grub2: CVE-2022-28735 grub2: shim_lock verifier allows non-kernel files to be loaded

Debian Bug report logs - #1001057
grub2: CVE-2022-28735 grub2: shim_lock verifier allows non-kernel files to be loaded

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: grub2: hold 2.06 in unstable for now

Date: Fri, 3 Dec 2021 11:17:26 +0000

Package: grub2
Version: 2.06-2
Severity: serious
Justification: maintainer says so

GRUB 2.06 is a pretty big change over 2.04.  I'd like to hold this in
unstable for a while longer to let things shake out before we allow it
to move to testing.

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]

Message #10 received at 1001057@bugs.debian.org (full text, mbox, reply):

From: Paul Gevers <elbrus@debian.org>

To: 1001057@bugs.debian.org

Subject: Re: grub2: hold 2.06 in unstable for now

Date: Fri, 28 Jan 2022 19:52:35 +0100

[Message part 1 (text/plain, inline)]

Hi Colin,

On Fri, 3 Dec 2021 11:17:26 +0000 Colin Watson <cjwatson@debian.org> wrote:
> GRUB 2.06 is a pretty big change over 2.04.  I'd like to hold this in
> unstable for a while longer to let things shake out before we allow it
> to move to testing.

grub2 showed up in my out-of-sync tracking script output. Do you think 
it's about time you could let grub2 into testing? I'm not trying to 
hurry you, take your time, but I was just wondering if you forgot about 
this bug.

Paul

[OpenPGP_signature (application/pgp-signature, attachment)]

Message #17 received at 1001057@bugs.debian.org (full text, mbox, reply):

From: Paul Gevers <elbrus@debian.org>

To: Holger Wansing <hwansing@mailbox.org>, Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Cc: 998353@bugs.debian.org, 1001057@bugs.debian.org

Subject: Re: wi32-loader migration [was: Re: Bug#998353: Bug#1007707: Update Indonesian translation]

Date: Wed, 23 Mar 2022 17:38:49 +0100

[Message part 1 (text/plain, inline)]

Hold your horses.

On 23-03-2022 07:44, Paul Gevers wrote:
> Last time [1], I just CC'ed ftpmaster and the magic happened, so dear 
> ftpmasters, can you do "that" again?

win32-loader is blocked behind grub2 now. I'm not aware of progress with 
bug #1001057 (in CC).

Paul

[OpenPGP_signature (application/pgp-signature, attachment)]

Message #22 received at 1001057@bugs.debian.org (full text, mbox, reply):

From: Julian Andres Klode <jak@debian.org>

To: Colin Watson <cjwatson@debian.org>, 1001057@bugs.debian.org

Subject: Re: Bug#1001057: grub2: hold 2.06 in unstable for now

Date: Wed, 8 Jun 2022 09:22:05 +0200

Control: retitle -1 grub2: CVE-2022-28735 grub2: shim_lock verifier allows non-kernel files to be loaded

On Fri, Dec 03, 2021 at 11:17:26AM +0000, Colin Watson wrote:
> Package: grub2
> Version: 2.06-2
> Severity: serious
> Justification: maintainer says so
> 
> GRUB 2.06 is a pretty big change over 2.04.  I'd like to hold this in
> unstable for a while longer to let things shake out before we allow it
> to move to testing.

Now that it's public, we can say that here's the real reason for this:

CVE-2022-28735 grub2: shim_lock verifier allows non-kernel files to be
loaded
6.7/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

The GRUB2's shim_lock verifier allows non-kernel files to be loaded on 
shim-powered
secure boot systems. Allowing such files to be loaded may lead to
unverified
code and modules to be loaded in GRUB2 breaking the secure boot
trust-chain.

https://lists.gnu.org/archive/html/grub-devel/2022-06/msg00035.html

That's why we wanted to keep it ouf of testing to not expose our testing
users to that.

