Debrand for AlmaLinux

Build btrfs module
This commit is contained in:
Eduard Abdullin 2026-03-18 10:46:26 +00:00 committed by root
commit 54d86586d8
7 changed files with 81 additions and 119 deletions

2
.gitignore vendored
View File

@ -1,4 +1,6 @@
gnulib-9f48fb992a3d7e96610c4ce8be969cff2d61a01b.tar.gz
grub-2.12.tar.xz
oraclegrubcer.cer
securebootca.cer
theme.tar.bz2
unifont-13.0.06.pcf.gz

View File

@ -0,0 +1,62 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alec Brown <alec.r.brown@oracle.com>
Date: Thu, 21 Aug 2025 21:14:06 +0000
Subject: [PATCH] gettext/gettext: Unregister gettext command on module unload
When the gettext module is loaded, the gettext command is registered but
isn't unregistered when the module is unloaded. We need to add a call to
grub_unregister_command() when unloading the module.
Fixes: CVE-2025-61662
Reported-by: Alec Brown <alec.r.brown@oracle.com>
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/gettext/gettext.c | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
index fffe3a05488b..1ca152ddd938 100644
--- a/grub-core/gettext/gettext.c
+++ b/grub-core/gettext/gettext.c
@@ -509,6 +509,8 @@ grub_cmd_translate (grub_command_t cmd __attribute__ ((unused)),
return 0;
}
+static grub_command_t cmd;
+
GRUB_MOD_INIT (gettext)
{
const char *lang;
@@ -528,13 +530,14 @@ GRUB_MOD_INIT (gettext)
grub_register_variable_hook ("locale_dir", NULL, read_main);
grub_register_variable_hook ("secondary_locale_dir", NULL, read_secondary);
- grub_register_command_p1 ("gettext", grub_cmd_translate,
- N_("STRING"),
- /* TRANSLATORS: It refers to passing the string through gettext.
- So it's "translate" in the same meaning as in what you're
- doing now.
- */
- N_("Translates the string with the current settings."));
+ cmd = grub_register_command_p1 ("gettext", grub_cmd_translate,
+ N_("STRING"),
+ /*
+ * TRANSLATORS: It refers to passing the string through gettext.
+ * So it's "translate" in the same meaning as in what you're
+ * doing now.
+ */
+ N_("Translates the string with the current settings."));
/* Reload .mo file information if lang changes. */
grub_register_variable_hook ("lang", NULL, grub_gettext_env_write_lang);
@@ -551,6 +554,8 @@ GRUB_MOD_FINI (gettext)
grub_register_variable_hook ("secondary_locale_dir", NULL, NULL);
grub_register_variable_hook ("lang", NULL, NULL);
+ grub_unregister_command (cmd);
+
grub_gettext_delete_list (&main_context);
grub_gettext_delete_list (&secondary_context);

View File

@ -1,66 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: James Le Cuirot <jlecuirot@microsoft.com>
Date: Thu, 24 Oct 2024 14:42:46 +0100
Subject: [PATCH] script/execute: Don't let trailing blank lines determine the
return code
grub_script_execute_sourcecode() parses and executes code one line at a
time, updating the return code each time because only the last line
determines the final status. However, trailing new lines were also
executed, masking any failure on the previous line. Fix this by only
trying to execute the command when there is actually one present.
This has presumably never been noticed because this code is not used by
regular functions, only in special cases like eval and menu entries. The
latter generally don't return at all, having booted an OS. When failing
to boot, upstream GRUB triggers the fallback mechanism regardless of the
return code.
We noticed the problem while using Red Hat's patches, which change this
behaviour to take account of the return code. In that case, a failure
takes you back to the menu rather than triggering a fallback.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
---
grub-core/script/execute.c | 5 ++++-
tests/grub_script_eval.in | 10 +++++++++-
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
index 014132703..3d26a3fe4 100644
--- a/grub-core/script/execute.c
+++ b/grub-core/script/execute.c
@@ -952,7 +952,10 @@ grub_script_execute_sourcecode (const char *source)
break;
}
- ret = grub_script_execute (parsed_script);
+ /* Don't let trailing blank lines determine the return code. */
+ if (parsed_script->cmd)
+ ret = grub_script_execute (parsed_script);
+
grub_script_free (parsed_script);
grub_free (line);
}
diff --git a/tests/grub_script_eval.in b/tests/grub_script_eval.in
index c97b78d77..9c6211042 100644
--- a/tests/grub_script_eval.in
+++ b/tests/grub_script_eval.in
@@ -3,4 +3,12 @@
eval echo "Hello world"
valname=tst
eval $valname=hi
-echo $tst
\ No newline at end of file
+echo $tst
+
+if eval "
+false
+"; then
+ echo should have failed
+else
+ echo failed as expected
+fi
--
2.48.1

