diff --git a/SOURCES/0481-gettext-gettext-Unregister-gettext-command-on-module.patch b/SOURCES/0481-gettext-gettext-Unregister-gettext-command-on-module.patch new file mode 100644 index 0000000..89741a1 --- /dev/null +++ b/SOURCES/0481-gettext-gettext-Unregister-gettext-command-on-module.patch @@ -0,0 +1,62 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Alec Brown +Date: Thu, 21 Aug 2025 21:14:06 +0000 +Subject: [PATCH] gettext/gettext: Unregister gettext command on module unload + +When the gettext module is loaded, the gettext command is registered but +isn't unregistered when the module is unloaded. We need to add a call to +grub_unregister_command() when unloading the module. + +Fixes: CVE-2025-61662 + +Reported-by: Alec Brown +Signed-off-by: Alec Brown +Reviewed-by: Daniel Kiper +--- + grub-core/gettext/gettext.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c +index 0e51b5d28ad0..92e91b35e87f 100644 +--- a/grub-core/gettext/gettext.c ++++ b/grub-core/gettext/gettext.c +@@ -509,6 +509,8 @@ grub_cmd_translate (grub_command_t cmd __attribute__ ((unused)), + return 0; + } + ++static grub_command_t cmd; ++ + GRUB_MOD_INIT (gettext) + { + const char *lang; +@@ -528,13 +530,14 @@ GRUB_MOD_INIT (gettext) + grub_register_variable_hook ("locale_dir", NULL, read_main); + grub_register_variable_hook ("secondary_locale_dir", NULL, read_secondary); + +- grub_register_command_p1 ("gettext", grub_cmd_translate, +- N_("STRING"), +- /* TRANSLATORS: It refers to passing the string through gettext. +- So it's "translate" in the same meaning as in what you're +- doing now. +- */ +- N_("Translates the string with the current settings.")); ++ cmd = grub_register_command_p1 ("gettext", grub_cmd_translate, ++ N_("STRING"), ++ /* ++ * TRANSLATORS: It refers to passing the string through gettext. ++ * So it's "translate" in the same meaning as in what you're ++ * doing now. ++ */ ++ N_("Translates the string with the current settings.")); + + /* Reload .mo file information if lang changes. */ + grub_register_variable_hook ("lang", NULL, grub_gettext_env_write_lang); +@@ -551,6 +554,8 @@ GRUB_MOD_FINI (gettext) + grub_register_variable_hook ("secondary_locale_dir", NULL, NULL); + grub_register_variable_hook ("lang", NULL, NULL); + ++ grub_unregister_command (cmd); ++ + grub_gettext_delete_list (&main_context); + grub_gettext_delete_list (&secondary_context); + diff --git a/SOURCES/20-grub.install b/SOURCES/20-grub.install index 30e5d5b..492c9ac 100755 --- a/SOURCES/20-grub.install +++ b/SOURCES/20-grub.install @@ -173,12 +173,6 @@ case "$COMMAND" in ;; remove) - # If the boot entry type is type2, we are not removing the BLS entry - if [[ "x${KERNEL_INSTALL_BOOT_ENTRY_TYPE}" = "xtype2" ]]; then - [ "${KERNEL_INSTALL_VERBOSE}" -gt 0 ] && echo "The boot entry type is type2. Skip removing BLS entry." - exit 0 - fi - if [[ "x${GRUB_ENABLE_BLSCFG}" = "xtrue" ]] || [[ ! -f /sbin/new-kernel-pkg ]]; then BLS_TARGET="${BLS_DIR}/${MACHINE_ID}-${KERNEL_VERSION}.conf" BLS_FAKE_TARGET="${BLS_DIR}/ffffffffffffffffffffffffffffffff-${KERNEL_VERSION}.conf" diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches index 87b04a7..aa2dbd1 100644 --- a/SOURCES/grub.patches +++ b/SOURCES/grub.patches @@ -476,4 +476,5 @@ Patch0476: 0476-efi-Add-efitextmode-command-for-getting-setting-the-.patch Patch0477: 0477-10_linux.in-escape-kernel-option-characters-properly.patch Patch0478: 0478-blscfg-check-if-variable-is-escaped-before-consideri.patch Patch0479: 0479-osdep-linux-getroot-Detect-DDF-container-similar-to-.patch -Patch0480: 0480-Set-correctly-the-memory-attributes-for-the-kernel-P.patch \ No newline at end of file +Patch0480: 0480-Set-correctly-the-memory-attributes-for-the-kernel-P.patch +Patch0481: 0481-gettext-gettext-Unregister-gettext-command-on-module.patch \ No newline at end of file diff --git a/SOURCES/sbat.csv.in b/SOURCES/sbat.csv.in index 972ba20..b52bb95 100755 --- a/SOURCES/sbat.csv.in +++ b/SOURCES/sbat.csv.in @@ -1,5 +1,5 @@ sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md grub,5,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/ grub.rh,2,Red Hat,grub2,@@RHEL_VERSION_RELEASE@@,mailto:secalert@redhat.com +grub.centos,2,Red Hat,grub2,@@RHEL_VERSION_RELEASE@@,mailto:secalert@redhat.com grub.almalinux,2,AlmaLinux,grub2,@@VERSION_RELEASE@@,mailto:security@almalinux.org -grub.centos,2,Red Hat,grub2,@@VERSION_RELEASE@@,mailto:secalert@redhat.com diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec index c5d1be9..07363b2 100644 --- a/SPECS/grub2.spec +++ b/SPECS/grub2.spec @@ -16,7 +16,7 @@ Name: grub2 Epoch: 1 Version: 2.06 -Release: 114%{?dist}.alma.1 +Release: 114%{?dist}.1.alma.1 Summary: Bootloader with support for Linux, Multiboot and more License: GPLv3+ URL: http://www.gnu.org/software/grub/ @@ -43,7 +43,7 @@ Source13: gen_grub_cfgstub %define sb_cer %{_datadir}/pki/sb-certs/secureboot-grub2-%{_arch}.cer %endif -%define sb_key almalinuxsecurebootca0 +%define sb_key almalinuxsecureboot0 BuildRequires: gcc efi-srpm-macros @@ -529,12 +529,16 @@ fi %endif %changelog -* Tue Nov 11 2025 Eduard Abdullin - 1:2.06-114.alma.1 +* Thu Mar 19 2026 Eduard Abdullin - 1:2.06-114.1.alma.1 - Debrand for AlmaLinux -* Thu Aug 28 2025 Leo Sandoval 2.06-114 -- 20-grub.install: Skip BLS removal when entry type is type2 -- Resolves: #RHEL-108008 +* Thu Feb 19 2026 Therese Cornell - 2.06-114.1 +- Fixes CVE-2025-61662 Missing unregister call for gettext command may lead to use-after-free +- Resolves: #RHEL-141593 + +* Wed Oct 8 2025 Nicolas Frayer 2.06-114 +- spec: Update signing key to redhatsecureboot802 +- Resolves: #RHEL-116729 * Thu Aug 7 2025 Nicolas Frayer 2.06-113 - sbat: add new sbat entry for centos