* [Buildroot] [git commit] boot/grub2: backport fixes for numerous CVEs
@ 2023-08-30 19:54 Arnout Vandecappelle via buildroot
0 siblings, 0 replies; only message in thread
From: Arnout Vandecappelle via buildroot @ 2023-08-30 19:54 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=65c99394ff2e6cd52a79366ad693c28daca07fb0
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
Grub 2.06 is affected by a number of CVEs, which have been fixed in
the master branch of Grub, but are not yet part of any release (there
is a 2.12-rc1 release, but nothing else between 2.06 and 2.12-rc1).
So this patch backports the relevant fixes for CVE-2022-28736,
CVE-2022-28735, CVE-2021-3695, CVE-2021-3696, CVE-2021-3697,
CVE-2022-28733, CVE-2022-28734, CVE-2022-2601 and CVE-2022-3775.
It should be noted that CVE-2021-3695, CVE-2021-3696, CVE-2021-3697
are not reported as affecting Grub by our CVE matching logic because
the NVD database uses an incorrect CPE ID in those CVEs: it uses
"grub" as the product instead of "grub2" like all other CVEs for
grub. This issue has been reported to the NVD maintainers.
This requires backporting a lot of patches, but jumping from 2.06 to
2.12-rc1 implies getting 592 commits, which is quite a lot.
All Grub test cases are working fine:
https://gitlab.com/tpetazzoni/buildroot/-/pipelines/984500585
https://gitlab.com/tpetazzoni/buildroot/-/pipelines/984500679
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Arnout: fix check-package warning in patch 0002]
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
---
.checkpackageignore | 1 -
...b-mkconfig-Restore-umask-for-the-grub.cfg.patch | 6 +-
...efi-chainloader-Simplify-the-loader-state.patch | 126 ++++
...ds-boot-Add-API-to-pass-context-to-loader.patch | 165 +++++
...er-efi-chainloader-Use-grub_loader_set_ex.patch | 80 +++
...-Reject-non-kernel-files-in-the-shim_lock.patch | 105 ++++
.../0007-video-Remove-trailing-whitespaces.patch | 689 +++++++++++++++++++++
...rs-png-Abort-sooner-if-a-read-operation-f.patch | 204 ++++++
...rs-png-Refuse-to-handle-multiple-image-he.patch | 34 +
...rs-png-Drop-greyscale-support-to-fix-heap.patch | 173 ++++++
...rs-png-Avoid-heap-OOB-R-W-inserting-huff-.patch | 44 ++
...rs-jpeg-Block-int-underflow-wild-pointer-.patch | 78 +++
.../0013-net-ip-Do-IP-fragment-maths-safely.patch | 56 ++
...http-Fix-OOB-write-for-split-http-headers.patch | 50 ++
...p-Error-out-on-headers-with-LF-without-CR.patch | 52 ++
...ze-overflow-in-grub_font_get_glyph_intern.patch | 116 ++++
...veral-integer-overflows-in-grub_font_cons.patch | 83 +++
...ont-Fix-an-integer-underflow-in-blit_comb.patch | 93 +++
boot/grub2/grub2.mk | 19 +
19 files changed, 2170 insertions(+), 4 deletions(-)
Patch is too large, so refusing to show it
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2023-08-30 19:59 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-08-30 19:54 [Buildroot] [git commit] boot/grub2: backport fixes for numerous CVEs Arnout Vandecappelle via buildroot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).