Accepted grub2 2.04-16 (source) into unstable

To: debian-devel-changes@lists.debian.org
Subject: Accepted grub2 2.04-16 (source) into unstable
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Date: Tue, 02 Mar 2021 18:21:20 +0000
Message-id: <[🔎] E1lH9e4-000BDA-B4@fasolo.debian.org>
Mail-followup-to: debian-devel@lists.debian.org
Reply-to: debian-devel@lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 02 Mar 2021 18:00:00 +0000
Source: grub2
Architecture: source
Version: 2.04-16
Distribution: unstable
Urgency: medium
Maintainer: GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net>
Changed-By: Colin Watson <cjwatson@debian.org>
Changes:
 grub2 (2.04-16) unstable; urgency=medium
 .
   * Fix broken advice in message when the postinst has to bail out (thanks
     to Daniel Leidert for pointing out the problem).
   * Backport security patch series from upstream:
     - verifiers: Move verifiers API to kernel image
     - kern: Add lockdown support
     - kern/lockdown: Set a variable if the GRUB is locked down
     - efi: Lockdown the GRUB when the UEFI Secure Boot is enabled
     - efi: Use grub_is_lockdown() instead of hardcoding a disabled modules
       list
     - CVE-2020-14372: acpi: Don't register the acpi command when locked down
     - CVE-2020-27779: mmap: Don't register cutmem and badram commands when
       lockdown is enforced
     - commands: Restrict commands that can load BIOS or DT blobs when locked
       down
     - commands/setpci: Restrict setpci command when locked down
     - commands/hdparm: Restrict hdparm command when locked down
     - gdb: Restrict GDB access when locked down
     - loader/xnu: Don't allow loading extension and packages when locked
       down
     - docs: Document the cutmem command
     - CVE-2020-25632: dl: Only allow unloading modules that are not
       dependencies
     - CVE-2020-25647: usb: Avoid possible out-of-bound accesses caused by
       malicious devices
     - mmap: Fix memory leak when iterating over mapped memory
     - net/net: Fix possible dereference to of a NULL pointer
     - net/tftp: Fix dangling memory pointer
     - kern/parser: Fix resource leak if argc == 0
     - kern/efi: Fix memory leak on failure
     - kern/efi/mm: Fix possible NULL pointer dereference
     - gnulib/regexec: Resolve unused variable
     - gnulib/regcomp: Fix uninitialized token structure
     - gnulib/argp-help: Fix dereference of a possibly NULL state
     - gnulib/regexec: Fix possible null-dereference
     - gnulib/regcomp: Fix uninitialized re_token
     - io/lzopio: Resolve unnecessary self-assignment errors
     - zstd: Initialize seq_t structure fully
     - kern/partition: Check for NULL before dereferencing input string
     - disk/ldm: Make sure comp data is freed before exiting from make_vg()
     - disk/ldm: If failed then free vg variable too
     - disk/ldm: Fix memory leak on uninserted lv references
     - disk/cryptodisk: Fix potential integer overflow
     - hfsplus: Check that the volume name length is valid
     - zfs: Fix possible negative shift operation
     - zfs: Fix resource leaks while constructing path
     - zfs: Fix possible integer overflows
     - zfsinfo: Correct a check for error allocating memory
     - affs: Fix memory leaks
     - libgcrypt/mpi: Fix possible unintended sign extension
     - libgcrypt/mpi: Fix possible NULL dereference
     - syslinux: Fix memory leak while parsing
     - normal/completion: Fix leaking of memory when processing a completion
     - commands/hashsum: Fix a memory leak
     - video/efi_gop: Remove unnecessary return value of
       grub_video_gop_fill_mode_info()
     - video/fb/fbfill: Fix potential integer overflow
     - video/fb/video_fb: Fix multiple integer overflows
     - video/fb/video_fb: Fix possible integer overflow
     - video/readers/jpeg: Test for an invalid next marker reference from a
       jpeg file
     - gfxmenu/gui_list: Remove code that coverity is flagging as dead
     - loader/bsd: Check for NULL arg up-front
     - loader/xnu: Fix memory leak
     - loader/xnu: Free driverkey data when an error is detected in
       grub_xnu_writetree_toheap()
     - loader/xnu: Check if pointer is NULL before using it
     - util/grub-install: Fix NULL pointer dereferences
     - util/grub-editenv: Fix incorrect casting of a signed value
     - util/glue-efi: Fix incorrect use of a possibly negative value
     - script/execute: Fix NULL dereference in grub_script_execute_cmdline()
     - commands/ls: Require device_name is not NULL before printing
     - script/execute: Avoid crash when using "$#" outside a function scope
     - CVE-2021-20225: lib/arg: Block repeated short options that require an
       argument
     - script/execute: Don't crash on a "for" loop with no items
     - CVE-2021-20233: commands/menuentry: Fix quoting in setparams_prefix()
