starlingx
/
integ
Code Issues Proposed changes
integ/grub/grub-efi/debian/patches
History
Li Zhou 44f318a38d grub2/grub-efi: fix CVEs 
Porting patches from grub2_2.06-3~deb11u1 to fix below CVEs:
CVE-2021-3695
CVE-2021-3696
CVE-2021-3697
CVE-2022-28733
CVE-2022-28734

The source code of grub2_2.06-3~deb11u1 is from:
https://snapshot.debian.org/archive/debian/20220807T030023Z/pool
/main/g/grub2/grub2_2.06-3~deb11u1.debian.tar.xz

The relationship between commits and CVEs is as below:
(1)CVE-2021-3695
commit <video/readers/png: Drop greyscale support to fix heap
out-of-bounds write>
(2)CVE-2021-3696
commit <video/readers/png: Avoid heap OOB R/W inserting huff table items>
(3)CVE-2021-3697
commit <video/readers/jpeg: Block int underflow -> wild pointer write>
(4)CVE-2022-28733
commit <net/ip: Do IP fragment maths safely>
(5)CVE-2022-28734
commit <net/http: Fix OOB write for split http headers>
commit <net/http: Error out on headers with LF without CR>

Test plan:
 - PASS: build grub2/grub-efi.
 - PASS: build-image and install and boot up on lab/qemu.
 - PASS: check that the "stx.N" version number is right for both
         bios(grub2 ver) and uefi(grub-efi ver) boot.

