Change log for grub2-unsigned package in Ubuntu

grub2-unsigned (2.12~rc1-10ubuntu4) mantic; urgency=high

  * SECURITY UPDATE: Crafted file system images can cause out-of-bounds write
    and may leak sensitive information into the GRUB pager.
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-
      label.patch:
      fs/ntfs: Fix an OOB read when parsing a volume label
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-bs-for-
      index-at.patch:
      fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-dory-
      entries-fr.patch:
      fs/ntfs: Fix an OOB read when parsing directory entries from resident and
      non-resident index attributes
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-reading-data-fhe-
      reside.patch:
      fs/ntfs: Fix an OOB read when reading data from the resident $DATA +
      attribute
    - CVE-2023-4693
  * SECURITY UPDATE: Crafted file system images can cause heap-based buffer
    overflow and may allow arbitrary code execution and secure boot bypass.
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-write-when-parsing-the-
      ATTRIBUTE_LIST-.patch:
      fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute for
      the $MFT file
    - d/patches/ntfs-cve-fixes/fs-ntfs-Make-code-more-readable.patch
      fs/ntfs: Make code more readable
    - CVE-2023-4692
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Mate Kukri <email address hidden>  Mon, 02 Oct 2023 15:23:58 +0100

Available diffs

• diff from 2.12~rc1-4ubuntu1 (in ~ubuntu-uefi-team/ubuntu/ppa) to 2.12~rc1-10ubuntu4 (18.0 KiB)
• diff from 2.12~rc1-10ubuntu2 (in ~ubuntu-uefi-team/ubuntu/ppa) to 2.12~rc1-10ubuntu4 (5.2 KiB)
• diff from 2.12~rc1-10ubuntu3 to 2.12~rc1-10ubuntu4 (858 bytes)

grub2-unsigned (2.06-2ubuntu17.2) lunar; urgency=high

  * SECURITY UPDATE: Crafted file system images can cause out-of-bounds write
    and may leak sensitive information into the GRUB pager.
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-
      label.patch:
      fs/ntfs: Fix an OOB read when parsing a volume label
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-bs-for-
      index-at.patch:
      fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-dory-
      entries-fr.patch:
      fs/ntfs: Fix an OOB read when parsing directory entries from resident and
      non-resident index attributes
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-reading-data-fhe-
      reside.patch:
      fs/ntfs: Fix an OOB read when reading data from the resident $DATA +
      attribute
    - CVE-2023-4693
  * SECURITY UPDATE: Crafted file system images can cause heap-based buffer
    overflow and may allow arbitrary code execution and secure boot bypass.
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-write-when-parsing-the-
      ATTRIBUTE_LIST-.patch:
      fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute for
      the $MFT file
    - d/patches/ntfs-cve-fixes/fs-ntfs-Make-code-more-readable.patch
      fs/ntfs: Make code more readable
    - CVE-2023-4692
  * efi/fdt: Apply device tree fixups directly after loading
    - add debian/patches/fdt-fixup-after-load.patch
    - LP: #2028931
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Mate Kukri <email address hidden>  Mon, 02 Oct 2023 15:25:43 +0100

Available diffs

• diff from 2.06-2ubuntu17 (in ~ubuntu-uefi-team/ubuntu/ppa) to 2.06-2ubuntu17.2 (6.0 KiB)
• diff from 2.06-2ubuntu17.1 to 2.06-2ubuntu17.2 (899 bytes)

grub2-unsigned (2.06-2ubuntu14.4) jammy; urgency=high

  * SECURITY UPDATE: Crafted file system images can cause out-of-bounds write
    and may leak sensitive information into the GRUB pager.
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-
      label.patch:
      fs/ntfs: Fix an OOB read when parsing a volume label
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-bs-for-
      index-at.patch:
      fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-dory-
      entries-fr.patch:
      fs/ntfs: Fix an OOB read when parsing directory entries from resident and
      non-resident index attributes
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-reading-data-fhe-
      reside.patch:
      fs/ntfs: Fix an OOB read when reading data from the resident $DATA +
      attribute
    - CVE-2023-4693
  * SECURITY UPDATE: Crafted file system images can cause heap-based buffer
    overflow and may allow arbitrary code execution and secure boot bypass.
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-write-when-parsing-the-
      ATTRIBUTE_LIST-.patch:
      fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute for
      the $MFT file
    - d/patches/ntfs-cve-fixes/fs-ntfs-Make-code-more-readable.patch
      fs/ntfs: Make code more readable
    - CVE-2023-4692
  * efi/fdt: Apply device tree fixups directly after loading
    - add debian/patches/fdt-fixup-after-load.patch
    - LP: #2028931
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Mate Kukri <email address hidden>  Mon, 02 Oct 2023 15:26:59 +0100

Available diffs

• diff from 2.06-2ubuntu14.1 (in ~ubuntu-uefi-team/ubuntu/ppa) to 2.06-2ubuntu14.4 (8.9 KiB)
• diff from 2.06-2ubuntu14.2 (in ~ubuntu-uefi-team/ubuntu/ppa) to 2.06-2ubuntu14.4 (6.0 KiB)
• diff from 2.04-1ubuntu47.5 to 2.06-2ubuntu14.4 (2.4 MiB)
• diff from 2.06-2ubuntu14.3 to 2.06-2ubuntu14.4 (907 bytes)

grub2-unsigned (2.12~rc1-10ubuntu2) mantic; urgency=medium

  * Merge from Debian unstable to pick up fixes (LP: #2028947); remaining changes:
    - Add Ubuntu sbat data
    - build-efi-images: do not produce -installer.efi.signed. LP: 1863994
    - grub-common: Install canonical-uefi-ca.crt
    - Check signatures
    - Support installing to multiple ESP (LP: 1871821)
    - Disable various bits on i386
    - Split out unsigned artefacts into grub2-unsigned
    - Vcs-Git: Point to ubuntu packaging branch
    - Relax dependencies on grub-common and grub2-common
    - grub-pc: Avoid the possibility of breaking grub on SRU update due
      to ABI change
    - UBUNTU: Default timeout changes
    - Revert "Add jfs module to signed UEFI images. Closes: #950959"
    - Revert "Add f2fs module to signed UEFI images"
    - Install grub-initrd-fallback.service again
    - Build using -O1 on s390x to avoid misoptimization
    - grub-check-signatures: Support gzip compressed kernels (LP: #1954683)
    - grub-multi-install: Reset partition type between partitions (LP: #1997795)
    - Drop i386 from grub-efi-amd64* (LP: #2020907)
    - Turn depends on grub-efi-amd64/arm64 unversioned
    - forward port fix for LP: #1926748
    - Make the grub2/no_efi_extra_removable setting work correctly
    - Forward port the fix for LP: #1930742 and make it conditional (xenial/bionic only)
    - Build grub2-unsigned packages with xz compression
    - Replaced patches:
      - installe-signed.patched
      - grub-install-extra-removable.patch
      - grub-install-removable-shim.patch
    - Added patches:
      + rhboot-f34-dont-use-int-for-efi-status.patch
      + rhboot-f34-make-exit-take-a-return-code.patch
      + suse-grub.texi-add-net_bootp6-document.patch
      + ubuntu-add-devicetree-command-support.patch
      + ubuntu-add-initrd-less-boot-fallback.patch
      + ubuntu-add-initrd-less-boot-messages.patch
      + ubuntu-boot-from-multipath-dependent-symlink.patch
      + ubuntu-dont-verify-loopback-images.patch
      + ubuntu-fix-lzma-decompressor-objcopy.patch
      + ubuntu-grub-install-extra-removable.patch
      + ubuntu-install-signed.patch
      + ubuntu-mkconfig-leave-breadcrumbs.patch
      + ubuntu-os-prober-auto.patch
      + ubuntu-recovery-dis_ucode_ldr.patch
      + ubuntu-resilient-boot-boot-order.patch
      + ubuntu-resilient-boot-ignore-alternative-esps.patch
      + ubuntu-shorter-version-info.patch
      + ubuntu-speed-zsys-history.patch
      + ubuntu-support-initrd-less-boot.patch
      + ubuntu-verifiers-last.patch
      + ubuntu-zfs-enhance-support.patch
      + ubuntu-zfs-gfxpayload-dynamic.patch
      + ubuntu-zfs-gfxpayload-keep-default.patch
      + ubuntu-zfs-insmod-xzio-and-lzopio-on-xen.patch
      + ubuntu-zfs-mkconfig-recovery-title.patch
      + ubuntu-zfs-mkconfig-signed-kernel.patch
      + ubuntu-zfs-mkconfig-ubuntu-distributor.patch
      + ubuntu-zfs-mkconfig-ubuntu-recovery.patch
      + ubuntu-zfs-vt-handoff.patch
  * Dropped Ubuntu changes:
    - Temporarily rmmod peimage for os-prober chainloader entries (LP: #2030810)
  * Revert: "Have -bin packages Break pre-2.12 -signed packages.", this is not
    compatible with our versioning schemes.
  * Install a /usr/lib/grub/grub-sort-version and use that to sort versions as
    it respects GRUB_FLAVOUR_ORDER. Depend on python3 to do so.
  * rules: Add DPKG_BUILDPACKAGE_OPTIONS to generate-grub2-unsigned
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

