#952815 grub2: Please drop TARGET_CCASFLAGS from debian/rules for 2.06 release

Package: src:grub2
Source: grub2
Submitter: John Paul Adrian Glaubitz
Date: 2022-06-10 09:51:10 UTC
Severity: normal
#952815#5
Date: 2020-02-29 18:42:16 UTC
Hello!

The upcoming 2.06 release contains a fix to set -no-PIE in TARGET_CCASFLAGS [1]
such that the current workaround in debian/rules will no longer be necessary.

The following patch should be applied to debian/rules once 2.06-1 is uploaded
to the archive:
--- debian/rules.orig   2019-12-16 16:48:45.000000000 +0100
+++ debian/rules        2020-02-29 19:40:17.759252139 +0100
@@ -23,10 +23,6 @@
 export TARGET_CPPFLAGS := -Wno-unused-but-set-variable
 export TARGET_LDFLAGS := -no-pie
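Review bot: the hunk as quoted is incomplete. The header `@@ -23,10 +23,6 @@` says four lines are removed, but no `-` lines appear in the message, only the two context lines `export TARGET_CPPFLAGS := -Wno-unused-but-set-variable` and `export TARGET_LDFLAGS := -no-pie`, so the TARGET_CCASFLAGS removal itself cannot be reviewed here; please re-send with the deleted lines intact or point at a git commit. Worth confirming at the same time that the `-no-pie` in TARGET_LDFLAGS is meant to stay, since the message says the upstream 2.06 change only moves -no-PIE into TARGET_CCASFLAGS, and the retained context line is consistent with that.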
-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaubitz@debian.org
`. `'   Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
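The workaround discussed above forces non-PIE code generation for the sparc64 build, and the reporter's verification was that the result still builds and boots once it is gone. As an added example (not part of this bug report, the grub2 packaging, or upstream GRUB), here is a POSIX shell check a packager can run against an ELF object from the build tree to confirm it is a fixed-address ET_EXEC image rather than a position-independent ET_DYN one. It reads the header with od alone, so it works without binutils installed, and it honours the EI_DATA byte, which matters on a big-endian target such as sparc64. The file path passed in is a placeholder assumption; the sample headers used for testing are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report: classify an ELF object by e_type
# using only od, honouring the EI_DATA endianness byte.

# elf_type FILE -> prints EXEC, DYN, REL or OTHER; fails if FILE is not ELF.
elf_type() {
    f=$1
    # bytes 0-3 must be the ELF magic 7f 45 4c 46
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo "not an ELF file: $f" >&2; return 1; }
    # EI_DATA at offset 5: 1 = little-endian, 2 = big-endian (sparc64)
    data=$(od -An -tu1 -j5 -N1 "$f" | tr -d ' \n')
    # e_type is the 2-byte field at offset 16 in both ELF32 and ELF64 headers
    set -- $(od -An -tu1 -j16 -N2 "$f")
    if [ "$data" = "2" ]; then
        etype=$(( $1 * 256 + $2 ))
    else
        etype=$(( $2 * 256 + $1 ))
    fi
    case $etype in
        1) echo REL ;;
        2) echo EXEC ;;
        3) echo DYN ;;
        *) echo OTHER ;;
    esac
}

# is_pie FILE -> exit 0 if the object is ET_DYN (PIE or shared), 1 otherwise.
is_pie() {
    [ "$(elf_type "$1")" = DYN ]
}

# Usage (placeholder path): elf_type /path/to/build-tree/object
```

Run `elf_type` on the object to see its type; `is_pie` is a yes/no wrapper for scripts. This checks the link-time object type, not the TARGET_CCASFLAGS setting itself, so it is a test of the outcome the workaround was meant to guarantee rather than of debian/rules.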
#952815#10
Date: 2020-03-01 18:48:24 UTC
Ack; thanks for letting us know.
#952815#15
Date: 2022-02-08 19:39:54 UTC
Hi Colin!

Just a reminder that this patch can be applied now and the extra TARGET_CCASFLAGS
for sparc64 can be dropped. I have verified that grub2 still builds and boots fine
on sparc64 with the TARGET_CCASFLAGS setting removed.

So, please apply this patch for the next upload:
--- debian/rules.orig 2019-12-16 16:48:45.000000000 +0100 +++ debian/rules 2020-02-29 19:40:17.759252139 +0100 @@ -23,10 +23,6 @@ export TARGET_CPPFLAGS := -Wno-unused-but-set-variable export TARGET_LDFLAGS := -no-pie
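Review bot: this is the same hunk as in message #5, again without its `-` lines, so the header's `-23,10 +23,6` count still points to four deletions that are not visible in the message; a reviewer can only confirm from the context lines that `export TARGET_LDFLAGS := -no-pie` remains, which matches the reporter's statement that only the TARGET_CCASFLAGS setting is dropped.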
#952815#20
Date: 2022-02-08 23:30:57 UTC
Ah right, sorry, I forgot about this.  Applying to git now.
#952815#23
Date: 2022-02-08 23:32:30 UTC
Hello,

Bug #952815 in grub2 reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/grub-team/grub/-/commit/adb3ce1baba3690eb1889a6a36ad5f6b0b69fcdc
------------------------------------------------------------------------
Drop now-unnecessary sparc PIE workaround from debian/rules

Thanks, John Paul Adrian Glaubitz.

Closes: #952815
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/952815

#952815#30
Date: 2022-06-10 09:49:22 UTC
We believe that the bug you reported is fixed in the latest version of
grub2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 952815@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julian Andres Klode <jak@debian.org> (supplier of updated grub2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 10 Jun 2022 11:15:11 +0200
Source: grub2
Architecture: source
Version: 2.06-3
Distribution: unstable
Urgency: medium
Maintainer: GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net>
Changed-By: Julian Andres Klode <jak@debian.org>
Closes: 952815 1001057 1007706
Changes:
 grub2 (2.06-3) unstable; urgency=medium
 .
   [ Colin Watson ]
   * Update a few leftover uses of "which" to use "command -v" instead.
   * Remove some old Lintian overrides.
   * Trim trailing whitespace.
   * debian/copyright: use spaces rather than tabs to start continuation lines.
   * Add missing ${misc:Depends} to Depends for grub-efi-ia32-signed-template,
     grub-efi-amd64-signed-template, grub-efi-arm64-signed-template.
   * Bump debhelper from old 10 to 13.
   * Set upstream metadata fields: Bug-Submit (from ./configure), Repository,
     Repository-Browse.
   * Drop now-unnecessary sparc PIE workaround from debian/rules (thanks,
     John Paul Adrian Glaubitz; closes: #952815).
 .
   [ Debconf translations ]
   * [id] Indonesian (Andika Triwidada; closes: #1007706).
 .
   [ Julian Andres Klode ]
   * Add Julian Andres Klode to uploaders
   * Disable building with LTO, as used in Ubuntu and possibly other
     downstreams (maybe Debian one day), as that breaks the build.
   * SECURITY UPDATE: Crafted PNG grayscale images may lead to out-of-bounds
     write in heap.
     - 0070-video-readers-png-Drop-greyscale-support-to-fix-heap.patch:
       video/readers/png: Drop greyscale support to fix heap out-of-bounds write
     - CVE-2021-3695
   * SECURITY UPDATE: Crafted PNG image may lead to out-of-bound write during
     huffman table handling.
     - 0071-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch:
       video/readers/png: Avoid heap OOB R/W inserting huff table items
     - CVE-2021-3696
   * SECURITY UPDATE: Crafted JPEG image can lead to buffer underflow write in
     the heap.
     - 0076-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch:
       video/readers/jpeg: Block int underflow -> wild pointer write
     - CVE-2021-3697
   * SECURITY UPDATE: Integer underflow in grub_net_recv_ip4_packets
     - 0079-net-ip-Do-IP-fragment-maths-safely.patch: net/ip: Do IP fragment
       maths safely
     - CVE-2022-28733
   * SECURITY UPDATE: Out-of-bounds write when handling split HTTP headers
     - 0085-net-http-Fix-OOB-write-for-split-http-headers.patch: net/http: Fix
       OOB write for split http headers
     - CVE-2022-28734
   * SECURITY UPDATE: shim_lock verifier allows non-kernel files to be loaded
     - 0066-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch:
       kern/efi/sb: Reject non-kernel files in the shim_lock verifier
     - CVE-2022-28735
     - Closes: #1001057
   * SECURITY UPDATE: use-after-free in grub_cmd_chainloader()
     - 0063-loader-efi-chainloader-Simplify-the-loader-state.patch:
       loader/efi/chainloader: simplify the loader state
     - 0064-commands-boot-Add-API-to-pass-context-to-loader.patch: commands/boot:
       Add API to pass context to loader
     - 0065-loader-efi-chainloader-Use-grub_loader_set_ex.patch:
       loader/efi/chainloader: Use grub_loader_set_ex
     - 0066-loader-i386-efi-linux-Use-grub_loader_set_ex.patch:
       loader/i386/efi/linux: Use grub_loader_set_ex
   * Various fixes as a result of fuzzing and static analysis:
     - 0067-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch:
       kern/file: Do not leak device_name on error in grub_file_open()
     - 0068-video-readers-png-Abort-sooner-if-a-read-operation-f.patch:
       video/readers/png: Abort sooner if a read operation fails
     - 0069-video-readers-png-Refuse-to-handle-multiple-image-he.patch:
       video/readers/png: Refuse to handle multiple image headers
     - 0072-video-readers-png-Sanity-check-some-huffman-codes.patch:
       video/readers/png: Sanity check some huffman codes
     - 0073-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch:
       video/readers/jpeg: Abort sooner if a read operation fails
     - 0074-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch:
       video/readers/jpeg: Do not reallocate a given huff table
     - 0075-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch:
       video/readers/jpeg: Refuse to handle multiple start of streams
     - 0077-normal-charset-Fix-array-out-of-bounds-formatting-un.patch:
       normal/charset: Fix array out-of-bounds formatting unicode for display
     - 0078-net-netbuff-Block-overly-large-netbuff-allocs.patch:
       net/netbuff: Block overly large netbuff allocs
     - 0080-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch:
       net/dns: Fix double-free addresses on corrupt DNS response
     - 0081-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch:
       net/dns: Don't read past the end of the string we're checking against
     - 0082-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch:
       net/tftp: Prevent a UAF and double-free from a failed seek
     - 0083-net-tftp-Avoid-a-trivial-UAF.patch: net/tftp: Avoid a trivial UAF
     - 0084-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch:
       net/http: Do not tear down socket if it's already been torn down
     - 0086-net-http-Error-out-on-headers-with-LF-without-CR.patch:
       net/http: Error out on headers with LF without CR
     - 0087-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch:
       fs/f2fs: Do not read past the end of nat journal entries
     - 0088-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch:
       fs/f2fs: Do not read past the end of nat bitmap
     - 0089-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch:
       fs/f2fs: Do not copy file names that are too long
     - 0090-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch:
       fs/btrfs: Fix several fuzz issues with invalid dir item sizing
     - 0091-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch:
       fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing
     - 0092-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch:
       fs/btrfs: Fix more fuzz issues related to chunks
   * Bump SBAT generation:
     - update debian/sbat.debian.csv.in
Checksums-Sha1:
 2f9797dd9c2b2beaeed51cab826cd70a784b826c 7199 grub2_2.06-3.dsc
 2dde9f9e9826902f46fb0496f3a1351f9d0e0c61 1084452 grub2_2.06-3.debian.tar.xz
Checksums-Sha256:
 46b403dbe0e7f24b0ceebeccc397e88a19fd029c3bc5afdb538580bb3fae3ea1 7199 grub2_2.06-3.dsc
 a85896f67cb2ceaf67bf1bcf704223e267e4cc776e002082c27b815ec41acaf7 1084452 grub2_2.06-3.debian.tar.xz
Files:
 4d442e1bbe80e5c3d3e6987b5404470f 7199 admin optional grub2_2.06-3.dsc
 5d35e3a9cf3f4262580ebf6b62e76ef7 1084452 admin optional grub2_2.06-3.debian.tar.xz