From 6fdd8b9acac842c72cc4159b307f7f86d749d5b5 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Wed, 19 Mar 2025 14:50:25 +0300
Subject: [PATCH 1/2] import OL
---
...write-in-grub_net_search_config_file.patch | 79 +++++++++++++++++++
.../0354-misc-Implement-grub_strlcpy.patch | 65 +++++++++++++++
SOURCES/20-grub.install | 18 +++--
...18504756-use-different-title-for-UEK.patch | 30 +++++++
...bug26388226-update-redhat-references.patch | 25 ++++++
SOURCES/grub.macros | 11 ++-
SOURCES/grub.patches | 4 +
SOURCES/sbat.csv.in | 1 +
SPECS/grub2.spec | 46 +++++++++--
9 files changed, 263 insertions(+), 16 deletions(-)
create mode 100644 SOURCES/0353-net-Fix-OOB-write-in-grub_net_search_config_file.patch
create mode 100644 SOURCES/0354-misc-Implement-grub_strlcpy.patch
create mode 100644 SOURCES/bug18504756-use-different-title-for-UEK.patch
create mode 100644 SOURCES/bug26388226-update-redhat-references.patch
diff --git a/SOURCES/0353-net-Fix-OOB-write-in-grub_net_search_config_file.patch b/SOURCES/0353-net-Fix-OOB-write-in-grub_net_search_config_file.patch
new file mode 100644
index 0000000..c6b75f6
--- /dev/null
+++ b/SOURCES/0353-net-Fix-OOB-write-in-grub_net_search_config_file.patch
@@ -0,0 +1,79 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: B Horn
+Date: Tue, 11 Feb 2025 16:38:44 -0600
+Subject: [PATCH] net: Fix OOB write in grub_net_search_config_file()
+
+The function included a call to grub_strcpy() which copied data from an
+environment variable to a buffer allocated in grub_cmd_normal(). The
+grub_cmd_normal() didn't consider the length of the environment variable.
+So, the copy operation could exceed the allocation and lead to an OOB
+write. Fix the issue by replacing grub_strcpy() with grub_strlcpy() and
+pass the underlying buffers size to the grub_net_search_config_file().
+
+Fixes: CVE-2025-0624
+
+Signed-off-by: B Horn
+Reviewed-by: Daniel Kiper
+---
+ grub-core/net/net.c | 7 ++++---
+ grub-core/normal/main.c | 2 +-
+ include/grub/net.h | 2 +-
+ 3 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/net/net.c b/grub-core/net/net.c
+index 2512862..6c0bd00 100644
+--- a/grub-core/net/net.c
++++ b/grub-core/net/net.c
+@@ -1971,14 +1971,15 @@ grub_config_search_through (char *config, char *suffix,
+ }
+
+ grub_err_t
+-grub_net_search_config_file (char *config)
++grub_net_search_config_file (char *config, grub_size_t config_buf_len)
+ {
+- grub_size_t config_len;
++ grub_size_t config_len, suffix_len;
+ char *suffix;
+
+ config_len = grub_strlen (config);
+ config[config_len] = '-';
+ suffix = config + config_len + 1;
++ suffix_len = config_buf_len - (config_len + 1);
+
+ struct grub_net_network_level_interface *inf;
+ FOR_NET_NETWORK_LEVEL_INTERFACES (inf)
+@@ -2004,7 +2005,7 @@ grub_net_search_config_file (char *config)
+
+ if (client_uuid)
+ {
+- grub_strcpy (suffix, client_uuid);
++ grub_strlcpy (suffix, client_uuid, suffix_len);
+ if (grub_config_search_through (config, suffix, 1, 0) == 0)
+ return GRUB_ERR_NONE;
+ }
+diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+index 6f6e4a8..49b9472 100644
+--- a/grub-core/normal/main.c
++++ b/grub-core/normal/main.c
+@@ -360,7 +360,7 @@ grub_try_normal_prefix (const char *prefix)
+ return err;
+
+ grub_snprintf (config, config_len, "%s/grub.cfg", prefix);
+- err = grub_net_search_config_file (config);
++ err = grub_net_search_config_file (config, config_len);
+ }
+
+ if (err != GRUB_ERR_NONE)
+diff --git a/include/grub/net.h b/include/grub/net.h
+index 43eba92..1101b03 100644
+--- a/include/grub/net.h
++++ b/include/grub/net.h
+@@ -648,7 +648,7 @@ void
+ grub_net_remove_dns_server (const struct grub_net_network_level_address *s);
+
+ grub_err_t
+-grub_net_search_config_file (char *config);
++grub_net_search_config_file (char *config, grub_size_t config_buf_len);
+
+ extern char *grub_net_default_server;
+
diff --git a/SOURCES/0354-misc-Implement-grub_strlcpy.patch b/SOURCES/0354-misc-Implement-grub_strlcpy.patch
new file mode 100644
index 0000000..722cab9
--- /dev/null
+++ b/SOURCES/0354-misc-Implement-grub_strlcpy.patch
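Review bot: `suffix_len = config_buf_len - (config_len + 1);` in the embedded net.c hunk is an unsigned subtraction with no guard, so a `config_buf_len` that is not larger than `grub_strlen (config) + 1` makes it wrap to a huge value, and the `config[config_len] = '-'` store two lines earlier is then already outside the buffer. Because `grub_strlcpy()` as added by 0354 writes `dest[size - 1]` whenever `size != 0`, a wrapped `suffix_len` turns the bounded copy back into an out-of-bounds write even for a short `client_uuid`. I would reject that case before the buffer is touched, e.g. `if (config_buf_len <= config_len + 1) return grub_error (GRUB_ERR_BAD_ARGUMENT, "config buffer too small");`, and treat a `grub_strlcpy()` result `>= suffix_len` as truncation and skip the lookup rather than searching for a shortened file name. The one caller shown passes `config_len`, whose allocation is outside the hunk, and only the `client_uuid` copy is visible here; any other write through `suffix` in the rest of the function should be bounded by `suffix_len` as well.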
@@ -0,0 +1,65 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: B Horn
+Date: Sat, 15 Jun 2024 02:33:08 +0100
+Subject: [PATCH] misc: Implement grub_strlcpy()
+
+grub_strlcpy() acts the same way as strlcpy() does on most *NIX,
+returning the length of src and ensuring dest is always NUL
+terminated except when size is 0.
+
+Signed-off-by: B Horn
+Reviewed-by: Daniel Kiper
+---
+ include/grub/misc.h | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+diff --git a/include/grub/misc.h b/include/grub/misc.h
+index 981526644..0592aa68f 100644
+--- a/include/grub/misc.h
++++ b/include/grub/misc.h
+@@ -72,6 +72,45 @@ grub_stpcpy (char *dest, const char *src)
+ return d - 1;
+ }
+
++static inline grub_size_t
++grub_strlcpy (char *dest, const char *src, grub_size_t size)
++{
++ char *d = dest;
++ grub_size_t res = 0;
++ /*
++ * We do not subtract one from size here to avoid dealing with underflowing
++ * the value, which is why to_copy is always checked to be greater than one
++ * throughout this function.
++ */
++ grub_size_t to_copy = size;
++
++ /* Copy size - 1 bytes to dest. */
++ if (to_copy > 1)
++ while ((*d++ = *src++) != '\0' && ++res && --to_copy > 1)
++ ;
++
++ /*
++ * NUL terminate if size != 0. The previous step may have copied a NUL byte
++ * if it reached the end of the string, but we know dest[size - 1] must always
++ * be a NUL byte.
++ */
++ if (size != 0)
++ dest[size - 1] = '\0';
++
++ /* If there is still space in dest, but are here, we reached the end of src. */
++ if (to_copy > 1)
++ return res;
++
++ /*
++ * If we haven't reached the end of the string, iterate through to determine
++ * the strings total length.
++ */
++ while (*src++ != '\0' && ++res)
++ ;
++
++ return res;
++}
++
+ /* XXX: If grub_memmove is too slow, we must implement grub_memcpy. */
+ static inline void *
+ grub_memcpy (void *dest, const void *src, grub_size_t n)
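Review bot: `grub_strlcpy()` is added to include/grub/misc.h without a header comment, although callers depend on its contract for memory safety. I would document above the function that `size` must be the full capacity of `dest`, because `dest[size - 1]` is written whenever `size != 0` even when `src` is short. The same comment should say that the return value is the length of `src`, so a result `>= size` means the copy was truncated, and that `src` must be NUL-terminated because the tail loop reads to its end. The copy loop `while ((*d++ = *src++) != '\0' && ++res && --to_copy > 1)` packs three side effects into one condition and would be easier to audit as a `for` loop with an explicit bound. The comment "If there is still space in dest, but are here" also reads as if a word is missing ("but we are here").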
diff --git a/SOURCES/20-grub.install b/SOURCES/20-grub.install index a3f1b18..67d6895 100755 --- a/SOURCES/20-grub.install +++ b/SOURCES/20-grub.install @@ -6,6 +6,7 @@ fi [[ -f /etc/default/grub ]] && . /etc/default/grub [[ -f /etc/os-release ]] && . /etc/os-release +[[ -f /etc/sysconfig/kernel ]] && . /etc/sysconfig/kernel COMMAND="$1" KERNEL_VERSION="$2" @@ -41,8 +42,14 @@ mkbls() { fi fi + if [[ $kernelver =~ uek ]]; then + local ver_stanza="$kernelver with Unbreakable Enterprise Kernel" + else + local ver_stanza="$kernelver" + fi + cat < +Date: Tue, 18 Dec 2018 13:22:12 -0800 +Subject: [PATCH 1/1] Use different menuentries for UEK kernel + +--- + util/grub.d/10_linux.in | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in +index b54d277..fe8b20f 100644 +--- a/util/grub.d/10_linux.in ++++ b/util/grub.d/10_linux.in +@@ -173,7 +173,12 @@ EOF + fi + + if [ x$type != xsimple ] ; then +- title=$(mktitle "$type" "$version") ++ if echo "$version" | grep -q uek; then ++ kernel_type_text="with Unbreakable Enterprise Kernel" ++ else ++ kernel_type_text="with Linux" ++ fi ++ title=$(mktitle "$type" "$version $kernel_type_text") + if [ x"$title" = x"$GRUB_ACTUAL_DEFAULT" ] || [ x"Previous Linux versions>$title" = x"$GRUB_ACTUAL_DEFAULT" ]; then + replacement_title="$(echo "Advanced options for ${OS}" | sed 's,>,>>,g')>$(echo "$title" | sed 's,>,>>,g')" + quoted="$(echo "$GRUB_ACTUAL_DEFAULT" | grub_quote)" +-- +1.8.3.1 + diff --git a/SOURCES/bug26388226-update-redhat-references.patch b/SOURCES/bug26388226-update-redhat-references.patch new file mode 100644 index 0000000..8e90b0b --- /dev/null +++ b/SOURCES/bug26388226-update-redhat-references.patch 
@@ -0,0 +1,25 @@ +From aba9976ce324fdf845b04b326f7426566a676335 Mon Sep 17 00:00:00 2001 +From: "livy.ge" +Date: Wed, 5 Jul 2017 03:53:48 -0700 +Subject: [PATCH] update bug url + +--- + util/grub-set-password.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/util/grub-set-password.in b/util/grub-set-password.in +index 6553eaa..03731d5 100644 +--- a/util/grub-set-password.in ++++ b/util/grub-set-password.in +@@ -21,7 +21,7 @@ located by default at ${grubdir}. + -v, --version print the version information and exit + -o, --output_path put user.cfg in a user-selected directory + +-Report bugs at https://bugzilla.redhat.com. ++Report bugs at https://github.com/oracle/oracle-linux . + EOF + } + +-- +2.43.5 + diff --git a/SOURCES/grub.macros b/SOURCES/grub.macros index 966c079..ff4fe67 100755 --- a/SOURCES/grub.macros +++ b/SOURCES/grub.macros @@ -216,7 +216,7 @@ %ifarch x86_64 %global with_efi_common 1 -%global with_legacy_modules 0 +%global with_legacy_modules 1 %global with_legacy_common 0 %else %global with_efi_common 0 @@ -274,6 +274,11 @@ Requires: %{name}-common = %{evr} \ Requires: %{name}-tools-minimal >= %{evr} \ Requires: %{name}-tools = %{evr} \ Provides: %{name}-efi = %{evr} \ +Provides: oracle(grub2-sig-key) = 202204 \ +%{expand:%%ifarch x86_64 \ +Conflicts: shim-x64 <= 15.3-1.0.5.el9 \ +Conflicts: shim-ia32 <= 15.3-1.0.5.el9 \ +%%endif} \ %{?legacy_provides:Provides: %{name} = %{evr}} \ %{-o:Obsoletes: %{name}-efi < %{evr}} \ \ @@ -372,7 +377,7 @@ install -m 644 %{1}.conf ${RPM_BUILD_ROOT}/etc/dnf/protected.d/ \ rm -f %{1}.conf \ %{nil} -%global grub_modules " all_video boot blscfg \\\ +%global grub_modules " all_video boot blscfg btrfs \\\ cat configfile cryptodisk \\\ echo ext2 f2fs fat font \\\ gcry_rijndael gcry_rsa gcry_serpent \\\ 
@@ -387,7 +392,7 @@ rm -f %{1}.conf \ search_label serial sleep syslinuxcfg \\\ test tftp version video xfs zstd " \ -%ifarch x86_64 aarch64 %{arm} riscv64 +%ifarch x86_64 aarch64 %{arm} %define efi_mkimage() \ %{4}./grub-mkimage -O %{1} -o %{2}.orig \\\ -p /EFI/%{efi_vendor} -d grub-core \\\ diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches index 83edcfb..b95479e 100644 --- a/SOURCES/grub.patches +++ b/SOURCES/grub.patches @@ -350,3 +350,7 @@ Patch0349: 0349-grub2-mkconfig-Simplify-os_name-detection.patch Patch0350: 0350-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch Patch0351: 0351-arm64-Use-proper-memory-type-for-kernel-allocation.patch Patch0352: 0352-cmd-search-Fix-a-possible-NULL-ptr-dereference.patch +Patch0353: 0353-net-Fix-OOB-write-in-grub_net_search_config_file.patch +Patch0354: 0354-misc-Implement-grub_strlcpy.patch +Patch1000: bug18504756-use-different-title-for-UEK.patch +Patch1001: bug26388226-update-redhat-references.patch \ No newline at end of file diff --git a/SOURCES/sbat.csv.in b/SOURCES/sbat.csv.in index b338b5f..139cfad 100755 --- a/SOURCES/sbat.csv.in +++ b/SOURCES/sbat.csv.in @@ -1,3 +1,4 @@ sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md grub,3,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/ grub.rh,2,Red Hat,grub2,@@VERSION_RELEASE@@,mailto:secalert@redhat.com +grub.ol9,3,Oracle Linux,grub2,@@VERSION@@,mail:secalert_us@oracle.com diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec index 899bb02..bae70ef 100644 --- a/SPECS/grub2.spec +++ b/SPECS/grub2.spec @@ -16,7 +16,7 @@ Name: grub2 Epoch: 1 Version: 2.06 -Release: 93%{?dist} +Release: 94.0.1%{?dist} Summary: Bootloader with support for Linux, Multiboot and more License: GPLv3+ URL: http://www.gnu.org/software/grub/ 
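Review bot: In the SOURCES/grub.patches hunk, `Patch0353` (the net fix, which calls `grub_strlcpy()`) is listed before `Patch0354` (which adds `grub_strlcpy()` to include/grub/misc.h), so the dependency reads backwards. The two patches touch different files, so the series presumably still applies and builds once both are in, but a tree with 0353 alone would not compile. I would list the helper first, or add a comment such as `# 0353 needs grub_strlcpy() from 0354` so that nobody backports or drops one without the other.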
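Review bot: No SBAT generation changes alongside the CVE-2025-0624 fix: the SOURCES/sbat.csv.in hunk only adds a `grub.ol9` row (which PATCH 2/2 removes again) and leaves the `grub,3` and `grub.rh,2` rows as they were. If builds signed before this fix are meant to be revocable under Secure Boot, that needs a generation bump in this file; if revocation is handled elsewhere or deliberately not done, the changelog entry should say so. Separately, the added row uses `mail:secalert_us@oracle.com` where the row above uses the `mailto:` scheme, which looks like a typo.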
@@ -38,21 +38,21 @@ Source12: sbat.csv.in %include %{SOURCE1} %ifarch x86_64 aarch64 ppc64le -%define sb_ca %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer -%define sb_cer %{_datadir}/pki/sb-certs/secureboot-grub2-%{_arch}.cer +%define sb_ca %{SOURCE14} +%define sb_cer %{SOURCE14} %endif %if 0%{?centos} %ifarch x86_64 aarch64 ppc64le -%define sb_key centossecureboot202 +%define sb_key OracleSecureBootgrubsigningkey2 %endif %else %ifarch x86_64 aarch64 -%define sb_key redhatsecureboot502 +%define sb_key OracleSecureBootgrubsigningkey2 %endif %ifarch ppc64le -%define sb_key redhatsecureboot702 +%define sb_key OracleSecureBootgrubsigningkey2 %endif %endif 
@@ -547,6 +547,40 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg %endif %changelog +* Mon Mar 17 2025 Alex Burmashev - 2.06-94.0.1 +- Rework the scripts to cover both in-place upgrade and update scenarios [Orabug: 36768566] +- Restore correct order of processing config files [Orabug: 36758359] +- Support setting custom kernels as default kernels [Orabug: 36043978] +- Bump SBAT metadata for grub to 3 [Orabug: 34872719] +- Fix CVE-2022-3775 [Orabug: 34871953] +- Enable signing for aarch64 EFI +- Fix signing certificate names +- Enable back btrfs grub module for EFI pre-built image [Orabug: 34360986] +- Replaced bugzilla.oracle.com references [Orabug: 34202300] +- Update provided certificate version to 202204 [JIRA: OLDIS-16371] +- Various coverity fixes [JIRA: OLDIS-16371] +- bump SBAT generation +- Update bug url [Orabug: 34202300] +- Revert provided certificate version back to 202102 [JIRA: OLDIS-16371] +- Update signing certificate [JIRA: OLDIS-16371] +- fix SBAT data [JIRA: OLDIS-16371] +- Update requires [JIRA: OLDIS-16371] +- Rebuild for SecureBoot signatures [Orabug: 33801813] +- Do not add shim and grub certificate deps for aarch64 packages [Orabug: 32670033] +- Update Oracle SBAT data [Orabug: 32670033] +- Use new signing certificate [Orabug: 32670033] +- honor /etc/sysconfig/kernel DEFAULTKERNEL setting for BLS [Orabug: 30643497] +- set EFIDIR as redhat for additional grub2 tools [Orabug: 29875597] +- Update upstream references [Orabug: 26388226] +- Insert Unbreakable Enterprise Kernel text into BLS config file [Orabug: 29417955] +- Put "with" in menuentry instead of "using" [Orabug: 18504756] +- Use different titles for UEK and RHCK kernels [Orabug: 18504756] + +* Thu Feb 20 2025 Nicolas Frayer 2.06-94 + - CVE fixes + - Resolves: CVE-2025-0624 + - Resolves: #RHEL-79842 + * Wed Oct 16 2024 Nicolas Frayer 2.06-93 - cmd/search: Fix a possible NULL ptr dereference - Resolves: #RHEL-61263 
From e542637ec62b0090753a08a527f928eeb6fadb6f Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 19 Mar 2025 14:52:06 +0300 Subject: [PATCH 2/2] Revert OL changes --- SOURCES/20-grub.install | 18 ++++---- ...18504756-use-different-title-for-UEK.patch | 30 -------------- ...bug26388226-update-redhat-references.patch | 25 ----------- SOURCES/grub.macros | 11 ++--- SOURCES/grub.patches | 2 - SOURCES/sbat.csv.in | 1 - SPECS/grub2.spec | 41 +++---------------- 7 files changed, 16 insertions(+), 112 deletions(-) delete mode 100644 SOURCES/bug18504756-use-different-title-for-UEK.patch delete mode 100644 SOURCES/bug26388226-update-redhat-references.patch diff --git a/SOURCES/20-grub.install b/SOURCES/20-grub.install index 67d6895..a3f1b18 100755 --- a/SOURCES/20-grub.install +++ b/SOURCES/20-grub.install @@ -6,7 +6,6 @@ fi [[ -f /etc/default/grub ]] && . /etc/default/grub [[ -f /etc/os-release ]] && . /etc/os-release -[[ -f /etc/sysconfig/kernel ]] && . /etc/sysconfig/kernel COMMAND="$1" KERNEL_VERSION="$2" 
@@ -42,14 +41,8 @@ mkbls() { fi fi - if [[ $kernelver =~ uek ]]; then - local ver_stanza="$kernelver with Unbreakable Enterprise Kernel" - else - local ver_stanza="$kernelver" - fi - cat < -Date: Tue, 18 Dec 2018 13:22:12 -0800 -Subject: [PATCH 1/1] Use different menuentries for UEK kernel - ---- - util/grub.d/10_linux.in | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in -index b54d277..fe8b20f 100644 ---- a/util/grub.d/10_linux.in -+++ b/util/grub.d/10_linux.in -@@ -173,7 +173,12 @@ EOF - fi - - if [ x$type != xsimple ] ; then -- title=$(mktitle "$type" "$version") -+ if echo "$version" | grep -q uek; then -+ kernel_type_text="with Unbreakable Enterprise Kernel" -+ else -+ kernel_type_text="with Linux" -+ fi -+ title=$(mktitle "$type" "$version $kernel_type_text") - if [ x"$title" = x"$GRUB_ACTUAL_DEFAULT" ] || [ x"Previous Linux versions>$title" = x"$GRUB_ACTUAL_DEFAULT" ]; then - replacement_title="$(echo "Advanced options for ${OS}" | sed 's,>,>>,g')>$(echo "$title" | sed 's,>,>>,g')" - quoted="$(echo "$GRUB_ACTUAL_DEFAULT" | grub_quote)" --- -1.8.3.1 - diff --git a/SOURCES/bug26388226-update-redhat-references.patch b/SOURCES/bug26388226-update-redhat-references.patch deleted file mode 100644 index 8e90b0b..0000000 --- a/SOURCES/bug26388226-update-redhat-references.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From aba9976ce324fdf845b04b326f7426566a676335 Mon Sep 17 00:00:00 2001 -From: "livy.ge" -Date: Wed, 5 Jul 2017 03:53:48 -0700 -Subject: [PATCH] update bug url - ---- - util/grub-set-password.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/util/grub-set-password.in b/util/grub-set-password.in -index 6553eaa..03731d5 100644 ---- a/util/grub-set-password.in -+++ b/util/grub-set-password.in -@@ -21,7 +21,7 @@ located by default at ${grubdir}. - -v, --version print the version information and exit - -o, --output_path put user.cfg in a user-selected directory - --Report bugs at https://bugzilla.redhat.com. -+Report bugs at https://github.com/oracle/oracle-linux . - EOF - } - --- -2.43.5 - diff --git a/SOURCES/grub.macros b/SOURCES/grub.macros index ff4fe67..966c079 100755 --- a/SOURCES/grub.macros +++ b/SOURCES/grub.macros @@ -216,7 +216,7 @@ %ifarch x86_64 %global with_efi_common 1 -%global with_legacy_modules 1 +%global with_legacy_modules 0 %global with_legacy_common 0 %else %global with_efi_common 0 @@ -274,11 +274,6 @@ Requires: %{name}-common = %{evr} \ Requires: %{name}-tools-minimal >= %{evr} \ Requires: %{name}-tools = %{evr} \ Provides: %{name}-efi = %{evr} \ -Provides: oracle(grub2-sig-key) = 202204 \ -%{expand:%%ifarch x86_64 \ -Conflicts: shim-x64 <= 15.3-1.0.5.el9 \ -Conflicts: shim-ia32 <= 15.3-1.0.5.el9 \ -%%endif} \ %{?legacy_provides:Provides: %{name} = %{evr}} \ %{-o:Obsoletes: %{name}-efi < %{evr}} \ \ @@ -377,7 +372,7 @@ install -m 644 %{1}.conf ${RPM_BUILD_ROOT}/etc/dnf/protected.d/ \ rm -f %{1}.conf \ %{nil} -%global grub_modules " all_video boot blscfg btrfs \\\ +%global grub_modules " all_video boot blscfg \\\ cat configfile cryptodisk \\\ echo ext2 f2fs fat font \\\ gcry_rijndael gcry_rsa gcry_serpent \\\ 
@@ -392,7 +387,7 @@ rm -f %{1}.conf \ search_label serial sleep syslinuxcfg \\\ test tftp version video xfs zstd " \ -%ifarch x86_64 aarch64 %{arm} +%ifarch x86_64 aarch64 %{arm} riscv64 %define efi_mkimage() \ %{4}./grub-mkimage -O %{1} -o %{2}.orig \\\ -p /EFI/%{efi_vendor} -d grub-core \\\ diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches index b95479e..c0ee4f6 100644 --- a/SOURCES/grub.patches +++ b/SOURCES/grub.patches @@ -352,5 +352,3 @@ Patch0351: 0351-arm64-Use-proper-memory-type-for-kernel-allocation.patch Patch0352: 0352-cmd-search-Fix-a-possible-NULL-ptr-dereference.patch Patch0353: 0353-net-Fix-OOB-write-in-grub_net_search_config_file.patch Patch0354: 0354-misc-Implement-grub_strlcpy.patch -Patch1000: bug18504756-use-different-title-for-UEK.patch -Patch1001: bug26388226-update-redhat-references.patch \ No newline at end of file diff --git a/SOURCES/sbat.csv.in b/SOURCES/sbat.csv.in index 139cfad..b338b5f 100755 --- a/SOURCES/sbat.csv.in +++ b/SOURCES/sbat.csv.in @@ -1,4 +1,3 @@ sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md grub,3,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/ grub.rh,2,Red Hat,grub2,@@VERSION_RELEASE@@,mailto:secalert@redhat.com -grub.ol9,3,Oracle Linux,grub2,@@VERSION@@,mail:secalert_us@oracle.com diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec index bae70ef..a7183f6 100644 --- a/SPECS/grub2.spec +++ b/SPECS/grub2.spec @@ -16,7 +16,7 @@ Name: grub2 Epoch: 1 Version: 2.06 -Release: 94.0.1%{?dist} +Release: 94%{?dist} Summary: Bootloader with support for Linux, Multiboot and more License: GPLv3+ URL: http://www.gnu.org/software/grub/ 
@@ -38,21 +38,21 @@ Source12: sbat.csv.in %include %{SOURCE1} %ifarch x86_64 aarch64 ppc64le -%define sb_ca %{SOURCE14} -%define sb_cer %{SOURCE14} +%define sb_ca %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer +%define sb_cer %{_datadir}/pki/sb-certs/secureboot-grub2-%{_arch}.cer %endif %if 0%{?centos} %ifarch x86_64 aarch64 ppc64le -%define sb_key OracleSecureBootgrubsigningkey2 +%define sb_key centossecureboot202 %endif %else %ifarch x86_64 aarch64 -%define sb_key OracleSecureBootgrubsigningkey2 +%define sb_key redhatsecureboot502 %endif %ifarch ppc64le -%define sb_key OracleSecureBootgrubsigningkey2 +%define sb_key redhatsecureboot702 %endif %endif 
@@ -547,35 +547,6 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg %endif %changelog -* Mon Mar 17 2025 Alex Burmashev - 2.06-94.0.1 -- Rework the scripts to cover both in-place upgrade and update scenarios [Orabug: 36768566] -- Restore correct order of processing config files [Orabug: 36758359] -- Support setting custom kernels as default kernels [Orabug: 36043978] -- Bump SBAT metadata for grub to 3 [Orabug: 34872719] -- Fix CVE-2022-3775 [Orabug: 34871953] -- Enable signing for aarch64 EFI -- Fix signing certificate names -- Enable back btrfs grub module for EFI pre-built image [Orabug: 34360986] -- Replaced bugzilla.oracle.com references [Orabug: 34202300] -- Update provided certificate version to 202204 [JIRA: OLDIS-16371] -- Various coverity fixes [JIRA: OLDIS-16371] -- bump SBAT generation -- Update bug url [Orabug: 34202300] -- Revert provided certificate version back to 202102 [JIRA: OLDIS-16371] -- Update signing certificate [JIRA: OLDIS-16371] -- fix SBAT data [JIRA: OLDIS-16371] -- Update requires [JIRA: OLDIS-16371] -- Rebuild for SecureBoot signatures [Orabug: 33801813] -- Do not add shim and grub certificate deps for aarch64 packages [Orabug: 32670033] -- Update Oracle SBAT data [Orabug: 32670033] -- Use new signing certificate [Orabug: 32670033] -- honor /etc/sysconfig/kernel DEFAULTKERNEL setting for BLS [Orabug: 30643497] -- set EFIDIR as redhat for additional grub2 tools [Orabug: 29875597] -- Update upstream references [Orabug: 26388226] -- Insert Unbreakable Enterprise Kernel text into BLS config file [Orabug: 29417955] -- Put "with" in menuentry instead of "using" [Orabug: 18504756] -- Use different titles for UEK and RHCK kernels [Orabug: 18504756] - * Thu Feb 20 2025 Nicolas Frayer 2.06-94 - CVE fixes - Resolves: CVE-2025-0624