Available diffs

• diff from 2.12~rc1-4ubuntu1 to 2.12~rc1-10ubuntu2 (13.3 KiB)
• diff from 2.12~rc1-10ubuntu1 to 2.12~rc1-10ubuntu2 (753 bytes)

grub2-unsigned (2.12~rc1-4ubuntu1) mantic; urgency=medium

  * Merge from Debian unstable (LP: #2028947); remaining changes:
    - Add Ubuntu sbat data
    - build-efi-images: do not produce -installer.efi.signed. LP: 1863994
    - grub-common: Install canonical-uefi-ca.crt
    - Check signatures
    - Support installing to multiple ESP (LP: 1871821)
    - Disable various bits on i386
    - Split out unsigned artefacts into grub2-unsigned
    - Vcs-Git: Point to ubuntu packaging branch
    - Relax dependencies on grub-common and grub2-common
    - grub-pc: Avoid the possibility of breaking grub on SRU update due
      to ABI change
    - UBUNTU: Default timeout changes
    - Revert "Add jfs module to signed UEFI images. Closes: #950959"
    - Revert "Add f2fs module to signed UEFI images"
    - Install grub-initrd-fallback.service again
    - Build using -O1 on s390x to avoid misoptimization
    - grub-check-signatures: Support gzip compressed kernels (LP: #1954683)
    - grub-multi-install: Reset partition type between partitions (LP: #1997795)
    - Drop i386 from grub-efi-amd64* (LP: #2020907)
    - Turn depends on grub-efi-amd64/arm64 unversioned
    - forward port fix for LP: #1926748
    - Make the grub2/no_efi_extra_removable setting work correctly
    - Forward port the fix for LP: #1930742 and make it conditional (xenial/bionic only)
    - Build grub2-unsigned packages with xz compression
    - Replaced patches:
      - installe-signed.patched
      - grub-install-extra-removable.patch
      - grub-install-removable-shim.patch
    - Added patches:
      + rhboot-f34-dont-use-int-for-efi-status.patch
      + rhboot-f34-make-exit-take-a-return-code.patch
      + suse-grub.texi-add-net_bootp6-document.patch
      + ubuntu-add-devicetree-command-support.patch
      + ubuntu-add-initrd-less-boot-fallback.patch
      + ubuntu-add-initrd-less-boot-messages.patch
      + ubuntu-boot-from-multipath-dependent-symlink.patch
      + ubuntu-dont-verify-loopback-images.patch
      + ubuntu-fix-lzma-decompressor-objcopy.patch
      + ubuntu-grub-install-extra-removable.patch
      + ubuntu-install-signed.patch
      + ubuntu-mkconfig-leave-breadcrumbs.patch
      + ubuntu-os-prober-auto.patch
      + ubuntu-recovery-dis_ucode_ldr.patch
      + ubuntu-resilient-boot-boot-order.patch
      + ubuntu-resilient-boot-ignore-alternative-esps.patch
      + ubuntu-shorter-version-info.patch
      + ubuntu-speed-zsys-history.patch
      + ubuntu-support-initrd-less-boot.patch
      + ubuntu-verifiers-last.patch
      + ubuntu-zfs-enhance-support.patch
      + ubuntu-zfs-gfxpayload-dynamic.patch
      + ubuntu-zfs-gfxpayload-keep-default.patch
      + ubuntu-zfs-insmod-xzio-and-lzopio-on-xen.patch
      + ubuntu-zfs-mkconfig-recovery-title.patch
      + ubuntu-zfs-mkconfig-signed-kernel.patch
      + ubuntu-zfs-mkconfig-ubuntu-distributor.patch
      + ubuntu-zfs-mkconfig-ubuntu-recovery.patch
      + ubuntu-zfs-vt-handoff.patch
  * Dropped Ubuntu changes:
    - All the rhboot loader patches
    - Temporarily, support for GRUB_FLAVOUR_ORDER
    - RISC-V patches, applied upstream:
      + efi-add-definition-of-LoadFile2-protocol.patch
      + efi-correct-struct-grub_efi_boot_services.patch
      + efi-implemented-LoadFile2-initrd-loading-protocol-fo.patch
      + efi-implement-grub_efi_run_image.patch
      + RISC-V-Update-image-header.patch
      + RISC-V-Use-common-linux-loader.patch
      + riscv-adjust-march-flags-for-binutils-2.38.patch
      + upstream/riscv-handle-r-riscv-call-plt-reloc.patch
      + loader-drop-argv-argument-in-grub_initrd_load.patch
      + loader-Move-arm64-linux-loader-to-common-code.patch
    - Networking patches (rebasing still WIP):
      + cherrypick-efi-grub_efi_close_protocol.patch
      + cherrypick-efinet-correct-closing-snp-protocol.patch
      + efinet-uefi-ipv6-pxe-support.patch
      + suse-add-support-for-UEFI-network-protocols.patch
      + suse-AUDIT-0-http-boot-tracker-bug.patch
    - Red Hat boot loader, replaced by upstream:
      + linuxefi-do-not-validate-kernels-twice.patch
      + linuxefi-Invalidate-i-cache-before-starting-the-kern.patch
      + rhboot-bounce-buffers.patch
      + rhboot-efi-allocate-in-kernel-bounds.patch
      + rhboot-efi-allocate-kernel-as-code-for-real.patch
      + rhboot-efi-allocate-kernel-as-code.patch
      + rhboot-efi-enumerated-array-for-allocation-choice.patch
      + rhboot-efi-fix-incorrect-array-size.patch
      + rhboot-efi-initrd-above-4gb.patch
      + rhboot-efi-kernel-allocator.patch
      + rhboot-efi-rearrange-grub-cmd-linux.patch
      + rhboot-efi-split-allocation-policy.patch
      + rhboot-f34-efinet-also-use-the-firmware-acceleration-for-http.patch
      + rhboot-f34-make-pmtimer-tsc-calibration-fast.patch
      + rhboot-try-to-pick-better-locations-for-kernel-and-initrd.patch
      + ubuntu-linuxefi-arm64.patch
      + ubuntu-linuxefi-arm64-set-base-addr.patch
      + ubuntu-linuxefi.patch
      + ubuntu-rhboot-cast-fixups.patch
      + ubuntu-efi-allow-loopmount-chainload.patch
      + ubuntu-efi-loader-code.patch
    - Security patches, applied upstream:
      + {0076...0161} security patches, applied upstream
      + font-*.patchi - security patches applied upstream
      + commands-efi-tpm-Use-grub_strcpy-instead-of-grub_memcpy.patch
      + fbutil-Fix-integer-overflow.patch
      + kern-efi-sb-Enforce-verification-of-font-files.patch
      + normal-charset-Fix-an-integer-overflow-in-grub_unicode_ag.patch
    - Misc patches, merged in Debian:
      + efi-EFI-Device-Tree-Fixup-Protocol.patch
      + efivar-check-that-efivarfs-is-writeable.patch
      + fat-fix-listing-the-root-directory.patch
      + fdt-add-debug-output-to-devicetree-command.patch
      + zstd-require-8-byte-buffer.patch
      + 0241-Call-hwmatch-only-on-the-grub-pc-platform.patch
    - Misc patches applied upstream:
      + 2.12-mm/* - applied upstream
      + ubuntu-fuse3.patch
      + xfs-fix-v4-superblock.patch
      + tpm-unknown-error-non-fatal.patch
      + commands-efi-tpm-Refine-the-status-of-log-event.patch
      + efi-tpm-Add-EFI_CC_MEASUREMENT_PROTOCOL-support.patch
      + linux_xen-Properly-load-multiple-initrd-files.patch
      + linux_xen-Properly-order-multiple-initrd-files.patch
      + linux-ignore-FDT-unless-we-need-to-modify-it.patch
      + mkrescue-efi-modules.patch
      + tests-ahci-update-qemu-device-name.patch
    - No longer relevant:
      + ubuntu-disable-LOAD-FILE2-protocol-for-initrd-on-ARM.patch
      + ubuntu-temp-keep-auto-nvram.patch: was temporary in 2019 lol
      + ubuntu-skip-disk-by-id-lvm-pvm-uuid-entries.patch
      + no-devicetree-if-secure-boot.patch
      + no-insmod-on-sb.patch
    - To be rewritten later in this cycle:
      + ubuntu-flavour-order.patch
    - Coalesced into some other patches:
      + ubuntu-zfs-maybe-quiet.patch
      + ubuntu-zfs-quick-boot.patch
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Julian Andres Klode <email address hidden>  Fri, 28 Jul 2023 15:34:32 +0200

