Ubuntu
grub2-unsigned package

grub2-unsigned 2.04-1ubuntu42 source package in Ubuntu

Changelog

grub2-unsigned (2.04-1ubuntu42) hirsute; urgency=medium

  * SECURITY UPDATE: acpi command allows privilleged user to load crafted
    ACPI tables when secure boot is enabled.
    - 0126-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch: Don't
      register the acpi command when secure boot is enabled.
    - CVE-2020-14372
  * SECURITY UPDATE: use-after-free in rmmod command
    - 0128-dl-Only-allow-unloading-modules-that-are-not-depende.patch: Don't
      allow rmmod to unload modules that are dependencies of other modules.
    - CVE-2020-25632
  * SECURITY UPDATE: out-of-bound write in grub_usb_device_initialize()
    - 0129-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
    - CVE-2020-25647
  * SECURITY UPDATE: Stack buffer overflow in grub_parser_split_cmdline
    - 0206-kern-parser-Introduce-process_char-helper.patch,
      0207-kern-parser-Introduce-terminate_arg-helper.patch,
      0208-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch,
      0209-kern-buffer-Add-variable-sized-heap-buffer.patch,
      0210-kern-parser-Fix-a-stack-buffer-overflow.patch: Add a variable
      sized heap buffer type and use this.
    - CVE-2020-27749
  * SECURITY UPDATE: cutmem command allows privileged user to remove memory
    regions when Secure Boot is enabled.
    - 0127-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch:
      Don't register cutmem and badram commands when secure boot is enabled.
    - CVE-2020-27779
  * SECURITY UPDATE: heap out-of-bounds write in short form option parser.
    - 0173-lib-arg-Block-repeated-short-options-that-require-an.patch:
      Block repeated short options that require an argument.
    - CVE-2021-20225
  * SECURITY UPDATE: heap out-of-bound write due to mis-calculation of space
    required for quoting.
    - 0175-commands-menuentry-Fix-quoting-in-setparams_prefix.patch: Fix
      quoting in setparams_prefix()
    - CVE-2021-20233
  * Partially backport the lockdown framework to restrict certain features
    when secure boot is enabled.
  * Backport various fixes for Coverity defects.
  * Add SBAT metadata to the grub EFI binary.
    - Backport patches to support adding SBAT metadata with grub-mkimage:
      + 0212-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
      + 0213-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
      + 0214-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
      + 0215-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
      + 0216-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
      + 0217-util-mkimage-Improve-data_size-value-calculation.patch
      + 0218-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
      + 0219-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
    - Add debian/sbat.csv.in
    - Update debian/build-efi-image and debian/rules

  [ Dimitri John Ledkov & Steve Langasek LP: #1915536 ]
  * Allow grub-efi-amd64|arm64 & -bin & -dbg be built by
    src:grub2-unsigned (potentially of a higher version number).
  * Add debian/rules generate-grub2-unsigned target to quickly build
    src:grub2-unsigned for binary-copy backports.
  * postinst: allow postinst to with with or without grub-multi-install
    binary.
  * postinst: allow using various grub-install options to achieve
    --no-extra-removable.
  * postinst: only call grub-check-signatures if it exists.
  * control: relax dependency on grub2-common, as maintainer script got
    fixed up to work with grub2-common/grub-common as far back as trusty.
  * control: allow higher version depdencies from grub-efi package.
  * dirs.in: create var/lib/grub/ucf in grub-efi-amd64 (and similar) as
    postinst script uses that directory, and yet relies on grub-common to
    create/ship it, which is not true in older releases. Also make sure
    dh_installdirs runs after the .dirs files are generated.

  [ Dimitri John Ledkov ]
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Dimitri John Ledkov <email address hidden>  Tue, 23 Feb 2021 16:23:39 +0000

Upload details

Uploaded by:
Dimitri John Ledkov
Uploaded to:
Hirsute
Original maintainer:
Ubuntu Developers
Architectures:
any-amd64 any-arm64 i386 kopensolaris-i386
Section:
admin
Urgency:
Medium Urgency

See full publishing history Publishing

Series Pocket Published Component Section

Downloads

File Size SHA-256 Checksum
grub2-unsigned_2.04.orig.tar.xz 6.1 MiB e5292496995ad42dabe843a0192cf2a2c502e7ffcc7479398232b10a472df77d
grub2-unsigned_2.04-1ubuntu42.debian.tar.xz 1.2 MiB 691d596ef47ac0a02167d06eda36c37fc1249f388b255af1c5fdcb9f24ddf6a5
grub2-unsigned_2.04-1ubuntu42.dsc 3.6 KiB 4719f8cbddea8e88aa3a04d6d1168e3e69baa1e9481e2c48cc50adf7f526572f

View changes file

Binary packages built by this source

grub-efi-amd64: No summary available for grub-efi-amd64 in ubuntu groovy.

No description available for grub-efi-amd64 in ubuntu groovy.

grub-efi-amd64-bin: GRand Unified Bootloader, version 2 (EFI-AMD64 modules)

 GRUB is a portable, powerful bootloader. This version of GRUB is based on a
 cleaner design than its predecessors, and provides the following new features:
 .
  - Scripting in grub.cfg using BASH-like syntax.
  - Support for modern partition maps such as GPT.
  - Modular generation of grub.cfg via update-grub. Packages providing GRUB
    add-ons can plug in their own script rules and trigger updates by invoking
    update-grub.
 .
 This package contains GRUB modules that have been built for use with the
 EFI-AMD64 architecture, as used by Intel Macs (unless a BIOS interface has
 been activated). It can be installed in parallel with other flavours, but
 will not automatically install GRUB as the active boot loader nor
 automatically update grub.cfg on upgrade unless grub-efi-amd64 is also
 installed.

grub-efi-amd64-dbg: GRand Unified Bootloader, version 2 (EFI-AMD64 debug files)

 This package contains debugging files for grub-efi-amd64-bin. You only
 need these if you are trying to debug GRUB using its GDB stub.

grub-efi-arm64: GRand Unified Bootloader, version 2 (ARM64 UEFI version)

 GRUB is a portable, powerful bootloader. This version of GRUB is based on a
 cleaner design than its predecessors, and provides the following new features:
 .
  - Scripting in grub.cfg using BASH-like syntax.
  - Support for modern partition maps such as GPT.
  - Modular generation of grub.cfg via update-grub. Packages providing GRUB
    add-ons can plug in their own script rules and trigger updates by invoking
    update-grub.
 .
 This is a dependency package for a version of GRUB that has been built for
 use on ARM64 systems with UEFI. Installing this package indicates that
 this version of GRUB should be the active boot loader.

grub-efi-arm64-bin: GRand Unified Bootloader, version 2 (ARM64 UEFI modules)

 GRUB is a portable, powerful bootloader. This version of GRUB is based on a
 cleaner design than its predecessors, and provides the following new features:
 .
  - Scripting in grub.cfg using BASH-like syntax.
  - Support for modern partition maps such as GPT.
  - Modular generation of grub.cfg via update-grub. Packages providing GRUB
    add-ons can plug in their own script rules and trigger updates by invoking
    update-grub.
 .
 This package contains GRUB modules that have been built for use on ARM64
 systems with UEFI. It can be installed in parallel with other flavours,
 but will not automatically install GRUB as the active boot loader nor
 automatically update grub.cfg on upgrade unless grub-efi-arm64 is also
 installed.

grub-efi-arm64-dbg: GRand Unified Bootloader, version 2 (ARM64 UEFI debug files)

 This package contains debugging files for grub-efi-arm64-bin. You only
 need these if you are trying to debug GRUB using its GDB stub.