44f318a38d
Porting patches from grub2_2.06-3~deb11u1 to fix below CVEs: CVE-2021-3695 CVE-2021-3696 CVE-2021-3697 CVE-2022-28733 CVE-2022-28734 The source code of grub2_2.06-3~deb11u1 is from: https://snapshot.debian.org/archive/debian/20220807T030023Z/pool /main/g/grub2/grub2_2.06-3~deb11u1.debian.tar.xz The relationship between commits and CVEs is as below: (1)CVE-2021-3695 commit <video/readers/png: Drop greyscale support to fix heap out-of-bounds write> (2)CVE-2021-3696 commit <video/readers/png: Avoid heap OOB R/W inserting huff table items> (3)CVE-2021-3697 commit <video/readers/jpeg: Block int underflow -> wild pointer write> (4)CVE-2022-28733 commit <net/ip: Do IP fragment maths safely> (5)CVE-2022-28734 commit <net/http: Fix OOB write for split http headers> commit <net/http: Error out on headers with LF without CR> Test plan: - PASS: build grub2/grub-efi. - PASS: build-image and install and boot up on lab/qemu. - PASS: check that the "stx.N" version number is right for both bios(grub2 ver) and uefi(grub-efi ver) boot. Partial-Bug: #2034119 Signed-off-by: Li Zhou <li.zhou@windriver.com> Change-Id: Ia27b1ee225f13e9c4ad08a0828f93ea37f8d3dfb |
||
|---|---|---|
| .. | ||
| debian | ||