GRUB 2.06 is a pretty big change over 2.04.  I'd like to hold this in
unstable for a while longer to let things shake out before we allow it
to move to testing.

Hi Colin,

grub2 showed up in my out-of-sync tracking script output. Do you think
it's about time you could let grub2 into testing? I'm not trying to
hurry you, take your time, but I was just wondering if you forgot about
this bug.

Paul

Hold your horses.

win32-loader is blocked behind grub2 now. I'm not aware of progress with
bug #1001057 (in CC).

Paul

Control: retitle -1 grub2: CVE-2022-28735 grub2: shim_lock verifier allows non-kernel files to be loaded

CVE-2022-28735 grub2: shim_lock verifier allows non-kernel files to be
loaded
6.7/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

The GRUB2's shim_lock verifier allows non-kernel files to be loaded on
shim-powered
secure boot systems. Allowing such files to be loaded may lead to
unverified
code and modules to be loaded in GRUB2 breaking the secure boot
trust-chain.

https://lists.gnu.org/archive/html/grub-devel/2022-06/msg00035.html

That's why we wanted to keep it ouf of testing to not expose our testing
users to that.

Planning to have updates ready in the next couple days.

We believe that the bug you reported is fixed in the latest version of
grub2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1001057@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julian Andres Klode <jak@debian.org> (supplier of updated grub2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 10 Jun 2022 11:15:11 +0200
Source: grub2
Architecture: source
Version: 2.06-3
Distribution: unstable
Urgency: medium
Maintainer: GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net>
Changed-By: Julian Andres Klode <jak@debian.org>
Closes: 952815 1001057 1007706
Changes:
 grub2 (2.06-3) unstable; urgency=medium
 .
   [ Colin Watson ]
   * Update a few leftover uses of "which" to use "command -v" instead.
   * Remove some old Lintian overrides.
   * Trim trailing whitespace.
   * debian/copyright: use spaces rather than tabs to start continuation lines.
   * Add missing ${misc:Depends} to Depends for grub-efi-ia32-signed-template,
     grub-efi-amd64-signed-template, grub-efi-arm64-signed-template.
   * Bump debhelper from old 10 to 13.
   * Set upstream metadata fields: Bug-Submit (from ./configure), Repository,
     Repository-Browse.
   * Drop now-unnecessary sparc PIE workaround from debian/rules (thanks,
     John Paul Adrian Glaubitz; closes: #952815).
 .
   [ Debconf translations ]
   * [id] Indonesian (Andika Triwidada; closes: #1007706).
 .
   [ Julian Andres Klode ]
   * Add Julian Andres Klode to uploaders
   * Disable building with LTO, as used in Ubuntu and possibly other
     downstreams (maybe Debian one day), as that breaks the build.
   * SECURITY UPDATE: Crafted PNG grayscale images may lead to out-of-bounds
     write in heap.
     - 0070-video-readers-png-Drop-greyscale-support-to-fix-heap.patch:
       video/readers/png: Drop greyscale support to fix heap out-of-bounds write
     - CVE-2021-3695
   * SECURITY UPDATE: Crafted PNG image may lead to out-of-bound write during
     huffman table handling.
     - 0071-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch:
       video/readers/png: Avoid heap OOB R/W inserting huff table items
     - CVE-2021-3696
   * SECURITY UPDATE: Crafted JPEG image can lead to buffer underflow write in
     the heap.
     - 0076-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch:
       video/readers/jpeg: Block int underflow -> wild pointer write
     - CVE-2021-3697
   * SECURITY UPDATE: Integer underflow in grub_net_recv_ip4_packets
     - 0079-net-ip-Do-IP-fragment-maths-safely.patch: net/ip: Do IP fragment
       maths safely
     - CVE-2022-28733
   * SECURITY UPDATE: Out-of-bounds write when handling split HTTP headers
     - 0085-net-http-Fix-OOB-write-for-split-http-headers.patch: net/http: Fix
       OOB write for split http headers
     - CVE-2022-28734
   * SECURITY UPDATE: shim_lock verifier allows non-kernel files to be loaded
     - 0066-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch:
       kern/efi/sb: Reject non-kernel files in the shim_lock verifier
     - CVE-2022-28735
     - Closes: #1001057
   * SECURITY UPDATE: use-after-free in grub_cmd_chainloader()
     - 0063-loader-efi-chainloader-Simplify-the-loader-state.patch:
       loader/efi/chainloader: simplify the loader state
     - 0064-commands-boot-Add-API-to-pass-context-to-loader.patch: commands/boot:
       Add API to pass context to loader
     - 0065-loader-efi-chainloader-Use-grub_loader_set_ex.patch:
       loader/efi/chainloader: Use grub_loader_set_ex
     - 0066-loader-i386-efi-linux-Use-grub_loader_set_ex.patch:
       loader/i386/efi/linux: Use grub_loader_set_ex
   * Various fixes as a result of fuzzing and static analysis:
     - 0067-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch:
       kern/file: Do not leak device_name on error in grub_file_open()
     - 0068-video-readers-png-Abort-sooner-if-a-read-operation-f.patch:
       video/readers/png: Abort sooner if a read operation fails
     - 0069-video-readers-png-Refuse-to-handle-multiple-image-he.patch:
       video/readers/png: Refuse to handle multiple image headers
     - 0072-video-readers-png-Sanity-check-some-huffman-codes.patch:
       video/readers/png: Sanity check some huffman codes
     - 0073-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch:
       video/readers/jpeg: Abort sooner if a read operation fails
     - 0074-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch:
       video/readers/jpeg: Do not reallocate a given huff table
     - 0075-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch:
       video/readers/jpeg: Refuse to handle multiple start of streams
     - 0077-normal-charset-Fix-array-out-of-bounds-formatting-un.patch:
       normal/charset: Fix array out-of-bounds formatting unicode for display
     - 0078-net-netbuff-Block-overly-large-netbuff-allocs.patch:
       net/netbuff: Block overly large netbuff allocs
     - 0080-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch:
       net/dns: Fix double-free addresses on corrupt DNS response
     - 0081-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch:
       net/dns: Don't read past the end of the string we're checking against
     - 0082-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch:
       net/tftp: Prevent a UAF and double-free from a failed seek
     - 0083-net-tftp-Avoid-a-trivial-UAF.patch: net/tftp: Avoid a trivial UAF
     - 0084-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch:
       net/http: Do not tear down socket if it's already been torn down
     - 0086-net-http-Error-out-on-headers-with-LF-without-CR.patch:
       net/http: Error out on headers with LF without CR
     - 0087-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch:
       fs/f2fs: Do not read past the end of nat journal entries
     - 0088-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch:
       fs/f2fs: Do not read past the end of nat bitmap
     - 0089-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch:
       fs/f2fs: Do not copy file names that are too long
     - 0090-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch:
       fs/btrfs: Fix several fuzz issues with invalid dir item sizing
     - 0091-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch:
       fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing
     - 0092-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch:
       fs/btrfs: Fix more fuzz issues related to chunks
   * Bump SBAT generation:
     - update debian/sbat.debian.csv.in
Checksums-Sha1:
 2f9797dd9c2b2beaeed51cab826cd70a784b826c 7199 grub2_2.06-3.dsc
 2dde9f9e9826902f46fb0496f3a1351f9d0e0c61 1084452 grub2_2.06-3.debian.tar.xz
Checksums-Sha256:
 46b403dbe0e7f24b0ceebeccc397e88a19fd029c3bc5afdb538580bb3fae3ea1 7199 grub2_2.06-3.dsc
 a85896f67cb2ceaf67bf1bcf704223e267e4cc776e002082c27b815ec41acaf7 1084452 grub2_2.06-3.debian.tar.xz
Files:
 4d442e1bbe80e5c3d3e6987b5404470f 7199 admin optional grub2_2.06-3.dsc
 5d35e3a9cf3f4262580ebf6b62e76ef7 1084452 admin optional grub2_2.06-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----

