[ Chris Coulson ]
* SECURITY UPDATE: Crafted PNG grayscale images may lead to out-of-bounds
write in heap.
- 0139-video-readers-png-Drop-greyscale-support-to-fix-heap.patch:
video/readers/png: Drop greyscale support to fix heap out-of-bounds write
- CVE-2021-3695
* SECURITY UPDATE: Crafted PNG image may lead to out-of-bound write during
huffman table handling.
- 0140-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch:
video/readers/png: Avoid heap OOB R/W inserting huff table items
- CVE-2021-3696
* SECURITY UPDATE: Crafted JPEG image can lead to buffer underflow write in
the heap.
- 0145-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch:
video/readers/jpeg: Block int underflow -> wild pointer write
- CVE-2021-3697
* SECURITY UPDATE: Integer underflow in grub_net_recv_ip4_packets
- 0148-net-ip-Do-IP-fragment-maths-safely.patch: net/ip: Do IP fragment
maths safely
- CVE-2022-28733
* SECURITY UPDATE: Out-of-bounds write when handling split HTTP headers
- 0154-net-http-Fix-OOB-write-for-split-http-headers.patch: net/http: Fix
OOB write for split http headers
- CVE-2022-28734
* SECURITY UPDATE: shim_lock verifier allows non-kernel files to be loaded
- 0135-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch:
kern/efi/sb: Reject non-kernel files in the shim_lock verifier
- CVE-2022-28735
* SECURITY UPDATE: use-after-free in grub_cmd_chainloader()
- 0130-loader-efi-chainloader-simplify-the-loader-state.patch:
loader/efi/chainloader: simplify the loader state
- 0131-commands-boot-Add-API-to-pass-context-to-loader.patch: commands/boot:
Add API to pass context to loader
- 0132-loader-efi-chainloader-Use-grub_loader_set_ex.patch:
loader/efi/chainloader: Use grub_loader_set_ex
- 0133-loader-i386-efi-linux-Use-grub_loader_set_ex.patch:
loader/i386/efi/linux: Use grub_loader_set_ex
* Various fixes as a result of fuzzing and static analysis:
- 0129-loader-efi-chainloader-grub_load_and_start_image-doe.patch:
loader/efi/chainloader: grub_load_and_start_image doesn't load and start
- 0134-loader-i386-efi-linux-Fix-a-memory-leak-in-the-initr.patch:
loader/i386/efi/linux: Fix a memory leak in the initrd command
- 0136-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch:
kern/file: Do not leak device_name on error in grub_file_open()
- 0137-video-readers-png-Abort-sooner-if-a-read-operation-f.patch:
video/readers/png: Abort sooner if a read operation fails
- 0138-video-readers-png-Refuse-to-handle-multiple-image-he.patch:
video/readers/png: Refuse to handle multiple image headers
- 0141-video-readers-png-Sanity-check-some-huffman-codes.patch:
video/readers/png: Sanity check some huffman codes
- 0142-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch:
video/readers/jpeg: Abort sooner if a read operation fails
- 0143-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch:
video/readers/jpeg: Do not reallocate a given huff table
- 0144-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch:
video/readers/jpeg: Refuse to handle multiple start of streams
- 0146-normal-charset-Fix-array-out-of-bounds-formatting-un.patch:
normal/charset: Fix array out-of-bounds formatting unicode for display
- 0147-net-netbuff-Block-overly-large-netbuff-allocs.patch:
net/netbuff: Block overly large netbuff allocs
- 0149-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch:
net/dns: Fix double-free addresses on corrupt DNS response
- 0150-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch:
net/dns: Don't read past the end of the string we're checking against
- 0151-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch:
net/tftp: Prevent a UAF and double-free from a failed seek
- 0152-net-tftp-Avoid-a-trivial-UAF.patch: net/tftp: Avoid a trivial UAF
- 0153-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch:
net/http: Do not tear down socket if it's already been torn down
- 0155-net-http-Error-out-on-headers-with-LF-without-CR.patch:
net/http: Error out on headers with LF without CR
- 0156-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch:
fs/f2fs: Do not read past the end of nat journal entries
- 0157-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch:
fs/f2fs: Do not read past the end of nat bitmap
- 0158-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch:
fs/f2fs: Do not copy file names that are too long
- 0159-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch:
fs/btrfs: Fix several fuzz issues with invalid dir item sizing
- 0160-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch:
fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing
- 0161-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch:
fs/btrfs: Fix more fuzz issues related to chunks
* Bump SBAT generation:
- update debian/sbat.ubuntu.csv.in
* Make the grub2/no_efi_extra_removable setting work correctly
- update debian/postinst.in
* Build grub2-unsigned packages with xz compression for compatibility
with xenial dpkg
- update debian/rules
[ Steve Langasek ]
* Bump versioned dependency on grub2-common to 2.02~beta2-36ubuntu3.32 for
necessary arm relocation support. LP: #1926748.