Planning to have updates ready in the next couple days.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en

Message #29 received at 1001057-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

To: 1001057-close@bugs.debian.org

Subject: Bug#1001057: fixed in grub2 2.06-3

Date: Fri, 10 Jun 2022 09:49:22 +0000

Source: grub2
Source-Version: 2.06-3
Done: Julian Andres Klode <jak@debian.org>

We believe that the bug you reported is fixed in the latest version of
grub2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1001057@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julian Andres Klode <jak@debian.org> (supplier of updated grub2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 10 Jun 2022 11:15:11 +0200
Source: grub2
Architecture: source
Version: 2.06-3
Distribution: unstable
Urgency: medium
Maintainer: GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net>
Changed-By: Julian Andres Klode <jak@debian.org>
Closes: 952815 1001057 1007706
Changes:
 grub2 (2.06-3) unstable; urgency=medium
 .
   [ Colin Watson ]
   * Update a few leftover uses of "which" to use "command -v" instead.
   * Remove some old Lintian overrides.
   * Trim trailing whitespace.
   * debian/copyright: use spaces rather than tabs to start continuation lines.
   * Add missing ${misc:Depends} to Depends for grub-efi-ia32-signed-template,
     grub-efi-amd64-signed-template, grub-efi-arm64-signed-template.
   * Bump debhelper from old 10 to 13.
   * Set upstream metadata fields: Bug-Submit (from ./configure), Repository,
     Repository-Browse.
   * Drop now-unnecessary sparc PIE workaround from debian/rules (thanks,
     John Paul Adrian Glaubitz; closes: #952815).
 .
   [ Debconf translations ]
   * [id] Indonesian (Andika Triwidada; closes: #1007706).
 .
   [ Julian Andres Klode ]
   * Add Julian Andres Klode to uploaders
   * Disable building with LTO, as used in Ubuntu and possibly other
     downstreams (maybe Debian one day), as that breaks the build.
   * SECURITY UPDATE: Crafted PNG grayscale images may lead to out-of-bounds
     write in heap.
     - 0070-video-readers-png-Drop-greyscale-support-to-fix-heap.patch:
       video/readers/png: Drop greyscale support to fix heap out-of-bounds write
     - CVE-2021-3695
   * SECURITY UPDATE: Crafted PNG image may lead to out-of-bound write during
     huffman table handling.
     - 0071-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch:
       video/readers/png: Avoid heap OOB R/W inserting huff table items
     - CVE-2021-3696
   * SECURITY UPDATE: Crafted JPEG image can lead to buffer underflow write in
     the heap.
     - 0076-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch:
       video/readers/jpeg: Block int underflow -> wild pointer write
     - CVE-2021-3697
   * SECURITY UPDATE: Integer underflow in grub_net_recv_ip4_packets
     - 0079-net-ip-Do-IP-fragment-maths-safely.patch: net/ip: Do IP fragment
       maths safely
     - CVE-2022-28733
   * SECURITY UPDATE: Out-of-bounds write when handling split HTTP headers
     - 0085-net-http-Fix-OOB-write-for-split-http-headers.patch: net/http: Fix
       OOB write for split http headers
     - CVE-2022-28734
   * SECURITY UPDATE: shim_lock verifier allows non-kernel files to be loaded
     - 0066-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch:
       kern/efi/sb: Reject non-kernel files in the shim_lock verifier
     - CVE-2022-28735
     - Closes: #1001057
   * SECURITY UPDATE: use-after-free in grub_cmd_chainloader()
     - 0063-loader-efi-chainloader-Simplify-the-loader-state.patch:
       loader/efi/chainloader: simplify the loader state
     - 0064-commands-boot-Add-API-to-pass-context-to-loader.patch: commands/boot:
       Add API to pass context to loader
     - 0065-loader-efi-chainloader-Use-grub_loader_set_ex.patch:
       loader/efi/chainloader: Use grub_loader_set_ex
     - 0066-loader-i386-efi-linux-Use-grub_loader_set_ex.patch:
       loader/i386/efi/linux: Use grub_loader_set_ex
   * Various fixes as a result of fuzzing and static analysis:
     - 0067-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch:
