grub2: CVE-2022-28735 grub2: shim_lock verifier allows non-kernel files to be loaded

Related Vulnerabilities: CVE-2022-28735   CVE-2021-3695   CVE-2021-3696   CVE-2021-3697   CVE-2022-28733   CVE-2022-28734  

Debian Bug report logs - #1001057


Reported by: Colin Watson <cjwatson@debian.org>

Date: Fri, 3 Dec 2021 11:21:02 UTC

Severity: serious

Tags: security

Found in version grub2/2.06-2

Fixed in version grub2/2.06-3

Done: Julian Andres Klode <jak@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net>:
Bug#1001057; Package grub2. (Fri, 03 Dec 2021 11:21:04 GMT)


Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
New Bug report received and forwarded. Copy sent to GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net>. (Fri, 03 Dec 2021 11:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: grub2: hold 2.06 in unstable for now
Date: Fri, 3 Dec 2021 11:17:26 +0000
Package: grub2
Version: 2.06-2
Severity: serious
Justification: maintainer says so

GRUB 2.06 is a pretty big change over 2.04.  I'd like to hold this in
unstable for a while longer to let things shake out before we allow it
to move to testing.

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]



Information forwarded to debian-bugs-dist@lists.debian.org, GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net>:
Bug#1001057; Package grub2. (Fri, 28 Jan 2022 18:57:03 GMT)


Acknowledgement sent to Paul Gevers <elbrus@debian.org>:
Extra info received and forwarded to list. Copy sent to GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net>. (Fri, 28 Jan 2022 18:57:03 GMT)


Message #10 received at 1001057@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: 1001057@bugs.debian.org
Subject: Re: grub2: hold 2.06 in unstable for now
Date: Fri, 28 Jan 2022 19:52:35 +0100
Hi Colin,

On Fri, 3 Dec 2021 11:17:26 +0000 Colin Watson <cjwatson@debian.org> wrote:
> GRUB 2.06 is a pretty big change over 2.04.  I'd like to hold this in
> unstable for a while longer to let things shake out before we allow it
> to move to testing.

grub2 showed up in my out-of-sync tracking script output. Do you think 
it's about time you could let grub2 into testing? I'm not trying to 
hurry you, take your time, but I was just wondering if you forgot about 
this bug.

Paul

Added indication that bug 1001057 blocks 1005834 Request was from Paul Gevers <elbrus@debian.org> to submit@bugs.debian.org. (Tue, 15 Feb 2022 18:57:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net>:
Bug#1001057; Package grub2. (Wed, 23 Mar 2022 16:42:03 GMT)


Acknowledgement sent to Paul Gevers <elbrus@debian.org>:
Extra info received and forwarded to list. Copy sent to GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net>. (Wed, 23 Mar 2022 16:42:03 GMT)


Message #17 received at 1001057@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: Holger Wansing <hwansing@mailbox.org>, Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Cc: 998353@bugs.debian.org, 1001057@bugs.debian.org
Subject: Re: win32-loader migration [was: Re: Bug#998353: Bug#1007707: Update Indonesian translation]
Date: Wed, 23 Mar 2022 17:38:49 +0100
Hold your horses.

On 23-03-2022 07:44, Paul Gevers wrote:
> Last time [1], I just CC'ed ftpmaster and the magic happened, so dear 
> ftpmasters, can you do "that" again?

win32-loader is blocked behind grub2 now. I'm not aware of progress with 
bug #1001057 (in CC).

Paul

Information forwarded to debian-bugs-dist@lists.debian.org, GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net>:
Bug#1001057; Package grub2. (Wed, 08 Jun 2022 07:30:02 GMT)


Acknowledgement sent to Julian Andres Klode <jak@debian.org>:
Extra info received and forwarded to list. Copy sent to GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net>. (Wed, 08 Jun 2022 07:30:02 GMT)


Message #22 received at 1001057@bugs.debian.org:

From: Julian Andres Klode <jak@debian.org>
To: Colin Watson <cjwatson@debian.org>, 1001057@bugs.debian.org
Subject: Re: Bug#1001057: grub2: hold 2.06 in unstable for now
Date: Wed, 8 Jun 2022 09:22:05 +0200
Control: retitle -1 grub2: CVE-2022-28735 grub2: shim_lock verifier allows non-kernel files to be loaded

On Fri, Dec 03, 2021 at 11:17:26AM +0000, Colin Watson wrote:
> Package: grub2
> Version: 2.06-2
> Severity: serious
> Justification: maintainer says so
> 
> GRUB 2.06 is a pretty big change over 2.04.  I'd like to hold this in
> unstable for a while longer to let things shake out before we allow it
> to move to testing.

Now that it's public, we can say that here's the real reason for this:

CVE-2022-28735 grub2: shim_lock verifier allows non-kernel files to be loaded
6.7/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

The GRUB2's shim_lock verifier allows non-kernel files to be loaded on
shim-powered secure boot systems. Allowing such files to be loaded may
lead to unverified code and modules to be loaded in GRUB2 breaking the
secure boot trust-chain.

https://lists.gnu.org/archive/html/grub-devel/2022-06/msg00035.html

That's why we wanted to keep it out of testing to not expose our testing
users to that.

Planning to have updates ready in the next couple days.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en

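The message above describes the defect at the policy level: a verifier that checks kernels but lets every other file type through leaves the shim trust chain with no say over modules, configs or fonts that GRUB loads next. The following is an added example, not GRUB's code and not from the advisory: a deliberately simplified model of a shim_lock-style verifier in which the file-type names, the two `verifier_init_*` functions, the error codes and the constructed boot sequence are all hypothetical. It contrasts a permissive policy (non-kernel files pass through unverified, the behaviour the CVE text describes) with a deny-by-default policy (with shim lock active, anything that is not a kernel is rejected outright), and counts how many files each policy would let load without verification.

```c
/* Added example, not GRUB's code: a toy model of a shim_lock-style file
 * verifier. All type names, functions and the sample boot sequence below
 * are hypothetical stand-ins chosen for illustration. */
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical file categories a boot loader might be asked to load. */
typedef enum {
    FT_LINUX_KERNEL,   /* handed to shim for signature verification */
    FT_GRUB_MODULE,    /* executable code loaded into the loader itself */
    FT_CONFIG,         /* configuration that drives what gets loaded next */
    FT_FONT,           /* parsed binary data */
    FT_UNKNOWN         /* anything else */
} file_type_t;

typedef enum { V_OK = 0, V_ACCESS_DENIED = 1 } verify_err_t;

/* What the verifier asks the loader to do with a file it accepts. */
typedef enum { VERIFY_PASS, VERIFY_CHECK } verify_action_t;

/* Stand-in for "shim's verification protocol is present and enforcing". */
static bool shim_lock_enabled = true;

/* Permissive policy (models the defect): only kernels are routed to shim;
 * every other file type is accepted and loaded without any verification. */
verify_err_t verifier_init_permissive(file_type_t type, verify_action_t *action)
{
    if (type == FT_LINUX_KERNEL) {
        *action = VERIFY_CHECK;
        return V_OK;
    }
    *action = VERIFY_PASS;   /* unverified module/config/font loads anyway */
    return V_OK;
}

/* Deny-by-default policy (models the fix): with shim lock active, a kernel
 * is routed to shim and everything else is refused with an access error,
 * so no unverified code or configuration can enter the trust chain. */
verify_err_t verifier_init_strict(file_type_t type, verify_action_t *action)
{
    if (!shim_lock_enabled) {
        *action = VERIFY_PASS;   /* shim not enforcing: nothing to gate on */
        return V_OK;
    }
    switch (type) {
    case FT_LINUX_KERNEL:
        *action = VERIFY_CHECK;
        return V_OK;
    default:
        *action = VERIFY_PASS;   /* value is irrelevant; the load is refused */
        return V_ACCESS_DENIED;
    }
}

/* Count how many entries of a boot sequence a policy lets load with no
 * verification at all (accepted, and not routed to shim). */
int count_unverified(verify_err_t (*policy)(file_type_t, verify_action_t *),
                     const file_type_t *types, int n)
{
    int unverified = 0;
    for (int i = 0; i < n; i++) {
        verify_action_t action;
        if (policy(types[i], &action) == V_OK && action == VERIFY_PASS)
            unverified++;
    }
    return unverified;
}

/* Constructed sample boot sequence: a config, a font, a module, the kernel
 * and one unrecognised file. */
static const file_type_t sample_boot[] = {
    FT_CONFIG, FT_FONT, FT_GRUB_MODULE, FT_LINUX_KERNEL, FT_UNKNOWN
};
#define SAMPLE_N ((int)(sizeof sample_boot / sizeof sample_boot[0]))

int unverified_permissive(void)
{
    return count_unverified(verifier_init_permissive, sample_boot, SAMPLE_N);
}

int unverified_strict(void)
{
    return count_unverified(verifier_init_strict, sample_boot, SAMPLE_N);
}

int main(void)
{
    printf("permissive policy: %d of %d files load unverified\n",
           unverified_permissive(), SAMPLE_N);
    printf("strict policy:     %d of %d files load unverified\n",
           unverified_strict(), SAMPLE_N);
    return 0;
}
```

The design point is the default branch: a verifier that is consulted for every file type must treat "I cannot verify this" as a refusal rather than a pass-through, otherwise the one type it does check (the kernel) is protected while the code and configuration that decide what to load next are not.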


Changed Bug title to 'grub2: CVE-2022-28735 grub2: shim_lock verifier allows non-kernel files to be loaded' from 'grub2: hold 2.06 in unstable for now'. Request was from Julian Andres Klode <jak@debian.org> to 1001057-submit@bugs.debian.org. (Wed, 08 Jun 2022 07:30:02 GMT)


Reply sent to Julian Andres Klode <jak@debian.org>:
You have taken responsibility. (Fri, 10 Jun 2022 09:51:06 GMT)


Notification sent to Colin Watson <cjwatson@debian.org>:
Bug acknowledged by developer. (Fri, 10 Jun 2022 09:51:06 GMT)


Message #29 received at 1001057-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1001057-close@bugs.debian.org
Subject: Bug#1001057: fixed in grub2 2.06-3
Date: Fri, 10 Jun 2022 09:49:22 +0000
Source: grub2
Source-Version: 2.06-3
Done: Julian Andres Klode <jak@debian.org>

We believe that the bug you reported is fixed in the latest version of
grub2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1001057@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julian Andres Klode <jak@debian.org> (supplier of updated grub2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 10 Jun 2022 11:15:11 +0200
Source: grub2
Architecture: source
Version: 2.06-3
Distribution: unstable
Urgency: medium
Maintainer: GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net>
Changed-By: Julian Andres Klode <jak@debian.org>
Closes: 952815 1001057 1007706
Changes:
 grub2 (2.06-3) unstable; urgency=medium
 .
   [ Colin Watson ]
   * Update a few leftover uses of "which" to use "command -v" instead.
   * Remove some old Lintian overrides.
   * Trim trailing whitespace.
   * debian/copyright: use spaces rather than tabs to start continuation lines.
   * Add missing ${misc:Depends} to Depends for grub-efi-ia32-signed-template,
     grub-efi-amd64-signed-template, grub-efi-arm64-signed-template.
   * Bump debhelper from old 10 to 13.
   * Set upstream metadata fields: Bug-Submit (from ./configure), Repository,
     Repository-Browse.
   * Drop now-unnecessary sparc PIE workaround from debian/rules (thanks,
     John Paul Adrian Glaubitz; closes: #952815).
 .
   [ Debconf translations ]
   * [id] Indonesian (Andika Triwidada; closes: #1007706).
 .
   [ Julian Andres Klode ]
   * Add Julian Andres Klode to uploaders
   * Disable building with LTO, as used in Ubuntu and possibly other
     downstreams (maybe Debian one day), as that breaks the build.
   * SECURITY UPDATE: Crafted PNG grayscale images may lead to out-of-bounds
     write in heap.
     - 0070-video-readers-png-Drop-greyscale-support-to-fix-heap.patch:
       video/readers/png: Drop greyscale support to fix heap out-of-bounds write
     - CVE-2021-3695
   * SECURITY UPDATE: Crafted PNG image may lead to out-of-bound write during
     huffman table handling.
     - 0071-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch:
       video/readers/png: Avoid heap OOB R/W inserting huff table items
     - CVE-2021-3696
   * SECURITY UPDATE: Crafted JPEG image can lead to buffer underflow write in
     the heap.
     - 0076-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch:
       video/readers/jpeg: Block int underflow -> wild pointer write
     - CVE-2021-3697
   * SECURITY UPDATE: Integer underflow in grub_net_recv_ip4_packets
     - 0079-net-ip-Do-IP-fragment-maths-safely.patch: net/ip: Do IP fragment
       maths safely
     - CVE-2022-28733
   * SECURITY UPDATE: Out-of-bounds write when handling split HTTP headers
     - 0085-net-http-Fix-OOB-write-for-split-http-headers.patch: net/http: Fix
       OOB write for split http headers
     - CVE-2022-28734
   * SECURITY UPDATE: shim_lock verifier allows non-kernel files to be loaded
     - 0066-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch:
       kern/efi/sb: Reject non-kernel files in the shim_lock verifier
     - CVE-2022-28735
     - Closes: #1001057
   * SECURITY UPDATE: use-after-free in grub_cmd_chainloader()
     - 0063-loader-efi-chainloader-Simplify-the-loader-state.patch:
       loader/efi/chainloader: simplify the loader state
     - 0064-commands-boot-Add-API-to-pass-context-to-loader.patch: commands/boot:
       Add API to pass context to loader
     - 0065-loader-efi-chainloader-Use-grub_loader_set_ex.patch:
       loader/efi/chainloader: Use grub_loader_set_ex
     - 0066-loader-i386-efi-linux-Use-grub_loader_set_ex.patch:
       loader/i386/efi/linux: Use grub_loader_set_ex
   * Various fixes as a result of fuzzing and static analysis:
     - 0067-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch:
       kern/file: Do not leak device_name on error in grub_file_open()
     - 0068-video-readers-png-Abort-sooner-if-a-read-operation-f.patch:
       video/readers/png: Abort sooner if a read operation fails
     - 0069-video-readers-png-Refuse-to-handle-multiple-image-he.patch:
       video/readers/png: Refuse to handle multiple image headers
     - 0072-video-readers-png-Sanity-check-some-huffman-codes.patch:
       video/readers/png: Sanity check some huffman codes
     - 0073-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch:
       video/readers/jpeg: Abort sooner if a read operation fails
     - 0074-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch:
       video/readers/jpeg: Do not reallocate a given huff table
     - 0075-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch:
       video/readers/jpeg: Refuse to handle multiple start of streams
     - 0077-normal-charset-Fix-array-out-of-bounds-formatting-un.patch:
       normal/charset: Fix array out-of-bounds formatting unicode for display
     - 0078-net-netbuff-Block-overly-large-netbuff-allocs.patch:
       net/netbuff: Block overly large netbuff allocs
     - 0080-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch:
       net/dns: Fix double-free addresses on corrupt DNS response
     - 0081-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch:
       net/dns: Don't read past the end of the string we're checking against
     - 0082-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch:
       net/tftp: Prevent a UAF and double-free from a failed seek
     - 0083-net-tftp-Avoid-a-trivial-UAF.patch: net/tftp: Avoid a trivial UAF
     - 0084-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch:
       net/http: Do not tear down socket if it's already been torn down
     - 0086-net-http-Error-out-on-headers-with-LF-without-CR.patch:
       net/http: Error out on headers with LF without CR
     - 0087-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch:
       fs/f2fs: Do not read past the end of nat journal entries
     - 0088-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch:
       fs/f2fs: Do not read past the end of nat bitmap
     - 0089-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch:
       fs/f2fs: Do not copy file names that are too long
     - 0090-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch:
       fs/btrfs: Fix several fuzz issues with invalid dir item sizing
     - 0091-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch:
       fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing
     - 0092-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch:
       fs/btrfs: Fix more fuzz issues related to chunks
   * Bump SBAT generation:
     - update debian/sbat.debian.csv.in
Checksums-Sha1:
 2f9797dd9c2b2beaeed51cab826cd70a784b826c 7199 grub2_2.06-3.dsc
 2dde9f9e9826902f46fb0496f3a1351f9d0e0c61 1084452 grub2_2.06-3.debian.tar.xz
Checksums-Sha256:
 46b403dbe0e7f24b0ceebeccc397e88a19fd029c3bc5afdb538580bb3fae3ea1 7199 grub2_2.06-3.dsc
 a85896f67cb2ceaf67bf1bcf704223e267e4cc776e002082c27b815ec41acaf7 1084452 grub2_2.06-3.debian.tar.xz
Files:
 4d442e1bbe80e5c3d3e6987b5404470f 7199 admin optional grub2_2.06-3.dsc
 5d35e3a9cf3f4262580ebf6b62e76ef7 1084452 admin optional grub2_2.06-3.debian.tar.xz





Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 10 Jun 2022 13:48:02 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jun 11 13:13:47 2022; Machine Name: bembo