* debian/postinst.in: Unconditionally call grub-install with
--force-extra-removable on xenial and bionic, so that the \EFI\BOOT
removable path as used in cloud images receives the updates. LP: #1930742.
-- Chris Coulson <email address hidden> Tue, 07 Jun 2022 17:36:27 +0100
This bug was fixed in the package grub2-unsigned - 2.06-2ubuntu10
---------------
grub2-unsigned (2.06-2ubuntu10) jammy; urgency=medium
[ Chris Coulson ] readers- png-Drop- greyscale- support- to-fix- heap.patch: readers/ png: Drop greyscale support to fix heap out-of-bounds write readers- png-Avoid- heap-OOB- R-W-inserting- huff-.patch: readers/ png: Avoid heap OOB R/W inserting huff table items readers- jpeg-Block- int-underflow- wild-pointer- .patch: readers/ jpeg: Block int underflow -> wild pointer write recv_ip4_ packets ip-Do-IP- fragment- maths-safely. patch: net/ip: Do IP fragment http-Fix- OOB-write- for-split- http-headers. patch: net/http: Fix efi-sb- Reject- non-kernel- files-in- the-shim_ lock.patch: chainloader( ) efi-chainloader -simplify- the-loader- state.patch: efi/chainloader : simplify the loader state boot-Add- API-to- pass-context- to-loader. patch: commands/boot: efi-chainloader -Use-grub_ loader_ set_ex. patch: efi/chainloader : Use grub_loader_set_ex i386-efi- linux-Use- grub_loader_ set_ex. patch: i386/efi/ linux: Use grub_loader_set_ex efi-chainloader -grub_load_ and_start_ image-doe. patch: efi/chainloader : grub_load_ and_start_ image doesn't load and start i386-efi- linux-Fix- a-memory- leak-in- the-initr. patch: i386/efi/ linux: Fix a memory leak in the initrd command file-Do- not-leak- device_ name-on- error-in- grub_f. patch: readers- png-Abort- sooner- if-a-read- operation- f.patch: readers/ png: Abort sooner if a read operation fails readers- png-Refuse- to-handle- multiple- image-he. patch: readers/ png: Refuse to handle multiple image headers readers- png-Sanity- check-some- huffman- codes.patch: readers/ png: Sanity check some huffman codes readers- jpeg-Abort- sooner- if-a-read- operation- .patch: readers/ jpeg: Abort sooner if a read operation fails readers- jpeg-Do- not-reallocate- a-given- huff-ta. patch: readers/ jpeg: Do not reallocate a given huff table readers- jpeg-Refuse- to-handle- multiple- start-o. patch: readers/ jpeg: Refuse to handle multiple start of streams charset- Fix-array- out-of- bounds- formatting- un.patch: charset: Fix array out-of-bounds formatting unicode for display netbuff- Block-overly- large-netbuff- allocs. patch: dns-Fix- double- free-addresses- on-corrupt- DNS-res. patch: dns-Don- t-read- past-the- end-of- the-string- we-re-. patch: tftp-Prevent- a-UAF-and- double- free-from- a-failed. patch: tftp-Avoid- a-trivial- UAF.patch: net/tftp: Avoid a trivial UAF http-Do- not-tear- down-socket- if-it-s- already- bee.patch: http-Error- out-on- headers- with-LF- without- CR.patch: f2fs-Do- not-read- past-the- end-of- nat-journal- entr.patch: f2fs-Do- not-read- past-the- end-of- nat-bitmap. patch: f2fs-Do- not-copy- file-names- that-are- too-long. patch: btrfs-Fix- several- fuzz-issues- with-invalid- dir-it. patch: btrfs-Fix- more-ASAN- and-SEGV- issues- found-with- fu.patch: btrfs-Fix- more-fuzz- issues- related- to-chunks. patch: sbat.ubuntu. csv.in efi_extra_ removable setting work correctly
* SECURITY UPDATE: Crafted PNG grayscale images may lead to out-of-bounds
write in heap.