Available diffs

• diff from 2.06-2ubuntu17 to 2.12~rc1-4ubuntu1 (3.8 MiB)
• diff from 2.12~rc1-4~ubuntu1~ppa1 to 2.12~rc1-4ubuntu1 (16.7 KiB)

grub2-unsigned (2.06-2ubuntu14.2) kinetic; urgency=medium

  * Cherry-pick more upstream memory patches (LP: #2004643)
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Julian Andres Klode <email address hidden>  Mon, 20 Feb 2023 17:29:00 +0100

Available diffs

• diff from 2.06-2ubuntu14 (in ~ubuntu-security-embargoed-shared/ubuntu/grub2) to 2.06-2ubuntu14.2 (31.1 KiB)
• diff from 2.06-2ubuntu14.1 to 2.06-2ubuntu14.2 (3.6 KiB)

grub2-unsigned (2.06-2ubuntu17) lunar; urgency=medium

  * Cherry-pick more upstream memory patches (LP: #2004643)
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Julian Andres Klode <email address hidden>  Mon, 20 Feb 2023 17:24:10 +0100

Available diffs

• diff from 2.06-2ubuntu16 (in Ubuntu) to 2.06-2ubuntu17 (3.6 KiB)

grub2-unsigned (2.06-2ubuntu14.1) kinetic; urgency=medium

  * Cherry-pick all memory patches from rhboot
    - Allocate initrd > 4 GB (LP: #1842320)
    - Allocate kernels as code, not data (needed for newer firmware)
  * ubuntu: Fix casts on i386-efi target
  * Cherry-pick all the 2.12 memory management changes (LP: #1842320)
  * Allocate executables as CODE, not DATA in chainloader and arm64
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Julian Andres Klode <email address hidden>  Mon, 30 Jan 2023 11:51:57 +0100

Available diffs

• diff from 2.04-1ubuntu47.4 (in ~ubuntu-security-embargoed-shared/ubuntu/grub2) to 2.06-2ubuntu14.1 (2.4 MiB)
• diff from 2.06-2ubuntu10 (in ~ubuntu-security-embargoed-shared/ubuntu/grub2) to 2.06-2ubuntu14.1 (55.2 KiB)
• diff from 2.06-2ubuntu14 (in ~ubuntu-security-embargoed-shared/ubuntu/grub2) to 2.06-2ubuntu14.1 (28.6 KiB)

grub2-unsigned (2.06-2ubuntu16) lunar; urgency=medium

  * Cherry-pick all memory patches from rhboot
    - Allocate initrd > 4 GB (LP: #1842320)
    - Allocate kernels as code, not data (needed for newer firmware)
  * ubuntu: Fix casts on i386-efi target
  * Cherry-pick all the 2.12 memory management changes (LP: #1842320)
  * Allocate executables as CODE, not DATA in chainloader and arm64
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Julian Andres Klode <email address hidden>  Fri, 09 Dec 2022 17:11:44 +0100

Available diffs

• diff from 2.06-2ubuntu16~ppa2 (in ~ubuntu-uefi-team/ubuntu/ppa) to 2.06-2ubuntu16 (450 bytes)
• diff from 2.06-2ubuntu15 to 2.06-2ubuntu16 (28.6 KiB)

grub2-unsigned (2.06-2ubuntu15) lunar; urgency=medium

  * grub-multi-install: Reset partition type between partitions (LP: #1997795)
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

Available diffs

• diff from 2.06-2ubuntu13 to 2.06-2ubuntu15 (16.4 KiB)

grub2-unsigned (2.04-1ubuntu47.5) focal; urgency=medium

  [ Chris Coulson ]
  * SECURITY UPDATE: Fix out of bounds writes due specially crafted fonts.
    - add debian/patches/font-Fix-several-integer-overflows-in-grub_font_construct.patch
    - add debian/patches/font-Fix-an-integer-underflow-in-blit_comb.patch
    - CVE-2022-2601, CVE-2022-3775
    - LP: #1996950
  * Fix various issues as a result of fuzzing, static analysis and code
    review:
    - add debian/patches/font-Reject-glyphs-exceeds-font-max_glyph_width-or-font-m.patch
    - add debian/patches/font-Fix-size-overflow-in-grub_font_get_glyph_internal.patch
    - add debian/patchces/font-Remove-grub_font_dup_glyph.patch
    - add debian/patches/font-Fix-integer-overflow-in-ensure_comb_space.patch
    - add debian/patches/font-Fix-integer-overflow-in-BMP-index.patch
    - add debian/patches/font-Fix-integer-underflow-in-binary-search-of-char-index.patch
    - add debian/patches/fbutil-Fix-integer-overflow.patch
    - add debian/patches/font-Harden-grub_font_blit_glyph-and-grub_font_blit_glyph.patch
    - add debian/patches/font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
    - add debian/patches/normal-charset-Fix-an-integer-overflow-in-grub_unicode_ag.patch
  * Forbid loading of external fonts when secure boot is enabled:
    - add debian/patches/font-Forbid-loading-of-font-files-when-secure-boot-is-ena.patch
  * Bundle unicode.pf2 in a squashfs memdisk attached to the signed EFI binary
    - update debian/control
    - update debian/build-efi-image
    - add debian/patches/font-Try-opening-fonts-from-the-bundled-memdisk.patch
  * Fix the squashfs tests during the build
    - remove debian/patches/ubuntu-fix-reproducible-squashfs-test.patch
    - add debian/patches/tests-Explicitly-unset-SOURCE_DATE_EPOCH-before-running-f.patch
  * Bump SBAT generation:
    - update debian/sbat.ubuntu.csv.in
  * Make grub-efi-{amd64,arm64} depend on grub2-common 2.02~beta2-36ubuntu3.33
    in xenial and 2.02-2ubuntu8.25 in bionic to fix LP: #1995751 (thanks
    Julian Klode for the base-files hack to make a single binary be able to
    depend on 2 different versions of the same package)

