one grub

Bug #1915536 reported by Dimitri John Ledkov
Affects                    Status         Importance   Assigned to   Milestone
grub2 (Ubuntu)             Fix Released   Undecided    Unassigned
  Xenial                   Fix Released   Undecided    Unassigned
  Bionic                   Fix Released   Undecided    Unassigned
  Focal                    Fix Released   Undecided    Unassigned
  Groovy                   Fix Released   Undecided    Unassigned
  Hirsute                  Fix Released   Undecided    Unassigned
grub2-signed (Ubuntu)      Fix Released   Undecided    Unassigned
  Xenial                   Fix Released   Undecided    Unassigned
  Bionic                   Fix Released   Undecided    Unassigned
  Focal                    Fix Released   Undecided    Unassigned
  Groovy                   Fix Released   Undecided    Unassigned
  Hirsute                  Fix Released   Undecided    Unassigned
grub2-unsigned (Ubuntu)    Fix Released   Undecided    Unassigned
  Xenial                   Fix Released   Undecided    Unassigned
  Bionic                   Fix Released   Undecided    Unassigned
  Focal                    Fix Released   Undecided    Unassigned
  Groovy                   Fix Released   Undecided    Unassigned
  Hirsute                  Fix Released   Undecided    Unassigned

Bug Description

[Impact]

The proposal is to split src:grub2 into two source packages.

src:grub2 will continue to build most things, apart from bin|dbg|signing-template binary packages for platforms that get signed.

src:grub2-unsigned source package is a source-full copy of src:grub2 that only builds bin|dbg|signing-template binary packages for platforms that get signed and submits monolithic binaries for signing.

src:grub2-signed is built as before, but its maintainer scripts should be compatible across grub2-common from precise and up.

Stable series will receive grub2 update that drops building bin|dbg|signing-template.

Stable series will receive binary-copy of grub2-unsigned & grub2-signed, thus on signed platforms EFI apps and modules will be the same across all series.

[Caveats]

* In devel series, always upload grub2 with matching src:grub2-unsigned and src:grub2-signed. The unsigned package can be built with the ./debian/rules generate-grub2-unsigned command from src:grub2.

* In stable series, only upload src:grub2 when fixes needed in update-grub / grub.cfg / grub-install / etc, but not in the efi modules & apps.

* As needed, binary copy grub2-unsigned & grub2-signed from later series to stable series.

[Test Case]

 * Upgrade to new packages

 * Observe that system boots, one can use grub-mkimage / grub-mkrescue without issues.

[Where problems could occur]

 * There might be regression on the EFI platforms with grub 2.04 that have not so far been caught on Focal / Groovy / Hirsute.

description: updated
Dimitri John Ledkov (xnox) wrote :
Dimitri John Ledkov (xnox) wrote :

Horum, grub2-signed has typos in -dbg packages.

Dimitri John Ledkov (xnox) wrote :
tags: added: patch
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-signed - 1.163

---------------
grub2-signed (1.163) hirsute; urgency=medium

  * Make maintainer scripts compatible with any grub2-common since
    precise. LP: #1915536
  * Drop unused config_item function.
  * Only download signed binaries once.

 -- Dimitri John Ledkov <email address hidden> Tue, 23 Feb 2021 14:40:19 +0000

Changed in grub2-signed (Ubuntu):
status: New → Fix Released
Changed in grub2-signed (Ubuntu):
status: Fix Released → New
Changed in grub2 (Ubuntu Xenial):
status: New → Fix Committed
Changed in grub2 (Ubuntu Bionic):
status: New → Fix Committed
Changed in grub2 (Ubuntu Focal):
status: New → Fix Committed
Changed in grub2 (Ubuntu Groovy):
status: New → Fix Committed
Changed in grub2 (Ubuntu Hirsute):
status: New → Fix Committed
Changed in grub2-signed (Ubuntu Xenial):
status: New → Fix Committed
Changed in grub2-signed (Ubuntu Bionic):
status: New → Fix Committed
Changed in grub2-signed (Ubuntu Focal):
status: New → Fix Committed
Changed in grub2-signed (Ubuntu Groovy):
status: New → Fix Committed
Changed in grub2-signed (Ubuntu Hirsute):
status: New → Fix Committed
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (grub2/2.04-1ubuntu35.6)

All autopkgtests for the newly accepted grub2 (2.04-1ubuntu35.6) for groovy have finished running.
The following regressions have been reported in tests triggered by the package:

ubuntu-image/unknown (amd64)
grml2usb/unknown (amd64)
ubiquity/unknown (amd64)
grubzfs-testsuite/unknown (amd64)
zsys/unknown (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/groovy/update_excuses.html#grub2

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.04-1ubuntu42

---------------
grub2 (2.04-1ubuntu42) hirsute; urgency=medium

  * SECURITY UPDATE: acpi command allows privileged user to load crafted
    ACPI tables when secure boot is enabled.
    - 0126-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch: Don't
      register the acpi command when secure boot is enabled.
    - CVE-2020-14372
  * SECURITY UPDATE: use-after-free in rmmod command
    - 0128-dl-Only-allow-unloading-modules-that-are-not-depende.patch: Don't
      allow rmmod to unload modules that are dependencies of other modules.
    - CVE-2020-25632
  * SECURITY UPDATE: out-of-bound write in grub_usb_device_initialize()
    - 0129-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
    - CVE-2020-25647
  * SECURITY UPDATE: Stack buffer overflow in grub_parser_split_cmdline
    - 0206-kern-parser-Introduce-process_char-helper.patch,
      0207-kern-parser-Introduce-terminate_arg-helper.patch,
      0208-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch,
      0209-kern-buffer-Add-variable-sized-heap-buffer.patch,
      0210-kern-parser-Fix-a-stack-buffer-overflow.patch: Add a variable
      sized heap buffer type and use this.
    - CVE-2020-27749
  * SECURITY UPDATE: cutmem command allows privileged user to remove memory
    regions when Secure Boot is enabled.
    - 0127-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch:
      Don't register cutmem and badram commands when secure boot is enabled.
    - CVE-2020-27779
  * SECURITY UPDATE: heap out-of-bounds write in short form option parser.
    - 0173-lib-arg-Block-repeated-short-options-that-require-an.patch:
      Block repeated short options that require an argument.
    - CVE-2021-20225
  * SECURITY UPDATE: heap out-of-bound write due to mis-calculation of space
    required for quoting.
    - 0175-commands-menuentry-Fix-quoting-in-setparams_prefix.patch: Fix
      quoting in setparams_prefix()
    - CVE-2021-20233
  * Partially backport the lockdown framework to restrict certain features
    when secure boot is enabled.
  * Backport various fixes for Coverity defects.
  * Add SBAT metadata to the grub EFI binary.
    - Backport patches to support adding SBAT metadata with grub-mkimage:
      + 0212-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
      + 0213-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
      + 0214-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
      + 0215-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
      + 0216-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
      + 0217-util-mkimage-Improve-data_size-value-calculation.patch
      + 0218-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
      + 0219-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
    - Add debian/sbat.csv.in
    - Update debian/build-efi-image and debian/rules

  [ Dimitri John Ledkov & Steve Langasek LP: #1915536 ]
  * Allow grub-efi-amd64|arm64 & -bin & -dbg be built by
    src:grub2-unsigned (potentially of a higher version number).
  * Add debian/rules generate-grub2-unsigned target to quickly build
    src:grub2-unsigned fo...

Changed in grub2 (Ubuntu Hirsute):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-signed - 1.164

---------------
grub2-signed (1.164) hirsute; urgency=medium

  * Rebuild against grub2 2.04-1ubuntu42. LP: #1915536

 -- Dimitri John Ledkov <email address hidden> Mon, 01 Mar 2021 13:19:26 +0000

Changed in grub2-signed (Ubuntu Hirsute):
status: Fix Committed → Fix Released
tags: added: block-proposed block-proposed-hirsute
Changed in grub2 (Ubuntu Hirsute):
status: Fix Released → In Progress
Changed in grub2-signed (Ubuntu Hirsute):
status: Fix Released → In Progress
tags: removed: block-proposed block-proposed-hirsute patch
tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.04-1ubuntu44

---------------
grub2 (2.04-1ubuntu44) hirsute; urgency=medium

  * Compile grub-efi-amd64 installable i386 platform on hirsute, to make
    it available in bionic and earlier as part of onegrub builds.

 -- Dimitri John Ledkov <email address hidden> Wed, 03 Mar 2021 11:42:28 +0000

Changed in grub2 (Ubuntu Hirsute):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-signed - 1.166

---------------
grub2-signed (1.166) hirsute; urgency=medium

  * Rebuild against grub2 2.04-1ubuntu44.

 -- Dimitri John Ledkov <email address hidden> Thu, 04 Mar 2021 14:26:28 +0000

Changed in grub2-signed (Ubuntu Hirsute):
status: In Progress → Fix Released
Mathew Hodson (mhodson) wrote :

grub2-unsigned (2.04-1ubuntu44) hirsute; urgency=medium

  * Compile grub-efi-amd64 installable i386 platform on hirsute, to make
    it available in bionic and earlier as part of onegrub builds.
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Dimitri John Ledkov <email address hidden> Wed, 03 Mar 2021 11:42:28 +0000

Changed in grub2-unsigned (Ubuntu Hirsute):
status: New → Fix Released
Changed in grub2-unsigned (Ubuntu Groovy):
status: New → Fix Committed
Changed in grub2-unsigned (Ubuntu Focal):
status: New → Fix Committed
Changed in grub2-unsigned (Ubuntu Bionic):
status: New → Fix Committed
Changed in grub2-unsigned (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-done verification-done-bionic verification-done-focal verification-done-groovy verification-done-xenial
Dimitri John Ledkov (xnox) wrote :

For SRU release - all three source packages must be released / copied together. It is best to monitor that copies are successful, as previously src:grub2-unsigned failed to copy.
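
The pairing requirement in the [Caveats] section and in the comment above can be checked on an installed system. The following is an added example, not part of the original report or of the Ubuntu packaging. It assumes the signed binary package version has the form `<grub2-signed version>+<grub2-unsigned version>`; the function name and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect a signed/unsigned GRUB EFI mismatch, e.g. after a
# partial copy where grub2-signed landed but grub2-unsigned did not.
# ASSUMPTION: grub-efi-ARCH-signed is versioned "<signed>+<unsigned>",
# for instance "1.166+2.04-1ubuntu44".

# check_grub_pairing ARCH
# Reads "package version" lines on stdin, as printed by:
#   dpkg-query -W -f='${Package} ${Version}\n' 'grub-efi-*'
# Returns 0 when the versions pair up, 1 on mismatch, 2 when a package
# is missing or its version cannot be parsed.
check_grub_pairing() {
    arch=$1
    bin_ver=
    signed_ver=
    while read -r pkg ver; do
        case $pkg in
            "grub-efi-$arch-bin")    bin_ver=$ver ;;
            "grub-efi-$arch-signed") signed_ver=$ver ;;
        esac
    done
    if [ -z "$bin_ver" ] || [ -z "$signed_ver" ]; then
        echo "missing: grub-efi-$arch-bin and grub-efi-$arch-signed must both be installed"
        return 2
    fi
    case $signed_ver in
        # Strip only up to the first '+', the unsigned version may contain one.
        *+*) built_against=${signed_ver#*+} ;;
        *)   echo "unparsed: signed version '$signed_ver' has no '+' separator"
             return 2 ;;
    esac
    if [ "$built_against" = "$bin_ver" ]; then
        echo "ok: signed image and modules both come from $bin_ver"
        return 0
    fi
    echo "mismatch: signed image built from $built_against, modules are $bin_ver"
    return 1
}

# Constructed sample input (not taken from the bug report): the -bin package
# is still at the older upload while the signed package was rebuilt.
check_grub_pairing amd64 <<'EOF' || true
grub-efi-amd64-bin 2.04-1ubuntu42
grub-efi-amd64-signed 1.166+2.04-1ubuntu44
EOF
```

On a live system, pipe the `dpkg-query` command from the comment into `check_grub_pairing amd64` (or `arm64`) and treat a non-zero exit status as a reason to hold the release.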

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.04-1ubuntu35.6

---------------
grub2 (2.04-1ubuntu35.6) groovy; urgency=medium

  [ Dimitri John Ledkov & Steve Langasek ]
  * Relax dependencies to allow grub-efi be installed with later versions
    of grub-efi-amd64. Stop building grub-efi-amd64|arm64{-bin,dbg}
    packages, now provided by src:grub2-unsigned. LP: #1915536

 -- Dimitri John Ledkov <email address hidden> Wed, 24 Feb 2021 14:55:25 +0000

Changed in grub2 (Ubuntu Groovy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-signed - 1.167

---------------
grub2-signed (1.167) hirsute; urgency=medium

  * grub-efi-amd64-signed: add depends on grub2-common with support for
    R_X86_64_PLT32 relocations. LP: #1920008

 -- Dimitri John Ledkov <email address hidden> Thu, 18 Mar 2021 11:17:14 +0000

Changed in grub2-signed (Ubuntu Groovy):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for grub2 has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Changed in grub2-unsigned (Ubuntu Groovy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.04-1ubuntu26.11

---------------
grub2 (2.04-1ubuntu26.11) focal; urgency=medium

  [ Dimitri John Ledkov & Steve Langasek ]
  * Relax dependencies to allow grub-efi be installed with later versions
    of grub-efi-amd64. Stop building grub-efi-amd64|arm64{-bin,dbg}
    packages, now provided by src:grub2-unsigned. LP: #1915536

 -- Dimitri John Ledkov <email address hidden> Wed, 24 Feb 2021 19:33:38 +0000

Changed in grub2 (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-signed - 1.167

---------------
grub2-signed (1.167) hirsute; urgency=medium

  * grub-efi-amd64-signed: add depends on grub2-common with support for
    R_X86_64_PLT32 relocations. LP: #1920008

 -- Dimitri John Ledkov <email address hidden> Thu, 18 Mar 2021 11:17:14 +0000

Changed in grub2-signed (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.02~beta2-36ubuntu3.31

---------------
grub2 (2.02~beta2-36ubuntu3.31) xenial; urgency=medium

  [ Dimitri John Ledkov & Steve Langasek ]
  * Relax dependencies to allow grub-efi be installed with later versions
    of grub-efi-amd64. Stop building grub-efi-amd64|arm64{-bin,dbg}
    packages, now provided by src:grub2-unsigned. LP: #1915536

  [ Dimitri John Ledkov ]
  * Cherrypick 2.02+dfsg1-5 patch for x86-64: Treat R_X86_64_PLT32 as
    R_X86_64_PC32 to allow processing 2.04 grub modules built with newer
    binutils.

 -- Dimitri John Ledkov <email address hidden> Wed, 24 Feb 2021 19:59:33 +0000

Changed in grub2 (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-signed - 1.167~16.04.1

---------------
grub2-signed (1.167~16.04.1) xenial; urgency=medium

  * Use debhelper-compat 9 for ease of SRUs to Bionic and earlier. LP:
    #1920008

grub2-signed (1.167~16.04.0) xenial; urgency=medium

  * grub-efi-amd64-signed: add depends on grub2-common with support for
    R_X86_64_PLT32 relocations. LP: #1920008

 -- Dimitri John Ledkov <email address hidden> Tue, 23 Mar 2021 11:01:58 +0000

Changed in grub2-signed (Ubuntu Xenial):
status: Fix Committed → Fix Released
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Dimitri, or anyone else affected,

Accepted grub2 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02~beta2-36ubuntu3.32 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in grub2 (Ubuntu Xenial):
status: Fix Released → Fix Committed
tags: added: verification-needed verification-needed-xenial
removed: verification-done verification-done-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.02-2ubuntu8.23

---------------
grub2 (2.02-2ubuntu8.23) bionic; urgency=medium

  [ Dimitri John Ledkov & Steve Langasek ]
  * Relax dependencies to allow grub-efi be installed with later versions
    of grub-efi-amd64. Stop building grub-efi-amd64|arm64{-bin,dbg}
    packages, now provided by src:grub2-unsigned. LP: #1915536

  [ Dimitri John Ledkov ]
  * Cherrypick 2.02+dfsg1-5 patch for x86-64: Treat R_X86_64_PLT32 as
    R_X86_64_PC32 to allow processing 2.04 grub modules built with newer
    binutils.

 -- Dimitri John Ledkov <email address hidden> Wed, 24 Feb 2021 19:47:47 +0000

Changed in grub2 (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-signed - 1.167~18.04.1

---------------
grub2-signed (1.167~18.04.1) bionic; urgency=medium

  * Use debhelper-compat 9 for ease of SRUs to Bionic and earlier. LP:
    #1920008

grub2-signed (1.167~18.04.0) bionic; urgency=medium

  * grub-efi-amd64-signed: add depends on grub2-common with support for
    R_X86_64_PLT32 relocations. LP: #1920008

 -- Dimitri John Ledkov <email address hidden> Tue, 23 Mar 2021 11:01:58 +0000

Changed in grub2-signed (Ubuntu Bionic):
status: Fix Committed → Fix Released
Julian Andres Klode (juliank) wrote :

Going to mark this as verified again for xenial, as .32 was a regression fix for the relocation, but did not affect validation of this bug.

tags: added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.02~beta2-36ubuntu3.32

---------------
grub2 (2.02~beta2-36ubuntu3.32) xenial; urgency=medium

  * Cherrypick upstream commit to add support for
    R_AARCH64_ADR_PREL_PG_HI21, R_AARCH64_ADD_ABS_LO12_NC,
    R_AARCH64_LDST64_ABS_LO12_NC relocations in grub-install / mkimage to
    allow generating and installing grub.efi from one-grub modules. LP:
    #1926748

grub2 (2.02~beta2-36ubuntu3.31) xenial; urgency=medium

  [ Dimitri John Ledkov & Steve Langasek ]
  * Relax dependencies to allow grub-efi be installed with later versions
    of grub-efi-amd64. Stop building grub-efi-amd64|arm64{-bin,dbg}
    packages, now provided by src:grub2-unsigned. LP: #1915536

  [ Dimitri John Ledkov ]
  * Cherrypick 2.02+dfsg1-5 patch for x86-64: Treat R_X86_64_PLT32 as
    R_X86_64_PC32 to allow processing 2.04 grub modules built with newer
    binutils.

 -- Dimitri John Ledkov <email address hidden> Fri, 30 Apr 2021 13:33:21 +0100

Changed in grub2 (Ubuntu Xenial):
status: Fix Committed → Fix Released
Steve Langasek (vorlon)
Changed in grub2-unsigned (Ubuntu Xenial):
status: Fix Committed → Fix Released
Changed in grub2-unsigned (Ubuntu Bionic):
status: Fix Committed → Fix Released
Changed in grub2-unsigned (Ubuntu Focal):
status: Fix Committed → Fix Released