- 0139-video-
video/
- CVE-2021-3695
* SECURITY UPDATE: Crafted PNG image may lead to out-of-bound write during
huffman table handling.
- 0140-video-
video/
- CVE-2021-3696
* SECURITY UPDATE: Crafted JPEG image can lead to buffer underflow write in
the heap.
- 0145-video-
video/
- CVE-2021-3697
* SECURITY UPDATE: Integer underflow in grub_net_
- 0148-net-
maths safely
- CVE-2022-28733
* SECURITY UPDATE: Out-of-bounds write when handling split HTTP headers
- 0154-net-
OOB write for split http headers
- CVE-2022-28734
* SECURITY UPDATE: shim_lock verifier allows non-kernel files to be loaded
- 0135-kern-
kern/efi/sb: Reject non-kernel files in the shim_lock verifier
- CVE-2022-28735
* SECURITY UPDATE: use-after-free in grub_cmd_
- 0130-loader-
loader/
- 0131-commands-
Add API to pass context to loader
- 0132-loader-
loader/
- 0133-loader-
loader/
* Various fixes as a result of fuzzing and static analysis:
- 0129-loader-
loader/
- 0134-loader-
loader/
- 0136-kern-
kern/file: Do not leak device_name on error in grub_file_open()
- 0137-video-
video/
- 0138-video-
video/
- 0141-video-
video/
- 0142-video-
video/
- 0143-video-
video/
- 0144-video-
video/
- 0146-normal-
normal/
- 0147-net-
net/netbuff: Block overly large netbuff allocs
- 0149-net-
net/dns: Fix double-free addresses on corrupt DNS response
- 0150-net-
net/dns: Don't read past the end of the string we're checking against
- 0151-net-
net/tftp: Prevent a UAF and double-free from a failed seek
- 0152-net-
- 0153-net-
net/http: Do not tear down socket if it's already been torn down
- 0155-net-
net/http: Error out on headers with LF without CR
- 0156-fs-
fs/f2fs: Do not read past the end of nat journal entries
- 0157-fs-
fs/f2fs: Do not read past the end of nat bitmap
- 0158-fs-
fs/f2fs: Do not copy file names that are too long
- 0159-fs-
fs/btrfs: Fix several fuzz issues with invalid dir item sizing
- 0160-fs-
fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing
- 0161-fs-
fs/btrfs: Fix more fuzz issues related to chunks
* Bump SBAT generation:
- update debian/
* Make the grub2/no_
- update debian/postinst.in
* Build grub2-unsigned packages with xz compression for compatibility
with xenial dpkg
- update debian/rules
[ Steve Langasek ] 36ubuntu3. 32 for extra-removable on xenial and bionic, so that the \EFI\BOOT
* Bump versioned dependency on grub2-common to 2.02~beta2-
necessary arm relocation support. LP: #1926748.
* debian/postinst.in: Unconditionally call grub-install with
--force-
removable path as used in cloud images receives the updates. LP: #1930742.
-- Chris Coulson <email address hidden> Tue, 07 Jun 2022 17:36:27 +0100