       kern/file: Do not leak device_name on error in grub_file_open()
     - 0068-video-readers-png-Abort-sooner-if-a-read-operation-f.patch:
       video/readers/png: Abort sooner if a read operation fails
     - 0069-video-readers-png-Refuse-to-handle-multiple-image-he.patch:
       video/readers/png: Refuse to handle multiple image headers
     - 0072-video-readers-png-Sanity-check-some-huffman-codes.patch:
       video/readers/png: Sanity check some huffman codes
     - 0073-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch:
       video/readers/jpeg: Abort sooner if a read operation fails
     - 0074-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch:
       video/readers/jpeg: Do not reallocate a given huff table
     - 0075-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch:
       video/readers/jpeg: Refuse to handle multiple start of streams
     - 0077-normal-charset-Fix-array-out-of-bounds-formatting-un.patch:
       normal/charset: Fix array out-of-bounds formatting unicode for display
     - 0078-net-netbuff-Block-overly-large-netbuff-allocs.patch:
       net/netbuff: Block overly large netbuff allocs
     - 0080-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch:
       net/dns: Fix double-free addresses on corrupt DNS response
     - 0081-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch:
       net/dns: Don't read past the end of the string we're checking against
     - 0082-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch:
       net/tftp: Prevent a UAF and double-free from a failed seek
     - 0083-net-tftp-Avoid-a-trivial-UAF.patch: net/tftp: Avoid a trivial UAF
     - 0084-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch:
       net/http: Do not tear down socket if it's already been torn down
     - 0086-net-http-Error-out-on-headers-with-LF-without-CR.patch:
       net/http: Error out on headers with LF without CR
     - 0087-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch:
       fs/f2fs: Do not read past the end of nat journal entries
     - 0088-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch:
       fs/f2fs: Do not read past the end of nat bitmap
     - 0089-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch:
       fs/f2fs: Do not copy file names that are too long
     - 0090-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch:
       fs/btrfs: Fix several fuzz issues with invalid dir item sizing
     - 0091-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch:
       fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing
     - 0092-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch:
       fs/btrfs: Fix more fuzz issues related to chunks
   * Bump SBAT generation:
     - update debian/sbat.debian.csv.in
Checksums-Sha1:
 2f9797dd9c2b2beaeed51cab826cd70a784b826c 7199 grub2_2.06-3.dsc
 2dde9f9e9826902f46fb0496f3a1351f9d0e0c61 1084452 grub2_2.06-3.debian.tar.xz
Checksums-Sha256:
 46b403dbe0e7f24b0ceebeccc397e88a19fd029c3bc5afdb538580bb3fae3ea1 7199 grub2_2.06-3.dsc
 a85896f67cb2ceaf67bf1bcf704223e267e4cc776e002082c27b815ec41acaf7 1084452 grub2_2.06-3.debian.tar.xz
Files:
 4d442e1bbe80e5c3d3e6987b5404470f 7199 admin optional grub2_2.06-3.dsc
 5d35e3a9cf3f4262580ebf6b62e76ef7 1084452 admin optional grub2_2.06-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQJDBAEBCgAtFiEET7WIqEwt3nmnTHeHb6RY3R2wP3EFAmKjDvIPHGpha0BkZWJp
YW4ub3JnAAoJEG+kWN0dsD9xi84P/R7GKKw47HnvlhO+XX5T2JKgdY4iz4eyJ6IX
ikeyQE+If9f9Fihtys34LusTWZf05n3LJrutUPDWB/ukFSu7+2Pn9I+13e8niaEU
XAUj5X0FVNKKw9a3mTo+xHBtZglYFQBIkr2PsqK8B5nhXHP8rHC1poqX/pl+J2SP
jMxlyehjZVypJDqO/Om06+hxaHLOSfJZK+7mMgIz3KN2TcQgyK/CWwkEFlWEQuwn
RUIWVkaGZMQ2H9SIPvvhAKWzei/qC/1xtgBT/JDvQAtDbcpadiLIq3PXTYLce0Ea
VgqC24myr6iYPfVrLWNhLQ/54jHmi4RuHhwPhFzkQwR8neIFvE/7WXTLXydu2PUU
htNIkVad4xXAIKAiZcn3we0SEK1XPucBqs9IptwazGLZ4xufMFJ8f7idwUiZICcM
lSyKrKSRRbrVDI6NfvPBNxCK5s/OiwvJFvBZTgwczTUfoJpri/hRU3xcrU/hlJtS
7LwhAT4+ykaC+CoZChkliGQtlCit0jvchj1/2uRUTJ4wHIuBdjfU9GvFsXffzOZK
DbhPG+bKm9mxMx8cb2lXhg166Xe1gOuxHn3b4cQrXtt5ng5L9obaq9kbdNF9c5AY
GgMJAkTNf/0rLQB8masnwO4D6j1U9eROkItldh4Ja/W+PGobWdBBImz35EEp90j1
3f4/kqSE
=w5AF
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.