starlingx/integ
Code Issues Proposed changes
2d8cd2a351
integ/grub/grub-efi/debian/patches/series
Li Zhou daea2d8219 grub2/grub-efi: fix CVE-2023-4692/CVE-2023-4693 
Porting patches from grub2_2.06-3~deb11u6 to fix
CVE-2023-4692/CVE-2023-4693.

The source code of grub2_2.06-3~deb11u6 is from:
https://snapshot.debian.org/archive/debian-security/20231006T185629Z/
pool/updates/main/g/grub2/grub2_2.06-3~deb11u6.debian.tar.xz

Patch for CVE-2023-4692:
<fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute
 for the $MFT file>
Patch for CVE-2023-4693:
<fs/ntfs: Fix an OOB read when reading data from the resident $DATA
 attribute>

No content changes for all the patches from debian release.

We do this because grub2/grub-efi is ported from wrlinux for
secure boot bringing up.

Test plan:
 - PASS: build grub2/grub-efi.
 - PASS: build-image and install and boot up on lab/qemu.
 - PASS: check that the "stx.N" version number is right for both
         bios(grub2 ver) and uefi(grub-efi ver) boot.

Closes-bug: 2038742

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I7c8e11952fb409be93e9d777bf7da7b87414a95d
2023-10-09 22:31:36 -04:00

46 lines
2.7 KiB
Plaintext
Raw Blame History

0001-grub2-add-tboot.patch
0002-grub2-checking-if-loop-devices-are-available.patch
0020-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch
0021-video-readers-Add-artificial-limit-to-image-dimensio.patch
0022-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch
0023-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
0024-font-Fix-several-integer-overflows-in-grub_font_cons.patch
0025-font-Remove-grub_font_dup_glyph.patch
0026-font-Fix-integer-overflow-in-ensure_comb_space.patch
0027-font-Fix-integer-overflow-in-BMP-index.patch
0028-font-Fix-integer-underflow-in-binary-search-of-char-.patch
0029-kern-efi-sb-Enforce-verification-of-font-files.patch
0030-fbutil-Fix-integer-overflow.patch
0031-font-Fix-an-integer-underflow-in-blit_comb.patch
0032-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch
0033-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
0034-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch
0035-video-readers-png-Drop-greyscale-support-to-fix-heap.patch
0036-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch
0037-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch
0038-net-ip-Do-IP-fragment-maths-safely.patch
0039-net-http-Fix-OOB-write-for-split-http-headers.patch
0040-net-http-Error-out-on-headers-with-LF-without-CR.patch
0041-loader-efi-chainloader-Simplify-the-loader-state.patch
0042-commands-boot-Add-API-to-pass-context-to-loader.patch
0043-loader-efi-chainloader-Use-grub_loader_set_ex.patch
0044-fs-ntfs-Fix-an-OOB-write-when-parsing-the-ATTRIBUTE_.patch
0045-fs-ntfs-Fix-an-OOB-read-when-reading-data-from-the-r.patch
lat/0003-Make-UEFI-watchdog-behaviour-configurable.patch
lat/0004-correct-grub_errno.patch
lat/0005-grub-verify-Add-skip_check_cfg-variable.patch
secure-core/0006-pe32.h-add-header-structures-for-TE-and-DOS-executab.patch
secure-core/0007-shim-add-needed-data-structures.patch
secure-core/0008-efi-chainloader-implement-an-UEFI-Exit-service.patch
secure-core/0009-efi-chainloader-port-shim-to-grub.patch
secure-core/0010-efi-chainloader-use-shim-to-load-and-verify-an-image.patch
secure-core/0011-efi-chainloader-boot-the-image-using-shim.patch
secure-core/0012-efi-chainloader-take-care-of-unload-undershim.patch
secure-core/0013-chainloader-handle-the-unauthenticated-image-by-shim.patch
secure-core/0014-chainloader-Don-t-check-empty-section-in-file-like-..patch
secure-core/0015-chainloader-find-the-relocations-correctly.patch
secure-core/0016-Add-a-module-for-reading-EFI-global-variables.patch
secure-core/0017-grub-shim-verify-Report-that-the-loaded-object-is-ve.patch
secure-core/0018-grub-verify-Add-strict_security-variable.patch
secure-core/0019-Disable-inside-lockdown-and-shim_lock-verifiers.patch
View Git Blame Copy Permalink