Porting patches from grub2_2.06-3~deb11u1 to fix below CVEs:
CVE-2021-3695
CVE-2021-3696
CVE-2021-3697
CVE-2022-28733
CVE-2022-28734
The source code of grub2_2.06-3~deb11u1 is from:
https://snapshot.debian.org/archive/debian/20220807T030023Z/pool
/main/g/grub2/grub2_2.06-3~deb11u1.debian.tar.xz
The relationship between commits and CVEs is as below:
(1)CVE-2021-3695
commit <video/readers/png: Drop greyscale support to fix heap
out-of-bounds write>
(2)CVE-2021-3696
commit <video/readers/png: Avoid heap OOB R/W inserting huff table items>
(3)CVE-2021-3697
commit <video/readers/jpeg: Block int underflow -> wild pointer write>
(4)CVE-2022-28733
commit <net/ip: Do IP fragment maths safely>
(5)CVE-2022-28734
commit <net/http: Fix OOB write for split http headers>
commit <net/http: Error out on headers with LF without CR>
Test plan:
- PASS: build grub2/grub-efi.
- PASS: build-image and install and boot up on lab/qemu.
- PASS: check that the "stx.N" version number is right for both
bios(grub2 ver) and uefi(grub-efi ver) boot.
Partial-Bug: #2034119
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: Ia27b1ee225f13e9c4ad08a0828f93ea37f8d3dfb
44f318a38d