  [ dann frazier ]
  * linuxefi: Invalidate i-cache before starting the kernel (LP: #1987924)
    - d/p/linuxefi-Invalidate-i-cache-before-starting-the-kern.patch

  [ Chris Coulson ]
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Chris Coulson <email address hidden>  Thu, 17 Nov 2022 13:27:15 +0000

Available diffs

• diff from 2.04-1ubuntu47.4 to 2.04-1ubuntu47.5 (14.3 KiB)
• diff from 2.04-1ubuntu47.5~ppa4 to 2.04-1ubuntu47.5 (1.2 KiB)

grub2-unsigned (2.06-2ubuntu14) kinetic; urgency=medium

  * SECURITY UPDATE: Fix out of bounds writes due specially crafted fonts.
    - add debian/patches/font-Fix-several-integer-overflows-in-grub_font_construct.patch
    - add debian/patches/font-Fix-an-integer-underflow-in-blit_comb.patch
    - CVE-2022-2601, CVE-2022-3775
    - LP: #1996950
  * Fix various issues as a result of fuzzing, static analysis and code
    review:
    - add debian/patches/font-Reject-glyphs-exceeds-font-max_glyph_width-or-font-m.patch
    - add debian/patches/font-Fix-size-overflow-in-grub_font_get_glyph_internal.patch
    - add debian/patchces/font-Remove-grub_font_dup_glyph.patch
    - add debian/patches/font-Fix-integer-overflow-in-ensure_comb_space.patch
    - add debian/patches/font-Fix-integer-overflow-in-BMP-index.patch
    - add debian/patches/font-Fix-integer-underflow-in-binary-search-of-char-index.patch
    - add debian/patches/fbutil-Fix-integer-overflow.patch
    - add debian/patches/font-Harden-grub_font_blit_glyph-and-grub_font_blit_glyph.patch
    - add debian/patches/font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
    - add debian/patches/normal-charset-Fix-an-integer-overflow-in-grub_unicode_ag.patch
  * Enforce verification of fonts when secure boot is enabled:
    - add debian/patches/kern-efi-sb-Enforce-verification-of-font-files.patch
  * Bundle unicode.pf2 in a squashfs memdisk attached to the signed EFI binary
    - update debian/control
    - update debian/build-efi-image
    - add debian/patches/font-Try-opening-fonts-from-the-bundled-memdisk.patch
  * Fix LP: #1997006 - add support for performing measurements to RTMRs
    - add debian/patches/commands-efi-tpm-Refine-the-status-of-log-event.patch
    - add debian/patches/commands-efi-tpm-Use-grub_strcpy-instead-of-grub_memcpy.patch
    - add debian/patches/efi-tpm-Add-EFI_CC_MEASUREMENT_PROTOCOL-support.patch
  * Fix the squashfs tests during the build
    - remove debian/patches/ubuntu-fix-reproducible-squashfs-test.patch
    - add debian/patches/tests-Explicitly-unset-SOURCE_DATE_EPOCH-before-running-f.patch
  * Bump SBAT generation:
    - update debian/sbat.ubuntu.csv.in
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Chris Coulson <email address hidden>  Wed, 16 Nov 2022 14:40:42 +0000

Available diffs

• diff from 2.04-1ubuntu44.2 (in Ubuntu) to 2.06-2ubuntu14 (2.4 MiB)
• diff from 2.04-1ubuntu47.4 to 2.06-2ubuntu14 (2.4 MiB)
• diff from 2.04-1ubuntu47.5 to 2.06-2ubuntu14 (2.4 MiB)
• diff from 2.06-2ubuntu13 (in Ubuntu) to 2.06-2ubuntu14 (16.1 KiB)
• diff from 2.06-2ubuntu5~uefi16 (in ~ubuntu-uefi-team/ubuntu/ppa) to 2.06-2ubuntu14 (pending)
• diff from 2.06-2ubuntu10 to 2.06-2ubuntu14 (27.5 KiB)
• diff from 2.06-2ubuntu14~ppa4 to 2.06-2ubuntu14 (741 bytes)

grub2-unsigned (2.06-2ubuntu13) kinetic; urgency=medium

  * Try to pick better locations for kernel and initrd (LP: #1989446)
  * x86-efi: Use bounce buffers for reading to addresses > 4GB (enhances
    firmware compatibility of previous change)
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Julian Andres Klode <email address hidden>  Thu, 20 Oct 2022 21:18:25 +0200

Available diffs

• diff from 2.06-2ubuntu12 to 2.06-2ubuntu13 (3.9 KiB)

grub2-unsigned (2.06-2ubuntu12) kinetic; urgency=medium

  * ubuntu-zfs-enhance-support.patch: Fix missing lines (LP: #1990143)
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Julian Andres Klode <email address hidden>  Mon, 19 Sep 2022 16:00:47 +0200

Available diffs

• diff from 2.06-2ubuntu10 (in ~ubuntu-security-embargoed-shared/ubuntu/grub2) to 2.06-2ubuntu12 (8.9 KiB)
• diff from 2.06-2ubuntu11 to 2.06-2ubuntu12 (1.9 KiB)

grub2-unsigned (2.06-2ubuntu11) kinetic; urgency=medium

  [ Mauricio Faria de Oliveira ]
  * linux_xen: Properly handle multiple initrd files (LP: #1987567)
    - d/p/linux_xen-Properly-load-multiple-initrd-files.patch
    - d/p/linux_xen-Properly-order-multiple-initrd-files.patch
  * Fix for ZFS snapshots without etc directory.
    Thanks to Adam R Bell <email address hidden> (LP: #1965983)

  [ Heinrich Schuchardt ]
  * efi/peimage: fix typos in code comments

  [ dann frazier ]
  * linuxefi: Invalidate i-cache before starting the kernel (LP: #1987924)
    - d/p/linuxefi-Invalidate-i-cache-before-starting-the-kern.patch
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- dann frazier <email address hidden>  Wed, 14 Sep 2022 12:35:29 -0600

