grub2: fix CVE-2020-15707

Fixes a heap-based buffer overflow.

Upgrade to the following package to fix the CVE:
 grub2-2.02-0.86.el7.centos.src.rpm

At the same time, refresh the patch context and drop
0004-grub2-remove-32b-requirements.patch, since its change is already
included in the new version.

Story: 2008532
Task: 41664
Change-Id: I7943127323ee28457ffe0a4ece54764633f86d9f
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Zhixiong Chi 2021-01-25 03:49:38 -05:00
parent d6a07b92eb
commit a0b2acecaa
10 changed files with 24 additions and 41 deletions


@ -3,7 +3,7 @@ cloud-init-0.7.9-24.el7.centos.1.src.rpm
dhcp-4.2.5-68.el7.centos.1.src.rpm
dnsmasq-2.76-7.el7.src.rpm
facter-2.4.4-4.el7.src.rpm
grub2-2.02-0.76.el7.centos.src.rpm
grub2-2.02-0.86.el7.centos.src.rpm
grubby-8.28-25.el7.src.rpm
haproxy-1.5.18-8.el7.src.rpm
initscripts-9.49.46-1.el7.src.rpm


@ -15,8 +15,8 @@ index 12d34ad..88c6c09 100644
Name: grub2
Epoch: 1
Version: 2.02
-Release: 0.76%{?dist}%{?buildid}
+Release: 0.76.el7.centos%{?_tis_dist}.%{tis_patch_ver}
-Release: 0.86%{?dist}%{?buildid}
+Release: 0.86.el7.centos%{?_tis_dist}.%{tis_patch_ver}
Summary: Bootloader with support for Linux, Multiboot and more
Group: System Environment/Base
License: GPLv3+


@ -1,16 +0,0 @@
diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec
index 11f6b0e..613f2e1 100644
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@@ -49,11 +49,6 @@ BuildRequires: /usr/lib64/crt1.o glibc-static glibc-devel
BuildRequires: /usr/lib64/crt1.o glibc-static(x86-64) glibc-devel(x86-64)
# glibc32 is what will be in the buildroots, but glibc-static(x86-32) is what
# will be in an epel-7 (i.e. centos) mock root. I think.
-%if 0%{?centos}%{?mock}
-BuildRequires: /usr/lib/crt1.o glibc-static(x86-32) glibc-devel(x86-32)
-%else
-BuildRequires: /usr/lib/crt1.o glibc32
-%endif
%else
# ppc64 builds need the ppc crt1.o
BuildRequires: /usr/lib/crt1.o glibc-static glibc-devel


@ -11,10 +11,10 @@ diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches
index bac4594..d7475f0 100644
--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@@ -286,3 +286,4 @@ Patch0285: 0285-editenv-handle-relative-symlinks.patch
Patch0286: 0286-efinet-also-use-the-firmware-acceleration-for-http.patch
Patch0287: 0287-Make-root_url-reflect-the-protocol-hostname-of-our-b.patch
Patch0289: 0288-efi-uga-Fix-PCIe-LER-when-GRUB2-accesses-non-enabled.patch
@@ -332,3 +332,4 @@ Patch0285: 0285-editenv-handle-relative-symlinks.patch
Patch0332: 0332-linux-loader-avoid-overflow-on-initrd-size-calculati.patch
Patch0333: 0333-linuxefi-fail-kernel-validation-without-shim-protoco.patch
Patch0334: 0334-linux-Fix-integer-overflows-in-initrd-size-handling.patch
+Patch1000: 1000_linux-mktitle-de-brand-the-grub.cfg-menu.patch
--
2.7.4


@ -16,10 +16,10 @@ index 075727c..5581deb 100644
%{desc} \
This subpackage provides optional components of grub used with removeable media on %{1} systems.\
+ \
+%package %{1}-unsigned \
+%{expand:%%package %{1}-unsigned} \
+Summary: Unsigned versions of GRUB EFI binaries \
+ \
+%description %{1}-unsigned \
+%{expand:%%description %{1}-unsigned} \
+This package contains unsigned version of GRUB EFI binaries. \
+ \
%{nil}
@ -31,9 +31,9 @@ index 075727c..5581deb 100644
-p /EFI/BOOT -d grub-core ${GRUB_MODULES} \
+cp %{2}.orig %{2}.unsigned \
+cp %{3}.orig %{3}.unsigned \
%{expand:%%{pesign -s -i %{2}.orig -o %{2} -a %{5} -c %{6} -n %{7}}} \
%{expand:%%{pesign -s -i %{3}.orig -o %{3} -a %{5} -c %{6} -n %{7}}} \
%{nil}
%{expand:%%{pesign -s -i %{2}.orig -o %{2}.one -a %{5} -c %{6} -n %{7}}} \
%{expand:%%{pesign -s -i %{3}.orig -o %{3}.one -a %{5} -c %{6} -n %{7}}} \
%{expand:%%{pesign -s -i %{2}.one -o %{2} -a %{8} -c %{9} -n %{10}}} \
@@ -403,6 +412,8 @@ find $RPM_BUILD_ROOT -iname "*.module" -exec chmod a-x {} '\;' \
touch $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/grub.cfg \
ln -sf ../boot/efi/EFI/%{efidir}/grub.cfg \\\
@ -45,8 +45,8 @@ index 075727c..5581deb 100644
install -D -m 700 unicode.pf2 \\\
@@ -490,4 +501,8 @@ cd .. \
%defattr(-,root,root,-) \
%attr(0700,root,root)/boot/efi/EFI/%{efidir}/%{3} \
%attr(0700,root,root)/boot/efi/EFI/%{efidir}/fonts \
%verify(not mtime) %attr(0700,root,root)/boot/efi/EFI/%{efidir}/%{3} \
%verify(not mtime) %attr(0700,root,root)/boot/efi/EFI/%{efidir}/fonts \
+ \
+%{expand:%%files %{1}-unsigned} \
+/boot/efi/EFI/%{efidir}/%{grubefiname}.unsigned \
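Review bot: The `%files %{1}-unsigned` section at the end of this hunk lists `/boot/efi/EFI/%{efidir}/%{grubefiname}.unsigned` with no `%defattr`/`%attr`, while the signed loader and fonts just above it are `%attr(0700,root,root)` (and, in the refreshed context, `%verify(not mtime)`); `%defattr` does not carry across `%files` sections, so the unsigned binary presumably ends up packaged with whatever mode the build root gives it. For consistency with the signed entries I would add `+%defattr(-,root,root,-) \` and `+%verify(not mtime) %attr(0700,root,root)/boot/efi/EFI/%{efidir}/%{grubefiname}.unsigned \`. These lines predate this commit (only the `%verify` context lines are refreshed here), so this may belong in a follow-up, but it is also worth confirming that an unsigned copy of the loader is intended to land on the ESP next to the signed one — shim should refuse it under Secure Boot, yet it is a loader that skips signature checks for anything booting without Secure Boot. The enclosing macro definition starts and ends outside this hunk.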


@ -12,13 +12,13 @@ index 5581deb..9ef91d6 100644
--- a/SOURCES/grub.macros
+++ b/SOURCES/grub.macros
@@ -242,6 +242,13 @@ Summary: Unsigned versions of GRUB EFI binaries \
%description %{1}-unsigned \
%{expand:%%description %{1}-unsigned} \
This package contains unsigned version of GRUB EFI binaries. \
\
+%package %{1}-pxeboot \
+%{expand:%%package %{1}-pxeboot} \
+Summary: PXE bootable GRUB EFI binaries \
+ \
+%description %{1}-pxeboot \
+%{expand:%%description %{1}-pxeboot} \
+This package contains the version of EFI GRUB that is served by the pxeboot \
+server \
+ \


@ -28,16 +28,16 @@ index 9ef91d6..ffdd23c 100644
video xfs" \
GRUB_MODULES+=%{efi_modules} \
+GRUB_MODULES+=%{wrs_modules} \
%{expand:%%{mkimage %{1} %{2} %{3} %{4} %{5} %{6} %{7}}} \
%{expand:%%{mkimage %{1} %{2} %{3} %{4} %{5} %{6} %{7} %{8} %{9} %{10}}} \
%{nil}
diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches
index d7475f0..e24bd8c 100644
--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@@ -287,3 +287,4 @@ Patch0286: 0286-efinet-also-use-the-firmware-acceleration-for-http.patch
Patch0287: 0287-Make-root_url-reflect-the-protocol-hostname-of-our-b.patch
Patch0289: 0288-efi-uga-Fix-PCIe-LER-when-GRUB2-accesses-non-enabled.patch
@@ -333,3 +334,4 @@ Patch0286: 0286-efinet-also-use-the-firmware-acceleration-for-http.patch
Patch0333: 0333-linuxefi-fail-kernel-validation-without-shim-protoco.patch
Patch0334: 0334-linux-Fix-integer-overflows-in-initrd-size-handling.patch
Patch1000: 1000_linux-mktitle-de-brand-the-grub.cfg-menu.patch
+Patch1001: 1001-add-tboot.patch
--


@ -29,8 +29,8 @@ diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches
index e24bd8c..73ccdee 100644
--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@@ -288,3 +288,5 @@ Patch0287: 0287-Make-root_url-reflect-the-protocol-hostname-of-our-b.patch
Patch0289: 0288-efi-uga-Fix-PCIe-LER-when-GRUB2-accesses-non-enabled.patch
@@ -334,3 +334,5 @@ Patch0287: 0287-Make-root_url-reflect-the-protocol-hostname-of-our-b.patch
Patch0334: 0334-linux-Fix-integer-overflows-in-initrd-size-handling.patch
Patch1000: 1000_linux-mktitle-de-brand-the-grub.cfg-menu.patch
Patch1001: 1001-add-tboot.patch
+Patch1002: 1002-Don-t-write-trailing-colon-when-populating-MAC-strin.patch


@ -1,7 +1,6 @@
0001-grub2-Update-package-versioning-for-TIS-format.patch
0002-grub2-fix-cflags.patch
0003-grub2-remove-debug-pkgs.patch
0004-grub2-remove-32b-requirements.patch
0005-grub2-remove-32b-build.patch
0006-grub2-ship-lst-files.patch
0007-1000_linux-mktitle-de-brand-the-grub.cfg-menu.patch


@ -1 +1 @@
mirror:Source/grub2-2.02-0.76.el7.centos.src.rpm
mirror:Source/grub2-2.02-0.86.el7.centos.src.rpm