     - kern/misc: Always set *end in grub_strtoull()
     - video/readers/jpeg: Catch files with unsupported quantization or
       Huffman tables
     - video/readers/jpeg: Catch OOB reads/writes in grub_jpeg_decode_du()
     - video/readers/jpeg: Don't decode data before start of stream
     - term/gfxterm: Don't set up a font with glyphs that are too big
     - fs/fshelp: Catch impermissibly large block sizes in read helper
     - fs/hfsplus: Don't fetch a key beyond the end of the node
     - fs/hfsplus: Don't use uninitialized data on corrupt filesystems
     - fs/hfs: Disable under lockdown
     - fs/sfs: Fix over-read of root object name
     - fs/jfs: Do not move to leaf level if name length is negative
     - fs/jfs: Limit the extents that getblk() can consider
     - fs/jfs: Catch infinite recursion
     - fs/nilfs2: Reject too-large keys
     - fs/nilfs2: Don't search children if provided number is too large
     - fs/nilfs2: Properly bail on errors in grub_nilfs2_btree_node_lookup()
     - io/gzio: Bail if gzio->tl/td is NULL
     - io/gzio: Add init_dynamic_block() clean up if unpacking codes fails
     - io/gzio: Catch missing values in huft_build() and bail
     - io/gzio: Zero gzio->tl/td in init_dynamic_block() if huft_build()
       fails
     - disk/lvm: Don't go beyond the end of the data we read from disk
     - disk/lvm: Don't blast past the end of the circular metadata buffer
     - disk/lvm: Bail on missing PV list
     - disk/lvm: Do not crash if an expected string is not found
     - disk/lvm: Do not overread metadata
     - disk/lvm: Sanitize rlocn->offset to prevent wild read
     - disk/lvm: Do not allow a LV to be it's own segment's node's LV
     - fs/btrfs: Validate the number of stripes/parities in RAID5/6
     - fs/btrfs: Squash some uninitialized reads
     - kern/parser: Fix a memory leak
     - kern/parser: Introduce process_char() helper
     - kern/parser: Introduce terminate_arg() helper
     - kern/parser: Refactor grub_parser_split_cmdline() cleanup
     - kern/buffer: Add variable sized heap buffer
     - CVE-2020-27749: kern/parser: Fix a stack buffer overflow
     - kern/efi: Add initial stack protector implementation
     - util/mkimage: Remove unused code to add BSS section
     - util/mkimage: Use grub_host_to_target32() instead of
       grub_cpu_to_le32()
     - util/mkimage: Always use grub_host_to_target32() to initialize PE
       stack and heap stuff
     - util/mkimage: Unify more of the PE32 and PE32+ header set-up
     - util/mkimage: Reorder PE optional header fields set-up
     - util/mkimage: Improve data_size value calculation
     - util/mkimage: Refactor section setup to use a helper
     - util/mkimage: Add an option to import SBAT metadata into a .sbat
       section
     - grub-install-common: Add --sbat option
     - kern/misc: Split parse_printf_args() into format parsing and va_list
       handling
     - kern/misc: Add STRING type for internal printf() format handling
     - kern/misc: Add function to check printf() format against expected
       format
     - gfxmenu/gui: Check printf() format in the gui_progress_bar and
       gui_label
     - kern/mm: Fix grub_debug_calloc() compilation error
   * Add SBAT section (thanks, Chris Coulson).
Checksums-Sha1:
 5d124a9b035fb9a4ea2a87243185217ab79878de 7145 grub2_2.04-16.dsc
 5eafeb66e170acda6c1f946e11cb511c220a451a 1157316 grub2_2.04-16.debian.tar.xz
Checksums-Sha256:
 2ad1470e7b90097689aa847013b6ed4736c2b95af88b389653c7e8fea3c1f2eb 7145 grub2_2.04-16.dsc
 4eac7a5d8d056388de000aac477bde28b6e3bd2bf6cf1c38ec5d9c7f4a5b2319 1157316 grub2_2.04-16.debian.tar.xz
Files:
 9f9f10d2d039d243f766c94ee229a3aa 7145 admin optional grub2_2.04-16.dsc
 8a20d5cebaee362d7a8f7358b8de1982 1157316 admin optional grub2_2.04-16.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAmA+faoACgkQOTWH2X2G
UAt7ZhAAhWkwooxR78jtY4PGs0wCJNzSAvZWVUifmR5motT9p9xCEE5nnnhKefwb
EOMgSyCnl0h3/m5NkDm00pnhhkUvNvxMKDa86FQCFgG7mwxuz+OblLijDPWpwg8C
4iVbxc1OIOCD3O9uRe0h3a/4yrdlDSlSaWukSse/L2jioEInYhlgtAXAy+nqo+hE
gpdIL7NK27LPaNETU3PdLjffC9RCewvIO/29moHCtgsTzq1BUwlU+N/tqoWnoQcx
4OMxAMUPb1+D3dsAk+MgbfpAArXtSZOAoMLvkfGDOHpFEiJeVlh9xDoLmzQhhtd+
8w0oWUxAEXhqTAMMa7OCDr+1Vfx0mGwK0jAXhPxlyYk7/rC04FFTzvic7aUK1UuA
66aDJb82kayMc62KwjgN5Jk6wTWbTsl7DN2wWQKAeXo75mMIKOQ+tEg2L28oQtr/
Gr/dAx1G3ovVtDE85PDWH6Z+0eRQvTCU1mj9JxleRaOdIQ1amtVcAsyWl0Icd51u
7YiT7HT5MkiDG3sK+9aLh+FaJVa2Gf/w0IZ6Rt+vTRjluDIVh3dUTLqzMppSNU2a
DkE8xokC5SsZgByKA0WKuX0iExcakT0Hsb+E5srzHMXOPqhhqQZEzaIhY87C9r34
zpE7sWRjVJS7aMfGteJsUL0hYvjMF8Dy57xdOAwP4kox0Va3tJY=
=qZI0
-----END PGP SIGNATURE-----
Reply to:
Prev by Date: Accepted linux 5.10.19-1 (source) into unstable, unstable
Next by Date: Accepted gmsh 4.7.1+ds1-5 (source) into unstable
Previous by thread: Accepted linux 5.10.19-1 (source) into unstable, unstable
Next by thread: Accepted gmsh 4.7.1+ds1-5 (source) into unstable
Index(es):
- Date
- Thread