Available diffs

• diff from 2.06-2ubuntu10 (in ~ubuntu-security-embargoed-shared/ubuntu/grub2) to 2.06-2ubuntu11 (8.8 KiB)

grub2-unsigned (2.04-1ubuntu47.4) impish; urgency=medium

  [ Chris Coulson ]
  * SECURITY UPDATE: Crafted PNG grayscale images may lead to out-of-bounds
    write in heap.
    - 0248-video-readers-png-Drop-greyscale-support-to-fix-heap.patch:
      video/readers/png: Drop greyscale support to fix heap out-of-bounds write
    - CVE-2021-3695
  * SECURITY UPDATE: Crafted PNG image may lead to out-of-bound write during
    huffman table handling.
    - 0249-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch:
      video/readers/png: Avoid heap OOB R/W inserting huff table items
    - CVE-2021-3696
  * SECURITY UPDATE: Crafted JPEG image can lead to buffer underflow write in
    the heap.
    - 0254-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch:
      video/readers/jpeg: Block int underflow -> wild pointer write
    - CVE-2021-3697
  * SECURITY UPDATE: Integer underflow in grub_net_recv_ip4_packets
    - 0257-net-ip-Do-IP-fragment-maths-safely.patch: net/ip: Do IP fragment
      maths safely
    - CVE-2022-28733
  * SECURITY UPDATE: Out-of-bounds write when handling split HTTP headers
    - 0263-net-http-Fix-OOB-write-for-split-http-headers.patch: net/http: Fix
      OOB write for split http headers
    - CVE-2022-28734
  * SECURITY UPDATE: use-after-free in grub_cmd_chainloader()
    - 0240-loader-efi-chainloader-simplify-the-loader-state.patch:
      loader/efi/chainloader: simplify the loader state
    - 0241-commands-boot-Add-API-to-pass-context-to-loader.patch: commands/boot:
      Add API to pass context to loader
    - 0242-loader-efi-chainloader-Use-grub_loader_set_ex.patch:
      loader/efi/chainloader: Use grub_loader_set_ex
    - 0243-loader-i386-efi-linux-Use-grub_loader_set_ex.patch:
      loader/i386/efi/linux: Use grub_loader_set_ex
  * Various fixes as a result of fuzzing and static analysis:
    - 0240-misc-Format-string-for-grub_error-should-be-a-litera.patch:
      misc: Format string for grub_error() should be a literal
    - 0239-loader-efi-chainloader-grub_load_and_start_image-doe.patch:
      loader/efi/chainloader: grub_load_and_start_image doesn't load and start
    - 0244-loader-i386-efi-linux-Fix-a-memory-leak-in-the-initr.patch:
      loader/i386/efi/linux: Fix a memory leak in the initrd command
    - 0245-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch:
      kern/file: Do not leak device_name on error in grub_file_open()
    - 0246-video-readers-png-Abort-sooner-if-a-read-operation-f.patch:
      video/readers/png: Abort sooner if a read operation fails
    - 0247-video-readers-png-Refuse-to-handle-multiple-image-he.patch:
      video/readers/png: Refuse to handle multiple image headers
    - 0250-video-readers-png-Sanity-check-some-huffman-codes.patch:
      video/readers/png: Sanity check some huffman codes
    - 0251-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch:
      video/readers/jpeg: Abort sooner if a read operation fails
    - 0252-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch:
      video/readers/jpeg: Do not reallocate a given huff table
    - 0253-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch:
      video/readers/jpeg: Refuse to handle multiple start of streams
    - 0255-normal-charset-Fix-array-out-of-bounds-formatting-un.patch:
      normal/charset: Fix array out-of-bounds formatting unicode for display
    - 0256-net-netbuff-Block-overly-large-netbuff-allocs.patch:
      net/netbuff: Block overly large netbuff allocs
    - 0258-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch:
      net/dns: Fix double-free addresses on corrupt DNS response
    - 0259-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch:
      net/dns: Don't read past the end of the string we're checking against
    - 0260-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch:
      net/tftp: Prevent a UAF and double-free from a failed seek
    - 0261-net-tftp-Avoid-a-trivial-UAF.patch: net/tftp: Avoid a trivial UAF
    - 0262-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch:
      net/http: Do not tear down socket if it's already been torn down
    - 0264-net-http-Error-out-on-headers-with-LF-without-CR.patch:
      net/http: Error out on headers with LF without CR
    - 0265-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch:
      fs/f2fs: Do not read past the end of nat journal entries
    - 0266-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch:
      fs/f2fs: Do not read past the end of nat bitmap
    - 0267-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch:
      fs/f2fs: Do not copy file names that are too long
    - 0268-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch:
      fs/btrfs: Fix several fuzz issues with invalid dir item sizing
    - 0269-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch:
      fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing
    - 0270-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch:
      fs/btrfs: Fix more fuzz issues related to chunks
  * Bump SBAT generation:
    - update debian/sbat.csv.in
  * Make the grub2/no_efi_extra_removable setting work correctly
    - update debian/postinst.in
  * Build grub2-unsigned packages with xz compression for compatibility
    with xenial dpkg
    - update debian/rules

  [ Steve Langasek ]
  * Bump versioned dependency on grub2-common to 2.02~beta2-36ubuntu3.32 for
    necessary arm relocation support.  LP: #1926748.
  * debian/postinst.in: Unconditionally call grub-install with
    --force-extra-removable on xenial and bionic, so that the \EFI\BOOT
    removable path as used in cloud images receives the updates.  LP: #1930742.

  [ Chris Coulson ]
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Chris Coulson <email address hidden>  Tue, 07 Jun 2022 17:36:27 +0100

Available diffs

• diff from 2.04-1ubuntu44.1.2 (in Ubuntu) to 2.04-1ubuntu47.4 (109.4 KiB)
• diff from 2.04-1ubuntu44.2 (in Ubuntu) to 2.04-1ubuntu47.4 (109.5 KiB)
• diff from 2.04-1ubuntu47.3 to 2.04-1ubuntu47.4 (829 bytes)