Partial-Bug: #2034119

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: Ia27b1ee225f13e9c4ad08a0828f93ea37f8d3dfb
 		2023-09-07 01:42:31 -04:00
..
0001-grub2-add-tboot.patch Debian: grub-efi: porting from LAT 2022-10-08 21:50:14 -04:00
0002-grub2-checking-if-loop-devices-are-available.patch Debian: grub-efi: porting from LAT 2022-10-08 21:50:14 -04:00
0003-Make-UEFI-watchdog-behaviour-configurable.patch Debian: grub-efi: porting from LAT 2022-10-08 21:50:14 -04:00
0004-correct-grub_errno.patch Debian: grub-efi: porting from LAT 2022-10-08 21:50:14 -04:00
0005-grub-verify-Add-skip_check_cfg-variable.patch Debian: grub-efi: porting from LAT 2022-10-08 21:50:14 -04:00
0006-pe32.h-add-header-structures-for-TE-and-DOS-executab.patch Debian: grub-efi: porting from LAT 2022-10-08 21:50:14 -04:00
0007-shim-add-needed-data-structures.patch Debian: grub-efi: porting from LAT 2022-10-08 21:50:14 -04:00
0008-efi-chainloader-implement-an-UEFI-Exit-service.patch Debian: grub-efi: porting from LAT 2022-10-08 21:50:14 -04:00
0009-efi-chainloader-port-shim-to-grub.patch Debian: grub-efi: porting from LAT 2022-10-08 21:50:14 -04:00
0010-efi-chainloader-use-shim-to-load-and-verify-an-image.patch Debian: grub-efi: porting from LAT 2022-10-08 21:50:14 -04:00
0011-efi-chainloader-boot-the-image-using-shim.patch Debian: grub-efi: porting from LAT 2022-10-08 21:50:14 -04:00
0012-efi-chainloader-take-care-of-unload-undershim.patch Debian: grub-efi: porting from LAT 2022-10-08 21:50:14 -04:00
0013-chainloader-handle-the-unauthenticated-image-by-shim.patch Debian: grub-efi: porting from LAT 2022-10-08 21:50:14 -04:00
0014-chainloader-Don-t-check-empty-section-in-file-like-..patch Debian: grub-efi: porting from LAT 2022-10-08 21:50:14 -04:00
0015-chainloader-find-the-relocations-correctly.patch Debian: grub-efi: porting from LAT 2022-10-08 21:50:14 -04:00
0016-Add-a-module-for-reading-EFI-global-variables.patch Debian: grub-efi: porting from LAT 2022-10-08 21:50:14 -04:00
0017-grub-shim-verify-Report-that-the-loaded-object-is-ve.patch Debian: grub-efi: porting from LAT 2022-10-08 21:50:14 -04:00
0018-grub-verify-Add-strict_security-variable.patch Debian: grub-efi: porting from LAT 2022-10-08 21:50:14 -04:00
0019-Disable-inside-lockdown-and-shim_lock-verifiers.patch Debian: grub-efi: porting from LAT 2022-10-08 21:50:14 -04:00
0020-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch grub2/grub-efi: fix CVE-2022-2601/CVE-2022-3775 2023-06-01 06:08:44 -04:00
0021-video-readers-Add-artificial-limit-to-image-dimensio.patch grub2/grub-efi: fix CVE-2022-2601/CVE-2022-3775 2023-06-01 06:08:44 -04:00
0022-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch grub2/grub-efi: fix CVE-2022-2601/CVE-2022-3775 2023-06-01 06:08:44 -04:00
0023-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch grub2/grub-efi: fix CVE-2022-2601/CVE-2022-3775 2023-06-01 06:08:44 -04:00
0024-font-Fix-several-integer-overflows-in-grub_font_cons.patch grub2/grub-efi: fix CVE-2022-2601/CVE-2022-3775 2023-06-01 06:08:44 -04:00
0025-font-Remove-grub_font_dup_glyph.patch grub2/grub-efi: fix CVE-2022-2601/CVE-2022-3775 2023-06-01 06:08:44 -04:00
0026-font-Fix-integer-overflow-in-ensure_comb_space.patch grub2/grub-efi: fix CVE-2022-2601/CVE-2022-3775 2023-06-01 06:08:44 -04:00
0027-font-Fix-integer-overflow-in-BMP-index.patch grub2/grub-efi: fix CVE-2022-2601/CVE-2022-3775 2023-06-01 06:08:44 -04:00
0028-font-Fix-integer-underflow-in-binary-search-of-char-.patch grub2/grub-efi: fix CVE-2022-2601/CVE-2022-3775 2023-06-01 06:08:44 -04:00
0029-kern-efi-sb-Enforce-verification-of-font-files.patch grub2/grub-efi: fix CVE-2022-2601/CVE-2022-3775 2023-06-01 06:08:44 -04:00
0030-fbutil-Fix-integer-overflow.patch grub2/grub-efi: fix CVE-2022-2601/CVE-2022-3775 2023-06-01 06:08:44 -04:00
0031-font-Fix-an-integer-underflow-in-blit_comb.patch grub2/grub-efi: fix CVE-2022-2601/CVE-2022-3775 2023-06-01 06:08:44 -04:00
0032-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch grub2/grub-efi: fix CVE-2022-2601/CVE-2022-3775 2023-06-01 06:08:44 -04:00
0033-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch grub2/grub-efi: fix CVE-2022-2601/CVE-2022-3775 2023-06-01 06:08:44 -04:00
0034-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch grub2/grub-efi: fix CVE-2022-2601/CVE-2022-3775 2023-06-01 06:08:44 -04:00
0035-video-readers-png-Drop-greyscale-support-to-fix-heap.patch grub2/grub-efi: fix CVEs 2023-09-07 01:42:31 -04:00
0036-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch grub2/grub-efi: fix CVEs 2023-09-07 01:42:31 -04:00
0037-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch grub2/grub-efi: fix CVEs 2023-09-07 01:42:31 -04:00
0038-net-ip-Do-IP-fragment-maths-safely.patch grub2/grub-efi: fix CVEs 2023-09-07 01:42:31 -04:00
0039-net-http-Fix-OOB-write-for-split-http-headers.patch grub2/grub-efi: fix CVEs 2023-09-07 01:42:31 -04:00
0040-net-http-Error-out-on-headers-with-LF-without-CR.patch grub2/grub-efi: fix CVEs 2023-09-07 01:42:31 -04:00
series grub2/grub-efi: fix CVEs 2023-09-07 01:42:31 -04:00