This fixes the two CVEs and various other OOB bugs in the ntfs driver.

Reported-by: Maxim Suhanov <dfirblog@gmail.com>

Closes: #1034409

Add debconf logic for GRUB_DISABLE_OS_PROBER to make it easier to
control things here. Particularly useful for the installer.
Closes: #1031594, #1012865.

Add arm64-handover-to-kernel-if-sb-enabled.patch

See merge request grub-team/grub!32

Fix Secure Boot on arm64 with patch
arm64-handover-to-kernel-if-sb-enabled.patch.

Fix: #1033657

- disk/cryptodisk: When cheatmounting, use the sector info of the cheat
  device
- osdep/devmapper/getroot: Have devmapper recognize LUKS2
- osdep/devmapper/getroot: Set up cheated LUKS2 cryptodisk mount from DM
  parameters

Thanks for tracking this down Antoine!

I've mostly retired from GRUB maintenance since early 2022, so I think
it would be better if I weren't listed as an uploader in bookworm.
Thanks to Steve and Julian for picking up the torch!

Closes: #1030846

Closes: #1026915. Thanks to Pascal Hambourg for the patch.

It only causes problems. Closes: #1016737

Fixes #845683

to install onto devices

Apply patch from upstream,

Closes: #1001414

Closes: #1026092

Also needs backports from upstream commits to fix warnings/errors
from using gcc 12:

be8eb0eed util/mkimage: Fix dangling pointer may be used error
acffb8148 build: Fix -Werror=array-bounds array subscript 0 is outside array bounds
3ce13d974 lib/reed_solomon: Fix array subscript 0 is outside array bounds

Closes: #1021846. Thanks to программист некто for helping to debug the
problem!

Make font fallback handling work!

Due to a mistake in the buster update that left the CVE-2022-2601 bugs
in place, we need to bump SBAT for all of the Debian GRUB binaries. :-(

The previous security updates disallowed loading unsigned fonts when
in SB mode. To make things work again:

 * Embed the "unicode" font into the embedded memdisk image so it can
   be loaded.
 * Add the memdisk to our normal grubx64.efi loader too
 * Add a patch from Chris Coulson to make the font loader look for
   fonts in the memdisk whenever they're loaded.

Closes: #1024395, #1025352, #1024447

CVE-2022-2601, CVE-2022-3775

Bump SBAT level to 3 for grub-efi packages

The out->ncomb is a bit-field of 8 bits. So, the max possible value is 255.
However, code in grub_unicode_aglomerate_comb() doesn't check for an
overflow when incrementing out->ncomb. If out->ncomb is already 255,
after incrementing it will get 0 instead of 256, and cause illegal
memory access in subsequent processing.

This patch introduces GRUB_UNICODE_NCOMB_MAX to represent the max
acceptable value of ncomb. The code now checks for this limit and
ignores additional combining characters when limit is reached.

Reported-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

The calculations in blit_comb() need information from glyph's font, e.g.
grub_font_get_xheight(main_glyph->font). However, main_glyph->font is
NULL if main_glyph comes from ascii_font_glyph[]. Therefore
grub_font_get_*() crashes because of NULL pointer.

There is already a solution, the null_font. So, assign it to those glyphs
in ascii_font_glyph[].

Reported-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

As a mitigation and hardening measure add sanity checks to
grub_font_blit_glyph() and grub_font_blit_glyph_mirror(). This patch
makes these two functions do nothing if target blitting area isn't fully
contained in target bitmap. Therefore, if complex calculations in caller
overflows and malicious coordinates are given, we are still safe because
any coordinates which result in out-of-bound-write are rejected. However,
this patch only checks for invalid coordinates, and doesn't provide any
protection against invalid source glyph or destination glyph, e.g.
mismatch between glyph size and buffer size.

This hardening measure is designed to mitigate possible overflows in
blit_comb(). If overflow occurs, it may return invalid bounding box
during dry run and call grub_font_blit_glyph() with malicious
coordinates during actual blitting. However, we are still safe because
the scratch glyph itself is valid, although its size makes no sense, and
any invalid coordinates are rejected.

It would be better to call grub_fatal() if illegal parameter is detected.
However, doing this may end up in a dangerous recursion because grub_fatal()
would print messages to the screen and we are in the progress of drawing
characters on the screen.

Reported-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>