grub2-unsigned (2.06-2ubuntu10) jammy; urgency=medium

  [ Chris Coulson ]
  * SECURITY UPDATE: Crafted PNG grayscale images may lead to out-of-bounds
    write in heap.
    - 0139-video-readers-png-Drop-greyscale-support-to-fix-heap.patch:
      video/readers/png: Drop greyscale support to fix heap out-of-bounds write
    - CVE-2021-3695
  * SECURITY UPDATE: Crafted PNG image may lead to out-of-bound write during
    huffman table handling.
    - 0140-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch:
      video/readers/png: Avoid heap OOB R/W inserting huff table items
    - CVE-2021-3696
  * SECURITY UPDATE: Crafted JPEG image can lead to buffer underflow write in
    the heap.
    - 0145-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch:
      video/readers/jpeg: Block int underflow -> wild pointer write
    - CVE-2021-3697
  * SECURITY UPDATE: Integer underflow in grub_net_recv_ip4_packets
    - 0148-net-ip-Do-IP-fragment-maths-safely.patch: net/ip: Do IP fragment
      maths safely
    - CVE-2022-28733
  * SECURITY UPDATE: Out-of-bounds write when handling split HTTP headers
    - 0154-net-http-Fix-OOB-write-for-split-http-headers.patch: net/http: Fix
      OOB write for split http headers
    - CVE-2022-28734
  * SECURITY UPDATE: shim_lock verifier allows non-kernel files to be loaded
    - 0135-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch:
      kern/efi/sb: Reject non-kernel files in the shim_lock verifier
    - CVE-2022-28735
  * SECURITY UPDATE: use-after-free in grub_cmd_chainloader()
    - 0130-loader-efi-chainloader-simplify-the-loader-state.patch:
      loader/efi/chainloader: simplify the loader state
    - 0131-commands-boot-Add-API-to-pass-context-to-loader.patch: commands/boot:
      Add API to pass context to loader
    - 0132-loader-efi-chainloader-Use-grub_loader_set_ex.patch:
      loader/efi/chainloader: Use grub_loader_set_ex
    - 0133-loader-i386-efi-linux-Use-grub_loader_set_ex.patch:
      loader/i386/efi/linux: Use grub_loader_set_ex
  * Various fixes as a result of fuzzing and static analysis:
    - 0129-loader-efi-chainloader-grub_load_and_start_image-doe.patch:
      loader/efi/chainloader: grub_load_and_start_image doesn't load and start
    - 0134-loader-i386-efi-linux-Fix-a-memory-leak-in-the-initr.patch:
      loader/i386/efi/linux: Fix a memory leak in the initrd command
    - 0136-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch:
      kern/file: Do not leak device_name on error in grub_file_open()
    - 0137-video-readers-png-Abort-sooner-if-a-read-operation-f.patch:
      video/readers/png: Abort sooner if a read operation fails
    - 0138-video-readers-png-Refuse-to-handle-multiple-image-he.patch:
      video/readers/png: Refuse to handle multiple image headers
    - 0141-video-readers-png-Sanity-check-some-huffman-codes.patch:
      video/readers/png: Sanity check some huffman codes
    - 0142-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch:
      video/readers/jpeg: Abort sooner if a read operation fails
    - 0143-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch:
      video/readers/jpeg: Do not reallocate a given huff table
    - 0144-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch:
      video/readers/jpeg: Refuse to handle multiple start of streams
    - 0146-normal-charset-Fix-array-out-of-bounds-formatting-un.patch:
      normal/charset: Fix array out-of-bounds formatting unicode for display
    - 0147-net-netbuff-Block-overly-large-netbuff-allocs.patch:
      net/netbuff: Block overly large netbuff allocs
    - 0149-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch:
      net/dns: Fix double-free addresses on corrupt DNS response
    - 0150-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch:
      net/dns: Don't read past the end of the string we're checking against
    - 0151-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch:
      net/tftp: Prevent a UAF and double-free from a failed seek
    - 0152-net-tftp-Avoid-a-trivial-UAF.patch: net/tftp: Avoid a trivial UAF
    - 0153-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch:
      net/http: Do not tear down socket if it's already been torn down
    - 0155-net-http-Error-out-on-headers-with-LF-without-CR.patch:
      net/http: Error out on headers with LF without CR
    - 0156-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch:
      fs/f2fs: Do not read past the end of nat journal entries
    - 0157-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch:
      fs/f2fs: Do not read past the end of nat bitmap
    - 0158-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch:
      fs/f2fs: Do not copy file names that are too long
    - 0159-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch:
      fs/btrfs: Fix several fuzz issues with invalid dir item sizing
    - 0160-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch:
      fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing
    - 0161-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch:
      fs/btrfs: Fix more fuzz issues related to chunks
  * Bump SBAT generation:
    - update debian/sbat.ubuntu.csv.in
  * Make the grub2/no_efi_extra_removable setting work correctly
    - update debian/postinst.in
  * Build grub2-unsigned packages with xz compression for compatibility
    with xenial dpkg
    - update debian/rules

  [ Steve Langasek ]
  * Bump versioned dependency on grub2-common to 2.02~beta2-36ubuntu3.32 for
    necessary arm relocation support.  LP: #1926748.
  * debian/postinst.in: Unconditionally call grub-install with
    --force-extra-removable on xenial and bionic, so that the \EFI\BOOT
    removable path as used in cloud images receives the updates.  LP: #1930742.

 -- Chris Coulson <email address hidden>  Tue, 07 Jun 2022 17:36:27 +0100

Available diffs

• diff from 2.06-2ubuntu7 (in Ubuntu) to 2.06-2ubuntu10 (30.3 KiB)
• diff from 2.06-2ubuntu9 to 2.06-2ubuntu10 (837 bytes)

grub2-unsigned (2.06-2ubuntu7) jammy; urgency=medium

  [ Heinrich Schuchardt ]
  * Disable LOAD FILE2 protocol for initrd on ARM (LP: #1967562)

  [ dann frazier ]
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- dann frazier <email address hidden>  Fri, 15 Apr 2022 15:50:11 -0600

Available diffs

• diff from 2.06-2ubuntu6 to 2.06-2ubuntu7 (1.4 KiB)

grub2-unsigned (2.06-2ubuntu6) jammy; urgency=medium

  [ Heinrich Schuchardt ]
  * efivar: check that efivarfs is writeable (LP: #1965288)

  [ Dimitri John Ledkov ]
  * Do not validate kernels twice. (LP: #1964943)

  [ Heinrich Schuchardt ]
  * efi: EFI Device Tree Fixup Protocol (LP: #1965796)
  * fdt: add debug output to devicetree command

  [ Julian Andres Klode ]
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Julian Andres Klode <email address hidden>  Fri, 25 Mar 2022 16:03:11 +0100

Available diffs

• diff from 2.06-2ubuntu4 to 2.06-2ubuntu6 (39.7 KiB)
• diff from 2.06-2ubuntu5 to 2.06-2ubuntu6 (5.8 KiB)

grub2-unsigned (2.06-2ubuntu5) jammy; urgency=medium

  [ Julian Andres Klode ]
  * Free correct size when freeing params, rather than 16 Ki (LP: #1958623)
  * Build with FUSE3 (LP: #1935659)
  * Only run os-prober on first run and if it previously found other OS
    (LP: #1955109)

  [ Heinrich Schuchardt ]
  * Rename grub-core/loader/efi/linux.c
  * Add patches for GRUB on RISC-V
  * fat: fix listing the root directory
  * Enable building for RISC-V (LP: #1876620)

  [ Julian Andres Klode ]
  * Re-enable peimage code on other archs outside secure boot; this
    fixes LP: #1947046 when not booting in secure boot mode (secure
    boot pending security review of the code)
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Julian Andres Klode <email address hidden>  Fri, 18 Feb 2022 17:21:16 +0100

Available diffs

• diff from 2.06-2ubuntu4 to 2.06-2ubuntu5 (35.2 KiB)

grub2-unsigned (2.06-2ubuntu4) jammy; urgency=medium

  * UBUNTU: Move verifiers after decompressors (LP: #1954683)
  * grub-check-signatures: Support gzip compressed kernels (LP: #1954683)
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Julian Andres Klode <email address hidden>  Mon, 10 Jan 2022 14:52:04 +0100

Available diffs

• diff from 2.06-2ubuntu3 to 2.06-2ubuntu4 (1.9 KiB)

grub2-unsigned (2.06-2ubuntu3) jammy; urgency=medium

  * Cherry-pick the missing hunk back that changes parameter loading
    in grub-core/loader/i386/linux.c, this should fix booting on
    BIOS systems.
  * Fix the fallback for kernel addresses on amd64 EFI, if the kernel
    could not be allocated at the preferred address, reset errno such
    that if the 2nd allocation succeeds, we do not fail erroneously.
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Julian Andres Klode <email address hidden>  Mon, 13 Dec 2021 14:27:53 +0100

Available diffs

• diff from 2.04-1ubuntu48 to 2.06-2ubuntu3 (2.3 MiB)
• diff from 2.06-2ubuntu2 to 2.06-2ubuntu3 (3.1 KiB)

grub2-unsigned (2.06-2ubuntu2) jammy; urgency=medium

  * Restore still relevant patches lost in rebase.
    They got lost in a first rebase, when we did not include
    ubuntu-linuxefi.patch as they modify code in there.
    - no-devicetree-if-secure-boot.patch
    - 0077-ubuntu-Update-the-linux-boot-protocol-version-check.patch
    - 0096-linuxefi-fail-kernel-validation-without-shim-protoco.patch
    - 0099-chainloader-Avoid-a-double-free-when-validation-fail.patch
    - 0105-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Julian Andres Klode <email address hidden>  Wed, 08 Dec 2021 17:14:50 +0100

