[Bug 1911440] Re: Build using distro minilzo
Dimitri John Ledkov
1911440 at bugs.launchpad.net
Wed Jan 13 14:50:01 UTC 2021
** Description changed:
- Build using distro minilzo
+ [Impact]
+
+ * grub2 builds freestanding libc-less minilzo library to be used by the bootloader code.
+ * It has a vendorized copy of it, whilst the distribution has newer copies of it.
+ * Specifically distribution build has FTBFS fixes for new compiler and CVE fixes, specifically https://ubuntu.com/security/cve-2014-4607
+
+ CVE-2014-4607
+
+ * Building grub with minilzo from the archive seems to be the best way
+ to keep minilzo up to date and secure
+
+ [Test Case]
+
+ * Check that grub can open lzo compressed files in the command line
+ prompt, for example by having /boot on btrfs filesystem with
+ compress=lzo option.
+
+ [Where problems could occur]
+
+ * Changes limited to lzo compression, so for example grub may fail to
+ mount / read data off btrfs filesystem with compress=lzo
** Also affects: grub2 (Ubuntu Groovy)
Importance: Undecided
Status: New
** Also affects: grub2 (Ubuntu Hirsute)
Importance: Undecided
Status: New
** Also affects: grub2 (Ubuntu Focal)
Importance: Undecided
Status: New
** Description changed:
[Impact]
- * grub2 builds freestanding libc-less minilzo library to be used by the bootloader code.
- * It has a vendorized copy of it, whilst the distribution has newer copies of it.
- * Specifically distribution build has FTBFS fixes for new compiler and CVE fixes, specifically https://ubuntu.com/security/cve-2014-4607
+ * grub2 builds freestanding libc-less minilzo library to be used by the bootloader code.
+ * It has a vendorized copy of it, whilst the distribution has newer copies of it.
+ * Specifically distribution build has FTBFS fixes for new compiler and CVE fixes, specifically https://ubuntu.com/security/cve-2014-4607
CVE-2014-4607
- * Building grub with minilzo from the archive seems to be the best way
+ * Building grub with minilzo from the archive seems to be the best way
to keep minilzo up to date and secure
[Test Case]
- * Check that grub can open lzo compressed files in the command line
+ * Check that grub can open lzo compressed files in the command line
prompt, for example by having /boot on btrfs filesystem with
compress=lzo option.
[Where problems could occur]
- * Changes limited to lzo compression, so for example grub may fail to
+ * Changes limited to lzo compression, so for example grub may fail to
mount / read data off btrfs filesystem with compress=lzo
+
+ [Other Info]
+
+ Fixed in:
+
+ hirsute grub2 2.04-1ubuntu37
+ hirsute grub2-signed 1.157
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-4607
** Changed in: grub2 (Ubuntu Hirsute)
Status: New => Fix Released
** Also affects: grub2-signed (Ubuntu)
Importance: Undecided
Status: New
** Changed in: grub2-signed (Ubuntu Hirsute)
Status: New => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1911440
Title:
Build using distro minilzo
Status in grub2 package in Ubuntu:
Fix Released
Status in grub2-signed package in Ubuntu:
Fix Released
Status in grub2 source package in Focal:
New
Status in grub2-signed source package in Focal:
New
Status in grub2 source package in Groovy:
New
Status in grub2-signed source package in Groovy:
New
Status in grub2 source package in Hirsute:
Fix Released
Status in grub2-signed source package in Hirsute:
Fix Released
Bug description:
[Impact]
* grub2 builds freestanding libc-less minilzo library to be used by the bootloader code.
* It has a vendorized copy of it, whilst the distribution has newer copies of it.
* Specifically distribution build has FTBFS fixes for new compiler and CVE fixes, specifically https://ubuntu.com/security/cve-2014-4607
CVE-2014-4607
* Building grub with minilzo from the archive seems to be the best
way to keep minilzo up to date and secure
[Test Case]
* Check that grub can open lzo compressed files in the command line
prompt, for example by having /boot on btrfs filesystem with
compress=lzo option.
[Where problems could occur]
* Changes limited to lzo compression, so for example grub may fail to
mount / read data off btrfs filesystem with compress=lzo
[Other Info]
Fixed in:
hirsute grub2 2.04-1ubuntu37
hirsute grub2-signed 1.157
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1911440/+subscriptions
More information about the foundations-bugs
mailing list