs.patch index 27d00e42f..fa91487ef 100644 
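Review bot: The new inner hunk header in the 0010 meta-patch, `+@@ -333,3 +334,4 @@ Patch0286: …`, has mismatched start lines: the old side starts at 333 but the new side at 334, while the hunk adds only one line and nothing earlier in this file's inner diff adds a line (the grub.macros change in the same meta-patch is a different file). The original header was `-@@ -287,3 +287,4 @@` with matching starts, and the neighbouring 0007 (`-332,3 +332,4`) and 0011 (`-334,3 +334,5`) headers also match, so this looks like a hand-edit slip; it should read `@@ -333,3 +333,4 @@`. It is probably harmless to patch(1), which locates a hunk by the old-side start and its context lines, but a consistent header is easier to audit and avoids surprises if the meta-patches are ever applied with a stricter tool.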
--- a/grub/grub2/centos/meta_patches/0011-grub2-fix-str-for-6B-macs.patch +++ b/grub/grub2/centos/meta_patches/0011-grub2-fix-str-for-6B-macs.patch @@ -29,8 +29,8 @@ diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches index e24bd8c..73ccdee 100644 --- a/SOURCES/grub.patches +++ b/SOURCES/grub.patches -@@ -288,3 +288,5 @@ Patch0287: 0287-Make-root_url-reflect-the-protocol-hostname-of-our-b.patch - Patch0289: 0288-efi-uga-Fix-PCIe-LER-when-GRUB2-accesses-non-enabled.patch +@@ -334,3 +334,5 @@ Patch0287: 0287-Make-root_url-reflect-the-protocol-hostname-of-our-b.patch + Patch0334: 0334-linux-Fix-integer-overflows-in-initrd-size-handling.patch Patch1000: 1000_linux-mktitle-de-brand-the-grub.cfg-menu.patch Patch1001: 1001-add-tboot.patch +Patch1002: 1002-Don-t-write-trailing-colon-when-populating-MAC-strin.patch diff --git a/grub/grub2/centos/meta_patches/PATCH_ORDER b/grub/grub2/centos/meta_patches/PATCH_ORDER index f11838a64..db291d19a 100644 --- a/grub/grub2/centos/meta_patches/PATCH_ORDER +++ b/grub/grub2/centos/meta_patches/PATCH_ORDER @@ -1,7 +1,6 @@ 0001-grub2-Update-package-versioning-for-TIS-format.patch 0002-grub2-fix-cflags.patch 0003-grub2-remove-debug-pkgs.patch -0004-grub2-remove-32b-requirements.patch 0005-grub2-remove-32b-build.patch 0006-grub2-ship-lst-files.patch 0007-1000_linux-mktitle-de-brand-the-grub.cfg-menu.patch diff --git a/grub/grub2/centos/srpm_path b/grub/grub2/centos/srpm_path index 996afa187..95baf014a 100644 --- a/grub/grub2/centos/srpm_path +++ b/grub/grub2/centos/srpm_path @@ -1 +1 @@ -mirror:Source/grub2-2.02-0.76.el7.centos.src.rpm +mirror:Source/grub2-2.02-0.86.el7.centos.src.rpm