Available diffs

• diff from 2.06-2ubuntu1 to 2.06-2ubuntu2 (3.4 KiB)

grub2-unsigned (2.06-2ubuntu1) jammy; urgency=medium

  * Merge from Debian unstable; remaining changes:
    - Build without lto
    - Add Ubuntu sbat data
    - Make prebuilt netboot image look for MAAS grub.cfg
    - build-efi-images: add smbios module to the prebuilt signed EFI images
      (LP: 1856424)
    - build-efi-images: do not produce -installer.efi.signed. LP: 1863994
    - build-efi-images: Add http to netboot images
    - grub-common: Install canonical-uefi-ca.crt
    - Check signatures
    - minilzo: built using the distribution's minilzo
    - Support installing to multiple ESP (LP: 1871821)
    - Disable various bits on i386
    - Split out unsigned artefacts into grub2-unsigned
    - Vcs-Git: Point to ubuntu packaging branch
    - Relax dependencies on grub-common and grub2-common
    - grub-pc: Avoid the possibility of breaking grub on SRU update due
      to ABI change
    - UBUNTU: Default timeout changes
    - Disable os-prober for ppc64el on the PowerNV platform (for Petitboot)
    - dirs.in: create var/lib/grub/ucf in grub-efi-amd64 (and similar)
    - Link grub-efi-{amd64,arm64}-bin docs directory
    - grub-common.service: port init.d script to systemd unit. Add warning
      message, when initrdless boot fails triggering fallback. LP: 1901553
    - Removed patches:
      - grub-install-extra-removable.patch
      - grub-install-removable-shim.patch
    - Added patches:
      + ubuntu-grub-install-extra-removable.patch
      + ubuntu-zfs-enhance-support.patch
      + ubuntu-zfs-gfxpayload-keep-default.patch
      + ubuntu-zfs-mkconfig-ubuntu-distributor.patch
      + ubuntu-zfs-mkconfig-signed-kernel.patch
      + ubuntu-zfs-maybe-quiet.patch
      + ubuntu-zfs-quick-boot.patch
      + ubuntu-zfs-gfxpayload-dynamic.patch
      + ubuntu-zfs-vt-handoff.patch
      + ubuntu-zfs-mkconfig-recovery-title.patch
      + ubuntu-zfs-insmod-xzio-and-lzopio-on-xen.patch
      + ubuntu-support-initrd-less-boot.patch
      + ubuntu-shorter-version-info.patch
      + ubuntu-add-initrd-less-boot-fallback.patch
      + ubuntu-mkconfig-leave-breadcrumbs.patch
      + ubuntu-fix-lzma-decompressor-objcopy.patch
      + ubuntu-temp-keep-auto-nvram.patch
      + ubuntu-add-devicetree-command-support.patch
      + ubuntu-boot-from-multipath-dependent-symlink.patch
      + ubuntu-skip-disk-by-id-lvm-pvm-uuid-entries.patch
      + ubuntu-efi-allow-loopmount-chainload.patch
      + 0076-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch
      + ubuntu-resilient-boot-ignore-alternative-esps.patch
      + ubuntu-resilient-boot-boot-order.patch
      + ubuntu-speed-zsys-history.patch
      + ubuntu-flavour-order.patch
      + ubuntu-dont-verify-loopback-images.patch
      + ubuntu-recovery-dis_ucode_ldr.patch
      + ubuntu-linuxefi-arm64.patch
      + ubuntu-add-initrd-less-boot-messages.patch
      + ubuntu-fix-reproducible-squashfs-test.patch
      + rhboot-f34-make-exit-take-a-return-code.patch
      + rhboot-f34-dont-use-int-for-efi-status.patch
      + rhboot-f34-make-pmtimer-tsc-calibration-fast.patch
      + suse-add-support-for-UEFI-network-protocols.patch
      + suse-AUDIT-0-http-boot-tracker-bug.patch
      + rhboot-f34-efinet-also-use-the-firmware-acceleration-for-http.patch
      + 0241-Call-hwmatch-only-on-the-grub-pc-platform.patch
  * Dropped changes:
    - Remove obsolete dependencies on dh-autoreconf and automake
    - Remove explicit --with systemd in debhelper invocation
    - Remove debian/gettext-patches; they do not seem to be necessary anymore
    - Remove inadvertent change to debian/signing-template.json.in, we do not
      use that file anyway.
    - Merged upstream:
      + merged: 0074-uefi-firmware-rename-fwsetup-menuentry-to-UEFI-Firmw.patch
      + merged: 0075-smbios-Add-a-linux-argument-to-apply-linux-modalias-.patch
      + merged security patches 0081-0105, and 0128-0240
      + various cherry picks: cherry-* and cherrypick-*.patch
      + grub-install-backup-and-restore.patch
      + uefi-firmware-setup.patch
      + sleep-shift.patch
      + vsnprintf-upper-case-hex.patch
      + rhboot-f34-update-info-with-grub.cfg-netboot-selection-order.patch
      + suse-search-for-specific-config-files-for-netboot.patch
      + tftp-rollover-block-counter.patch
      + ubuntu-efi-console-set-text-mode-as-needed.patch
    - Merged in Debian:
      + install-efi-ubuntu-flavours.patch
      + ubuntu-dejavu-font-path.patch
      + ubuntu-tpm-unknown-error-non-fatal.patch
    - Not applicable:
      + 0077-ubuntu-Update-the-linux-boot-protocol-version-check.patch: The
        check has been removed.
  * Fix zstd build on s390x
  * Cherry-pick two upstream fixes to fix closing of SNP protocol in EFI
    networking stack
  * Build with -O1 on s390x to avoid build failure due to gcc optimization
    failure causing it to wrongly assume variables as uninitialized.
  * Revert integration of jfs and f2fs modules into signed images, we do not
    support these file systems on /boot.
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Julian Andres Klode <email address hidden>  Tue, 07 Dec 2021 13:40:32 +0100

Available diffs

• diff from 2.04-1ubuntu48 to 2.06-2ubuntu1 (2.3 MiB)

grub2-unsigned (2.04-1ubuntu48) jammy; urgency=medium

  [ Mauricio Faria de Oliveira ]
  * d/p/0241-Call-hwmatch-only-on-the-grub-pc-platform.patch:
    Fix "error: can't find command `hwmatch'." on non-i386/pc
    platforms such as x86_64/efi. (LP: #1840560)

  [ Julian Andres Klode ]
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Mauricio Faria de Oliveira <email address hidden>  Thu, 04 Nov 2021 10:48:06 -0300

Available diffs

• diff from 2.04-1ubuntu47 to 2.04-1ubuntu48 (1.2 KiB)

grub2-unsigned (2.04-1ubuntu47) impish; urgency=medium

  * Drop grub.cfg-400.patch (LP: #1933826)
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Julian Andres Klode <email address hidden>  Thu, 02 Sep 2021 14:37:43 +0200

Available diffs

• diff from 2.04-1ubuntu46 to 2.04-1ubuntu47 (1.7 KiB)

grub2-unsigned (2.04-1ubuntu46) impish; urgency=medium

  * debian/grub-common.service: change type to oneshot, add wantedby
    sleep.target, after sleep.target. The service will now start after
    resume from hybernation. LP: #1929860
  * grub-initrd-fallback.service: add wantedby sleep.target, after
    sleep.target. The service will now start after resume from
    hybernation. LP: #1929860
  * cherrypick upstream fix to make armhf efi boot work. LP: #1788940
  * debian/rules: disable LTO. LP: #1922005
  * grub-initrd-fallback.service, debian/grub-common.service: only start
    units when booted with grub. Use presence of /boot/grub/grub.cfg as
    proxy. LP: #1925507
  * tests: patch qemu command to use ide-hd instead of the removed
    ide-drive.
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Dimitri John Ledkov <email address hidden>  Fri, 16 Jul 2021 14:01:31 +0100

Available diffs

• diff from 2.04-1ubuntu45 to 2.04-1ubuntu46 (2.8 KiB)

grub2-unsigned (2.04-1ubuntu44.1.2) bionic; urgency=medium

  * Bump versioned dependency on grub2-common to 2.02~beta2-36ubuntu3.32 for
    necessary arm relocation support.  LP: #1926748.

