Pull in upstream patches to harden font and image handling

CVE-2022-2601, CVE-2022-3775 Bump SBAT level to 3 for grub-efi packages

Pull in upstream patches to harden font and image handling
CVE-2022-2601, CVE-2022-3775 Bump SBAT level to 3 for grub-efi packages
25fe9dd8 · Steve McIntyre · afa02a1b · 25fe9dd8 · 25fe9dd8 · 25fe9dd8
Commit 25fe9dd8 authored 2 years ago by Steve McIntyre
--- a/debian/changelog
+++ b/debian/changelog
-grub2 (2.06-5) UNRELEASED; urgency=high
+grub2 (2.06-5) unstable; urgency=high

  [ Steve McIntyre ]
  * Explicitly unset SOURCE_DATE_EPOCH before running fs tests
+  * Pull in upstream patches to harden font and image handling -
+    CVE-2022-2601, CVE-2022-3775.
+  * Bump SBAT level to 3 for grub-efi packages

- -- Steve McIntyre <93sam@debian.org>  Wed, 14 Sep 2022 22:35:49 +0100
+ -- Steve McIntyre <93sam@debian.org>  Sun, 13 Nov 2022 00:33:35 +0000

 grub2 (2.06-4) unstable; urgency=high


--- a/debian/patches/series
+++ b/debian/patches/series
@@ -91,3 +91,17 @@ minilzo-2.10.patch
 0091-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch
 0092-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch
 fs-tester-time-fail.patch
+cve_2022_2601/0001-video-readers-Add-artificial-limit-to-image-dimensio.patch
+cve_2022_2601/0002-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch
+cve_2022_2601/0003-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
+cve_2022_2601/0004-font-Fix-several-integer-overflows-in-grub_font_cons.patch
+cve_2022_2601/0005-font-Remove-grub_font_dup_glyph.patch
+cve_2022_2601/0006-font-Fix-integer-overflow-in-ensure_comb_space.patch
+cve_2022_2601/0007-font-Fix-integer-overflow-in-BMP-index.patch
+cve_2022_2601/0008-font-Fix-integer-underflow-in-binary-search-of-char-.patch
+cve_2022_2601/0009-kern-efi-sb-Enforce-verification-of-font-files.patch
+cve_2022_2601/0010-fbutil-Fix-integer-overflow.patch
+cve_2022_2601/0011-font-Fix-an-integer-underflow-in-blit_comb.patch
+cve_2022_2601/0012-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch
+cve_2022_2601/0013-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
+cve_2022_2601/0014-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch
--- a/debian/sbat.debian.csv.in
+++ b/debian/sbat.debian.csv.in
 sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
-grub,2,Free Software Foundation,grub,@UPSTREAM_VERSION@,https://www.gnu.org/software/grub/
+grub,3,Free Software Foundation,grub,@UPSTREAM_VERSION@,https://www.gnu.org/software/grub/
 grub.debian,1,Debian,grub2,@DEB_VERSION@,https://tracker.debian.org/pkg/grub2