View File

@ -1,45 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: James Le Cuirot <jlecuirot@microsoft.com>
Date: Thu, 24 Oct 2024 15:00:26 +0100
Subject: [PATCH] normal/menu: Check return code of the script when executing a
menu entry
Don't rely on grub_errno here because grub_script_execute_new_scope()
calls grub_print_error(), which always resets grub_errno back to
GRUB_ERR_NONE. It may also get reset by grub_wait_after_message().
This problem was observed when a "bad signature" error resulted in the
menu being redisplayed rather than the fallback mechanism being
triggered, although another change was also needed to fix it. This only
happens with Red Hat's patches because upstream GRUB triggers the
fallback mechanism regardless of the return code.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
---
grub-core/normal/menu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c
index 97687013c..a2703dabb 100644
--- a/grub-core/normal/menu.c
+++ b/grub-core/normal/menu.c
@@ -377,14 +377,14 @@ grub_menu_execute_entry(grub_menu_entry_t entry, int auto_boot)
if (ptr && ptr[0] && ptr[1])
grub_env_set ("default", ptr + 1);
- grub_script_execute_new_scope (entry->sourcecode, entry->argc, entry->args);
+ err = grub_script_execute_new_scope (entry->sourcecode, entry->argc, entry->args);
if (errs_before != grub_err_printed_errors)
grub_wait_after_message ();
errs_before = grub_err_printed_errors;
- if (grub_errno == GRUB_ERR_NONE && grub_loader_is_loaded ())
+ if (err == GRUB_ERR_NONE && grub_loader_is_loaded ())
/* Implicit execution of boot, only if something is loaded. */
err = grub_command_execute ("boot", 0, 0);
--
2.48.1

View File

@ -367,5 +367,4 @@ Patch0367: 0367-Use-medany-instead-of-large-model-for-RISCV.patch
Patch0368: 0368-10_linux.in-escape-kernel-option-characters-properly.patch
Patch0369: 0369-blscfg-check-if-variable-is-escaped-before-consideri.patch
Patch0370: 0370-Set-correctly-the-memory-attributes-for-the-kernel-P.patch
Patch0371: 0371-script-execute-Don-t-let-trailing-blank-lines-determ.patch
Patch0372: 0372-normal-menu-Check-return-code-of-the-script-when-exe.patch
Patch0371: 0371-gettext-gettext-Unregister-gettext-command-on-module.patch

View File

@ -17,7 +17,7 @@
Name: grub2
Epoch: 1
Version: 2.12
Release: 29%{?dist}.alma.1
Release: 29%{?dist}.2.alma.1
Summary: Bootloader with support for Linux, Multiboot and more
License: GPL-3.0-or-later
URL: http://www.gnu.org/software/grub/
@ -44,7 +44,7 @@ Source13: gen_grub_cfgstub
%define sb_cer %{_datadir}/pki/sb-certs/secureboot-grub2-%{_arch}.cer
%endif
%define sb_key almalinuxsecurebootca0
%define sb_key almalinuxsecureboot0
BuildRequires: autoconf
BuildRequires: automake
@ -565,13 +565,21 @@ fi
%endif
%changelog
* Fri Nov 14 2025 Eduard Abdullin <eabdullin@almalinux.org> - 1:2.12-29.alma.1
* Wed Mar 18 2026 Eduard Abdullin <eabdullin@almalinux.org> - 1:2.12-29.2.alma.1
- Debrand for AlmaLinux
- Build btrfs module
* Mon Sep 08 2025 Leo Sandoval <lsandova@redhat.com> 2.12-29
- Fix the fallback mechanism when menu entries fail to boot
- Resolves: RHEL-113024
* Tue Mar 03 2026 Nicolas Frayer <nfrayer@redhat.com> - 2.12-29.2
- Try to get gating tests running via fmf/tmt
- Resolves: #RHEL-152849
* Thu Feb 19 2026 Therese Cornell <tcornell@redhat.com> - 2.12-29.1
- Fixes CVE-2025-61662 Missing unregister call for gettext command may lead to use-after-free
- Resolves: #RHEL-141580
* Wed Oct 8 2025 Nicolas Frayer <nfrayer@redhat.com> 2.12-29
- spec: Update signing key to redhatsecureboot802
- Resolves: #RHEL-116730
* Thu Aug 21 2025 Leo Sandoval <lsandova@redhat.com> 2.12-28
- Remove strong stack protector on target CFLAGS

View File

@ -1,4 +1,6 @@
SHA512 (gnulib-9f48fb992a3d7e96610c4ce8be969cff2d61a01b.tar.gz) = 6887dede2d4a403422ea045329ee9bd7ca4c1561bcaf39e805e1d1ce8f4c050a65ce286e7d8362fb8e815b5fab0b405730a3f93194e343e2aedcf9b4411a285e
SHA512 (grub-2.12.tar.xz) = 761c060a4c3da9c0e810b0ea967e3ebc66baa4ddd682a503ae3d30a83707626bccaf49359304a16b3a26fc4435fe6bea1ee90be910c84de3c2b5485a31a15be3
SHA512 (oraclegrubcer.cer) = 45d6ba3ae6f640fe7c26836e697085b12b39b2aee41ae5c474f00aa68a40d7c0380206f81eab8fc784298e82f8a4d268c38eb3ae9e3c3e80dbabcfc3857c66f3
SHA512 (securebootca.cer) = f8ef4b87e610b07ef53bcde253469b5316d9ba128357123246c64e4468c13f329d42187503908201d67168e61e5ce5e8a969935087b9bda38eee85d306561050
SHA512 (theme.tar.bz2) = 0f6f914d5f801509403094b28b8cfe5169cb56ae9bdd808ae21a6780a8236b434161a068351508dd78729c25ee2fed066c124c1eef9e15102750b409b4576a5c
SHA512 (unifont-13.0.06.pcf.gz) = 25f1ea4e316cd77b65cf4f60aa10ed054db6df2195be7344216673dee6628ab055ebcdeea186996d931fd1e9e4f519f4a2e4b4544b8a9ad2fe410aadc4eecd2d