Available diffs

• diff from 2.04-1ubuntu44.1 to 2.04-1ubuntu44.1.2 (951 bytes)
• diff from 2.04-1ubuntu44.1.1 to 2.04-1ubuntu44.1.2 (677 bytes)

grub2-unsigned (2.04-1ubuntu44.1.1) bionic; urgency=medium

  * debian/postinst.in: Unconditionally call grub-install with
    --force-extra-removable, so that the \EFI\BOOT removable path as used in
    cloud images receives the updates.  LP: #1930742.

 -- Steve Langasek <email address hidden>  Thu, 03 Jun 2021 14:29:07 -0700

Available diffs

• diff from 2.04-1ubuntu44.1 to 2.04-1ubuntu44.1.1 (616 bytes)

grub2-unsigned (2.04-1ubuntu44.2) focal; urgency=medium

  * No-change rebuild to ensure clean upgrade from bionic.  LP: #1928674.

 -- Steve Langasek <email address hidden>  Thu, 20 May 2021 00:51:07 +0000

Available diffs

• diff from 2.04-1ubuntu44 to 2.04-1ubuntu44.2 (382 bytes)

grub2-unsigned (2.04-1ubuntu44.1) bionic; urgency=medium

  * debian/install.in: add kernel hooks back to grub-efi-amd64 package since
    grub2-common in older releases does not include it.  LP: #1928674.

 -- Steve Langasek <email address hidden>  Wed, 19 May 2021 16:31:18 -0700

Available diffs

• diff from 2.04-1ubuntu44 to 2.04-1ubuntu44.1 (496 bytes)

grub2-unsigned (2.04-1ubuntu45) hirsute; urgency=medium

  * Unapply all patches.
  * Stop using git-dpm.
  * Start using gbp pq import|export --no-patch-numbers, this brings grub2
    packaging closer to other non-debian distributions.
  * It would be nice to separate patches into topic subdirs -
    i.e. reverts, upstream cherry picks, debian, ubuntu, rhel, security,
    etc.
  * Drop redundant dh-systemd build-dependency.
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Dimitri John Ledkov <email address hidden>  Tue, 30 Mar 2021 11:55:05 +0100

Available diffs

• diff from 2.04-1ubuntu44 to 2.04-1ubuntu45 (78.0 KiB)

grub2-unsigned (2.04-1ubuntu44) hirsute; urgency=medium

  * Compile grub-efi-amd64 installable i386 platform on hirsute, to make
    it available in bionic and earlier as part of onegrub builds.
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Dimitri John Ledkov <email address hidden>  Wed, 03 Mar 2021 11:42:28 +0000

Available diffs

• diff from 2.04-1ubuntu42 (in ~ubuntu-security-embargoed-shared/ubuntu/grub2) to 2.04-1ubuntu44 (1.7 KiB)
• diff from 2.04-1ubuntu43 to 2.04-1ubuntu44 (1.8 KiB)

grub2-unsigned (2.04-1ubuntu43) hirsute; urgency=medium

  * Build without grub-efi-amd64:i386 as that triggers publication issues
    across series.
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Dimitri John Ledkov <email address hidden>  Wed, 03 Mar 2021 11:42:28 +0000

Available diffs

• diff from 2.04-1ubuntu42 (in ~ubuntu-security-embargoed-shared/ubuntu/grub2) to 2.04-1ubuntu43 (991 bytes)

grub2-unsigned (2.04-1ubuntu42) hirsute; urgency=medium

  * SECURITY UPDATE: acpi command allows privilleged user to load crafted
    ACPI tables when secure boot is enabled.
    - 0126-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch: Don't
      register the acpi command when secure boot is enabled.
    - CVE-2020-14372
  * SECURITY UPDATE: use-after-free in rmmod command
    - 0128-dl-Only-allow-unloading-modules-that-are-not-depende.patch: Don't
      allow rmmod to unload modules that are dependencies of other modules.
    - CVE-2020-25632
  * SECURITY UPDATE: out-of-bound write in grub_usb_device_initialize()
    - 0129-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
    - CVE-2020-25647
  * SECURITY UPDATE: Stack buffer overflow in grub_parser_split_cmdline
    - 0206-kern-parser-Introduce-process_char-helper.patch,
      0207-kern-parser-Introduce-terminate_arg-helper.patch,
      0208-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch,
      0209-kern-buffer-Add-variable-sized-heap-buffer.patch,
      0210-kern-parser-Fix-a-stack-buffer-overflow.patch: Add a variable
      sized heap buffer type and use this.
    - CVE-2020-27749
  * SECURITY UPDATE: cutmem command allows privileged user to remove memory
    regions when Secure Boot is enabled.
    - 0127-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch:
      Don't register cutmem and badram commands when secure boot is enabled.
    - CVE-2020-27779
  * SECURITY UPDATE: heap out-of-bounds write in short form option parser.
    - 0173-lib-arg-Block-repeated-short-options-that-require-an.patch:
      Block repeated short options that require an argument.
    - CVE-2021-20225
  * SECURITY UPDATE: heap out-of-bound write due to mis-calculation of space
    required for quoting.
    - 0175-commands-menuentry-Fix-quoting-in-setparams_prefix.patch: Fix
      quoting in setparams_prefix()
    - CVE-2021-20233
  * Partially backport the lockdown framework to restrict certain features
    when secure boot is enabled.
  * Backport various fixes for Coverity defects.
  * Add SBAT metadata to the grub EFI binary.
    - Backport patches to support adding SBAT metadata with grub-mkimage:
      + 0212-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
      + 0213-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
      + 0214-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
      + 0215-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
      + 0216-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
      + 0217-util-mkimage-Improve-data_size-value-calculation.patch
      + 0218-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
      + 0219-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
    - Add debian/sbat.csv.in
    - Update debian/build-efi-image and debian/rules

  [ Dimitri John Ledkov & Steve Langasek LP: #1915536 ]
  * Allow grub-efi-amd64|arm64 & -bin & -dbg be built by
    src:grub2-unsigned (potentially of a higher version number).
  * Add debian/rules generate-grub2-unsigned target to quickly build
    src:grub2-unsigned for binary-copy backports.
  * postinst: allow postinst to with with or without grub-multi-install
    binary.
  * postinst: allow using various grub-install options to achieve
    --no-extra-removable.
  * postinst: only call grub-check-signatures if it exists.
  * control: relax dependency on grub2-common, as maintainer script got
    fixed up to work with grub2-common/grub-common as far back as trusty.
  * control: allow higher version depdencies from grub-efi package.
  * dirs.in: create var/lib/grub/ucf in grub-efi-amd64 (and similar) as
    postinst script uses that directory, and yet relies on grub-common to
    create/ship it, which is not true in older releases. Also make sure
    dh_installdirs runs after the .dirs files are generated.

  [ Dimitri John Ledkov ]
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Dimitri John Ledkov <email address hidden>  Tue, 23 Feb 2021 16:23:39 +0000

Available diffs

• diff from 2.04-1ubuntu42~ppa9 to 2.04-1ubuntu42 (315 bytes)