iQJDBAEBCgAtFiEET7WIqEwt3nmnTHeHb6RY3R2wP3EFAmKjDvIPHGpha0BkZWJp
YW4ub3JnAAoJEG+kWN0dsD9xi84P/R7GKKw47HnvlhO+XX5T2JKgdY4iz4eyJ6IX
ikeyQE+If9f9Fihtys34LusTWZf05n3LJrutUPDWB/ukFSu7+2Pn9I+13e8niaEU
XAUj5X0FVNKKw9a3mTo+xHBtZglYFQBIkr2PsqK8B5nhXHP8rHC1poqX/pl+J2SP
jMxlyehjZVypJDqO/Om06+hxaHLOSfJZK+7mMgIz3KN2TcQgyK/CWwkEFlWEQuwn
RUIWVkaGZMQ2H9SIPvvhAKWzei/qC/1xtgBT/JDvQAtDbcpadiLIq3PXTYLce0Ea
VgqC24myr6iYPfVrLWNhLQ/54jHmi4RuHhwPhFzkQwR8neIFvE/7WXTLXydu2PUU
htNIkVad4xXAIKAiZcn3we0SEK1XPucBqs9IptwazGLZ4xufMFJ8f7idwUiZICcM
lSyKrKSRRbrVDI6NfvPBNxCK5s/OiwvJFvBZTgwczTUfoJpri/hRU3xcrU/hlJtS
7LwhAT4+ykaC+CoZChkliGQtlCit0jvchj1/2uRUTJ4wHIuBdjfU9GvFsXffzOZK
DbhPG+bKm9mxMx8cb2lXhg166Xe1gOuxHn3b4cQrXtt5ng5L9obaq9kbdNF9c5AY
GgMJAkTNf/0rLQB8masnwO4D6j1U9eROkItldh2Ja/W+PGobWdBBImz35EEp90j1
3f4/kqSE
=w5AF
-----END PGP SIGNATURE-----