[Bug 1996950] Re: CVE-2022-2601, CVE-2022-3775: font security fixes

Fri Jan 27 12:34:23 UTC 2023

So I want to say verification failed on bionic because arm64 failed
grub-install due to missing efibootmgr, but it's not actually a
regression. Otherwise autopkgtests passed everywhere:

sqlite> select package, arch, release, triggers, exitcode from test, result where  test_id==test.id AND triggers like "%grub2-unsigned/2.06-2ubuntu14%"  AND triggers like "%grub2-signed%" AND requester="juliank" ORDER BY release;
package  arch   release  triggers                                                    exitcode
-------  -----  -------  ----------------------------------------------------------  --------
gzip     amd64  bionic   grub2-signed/1.187.2~18.04.1 grub2-unsigned/2.06-2ubuntu14  0       
gzip     arm64  bionic   grub2-signed/1.187.2~18.04.1 grub2-unsigned/2.06-2ubuntu14  12      
hello    arm64  focal    grub2-signed/1.187.2~20.04.2 grub2-unsigned/2.06-2ubuntu14  0       
hello    amd64  focal    grub2-signed/1.187.2~20.04.2 grub2-unsigned/2.06-2ubuntu14  0       
hello    amd64  jammy    grub2-signed/1.187.2 grub2-unsigned/2.06-2ubuntu14          0       
hello    arm64  jammy    grub2-signed/1.187.2 grub2-unsigned/2.06-2ubuntu14          0       
hello    arm64  kinetic  grub2-signed/1.187.2 grub2-unsigned/2.06-2ubuntu14          0       
hello    amd64  kinetic  grub2-signed/1.187.2 grub2-unsigned/2.06-2ubuntu14          0       

To fix grub-install needing efibootmgr on bionic, we could add a Depends: efibootmgr [amd64 arm64] to grub2-common there. This is not entirely accurate of course because it's only needed if you have -efi bits installed; but: this allows grub2-unsigned and grub2-signed to remain identical between releases which severely reduces workload for updates.

Though to be fair, we can also add a Depends: grub2-common (>=
2.02+dfsg1-15) | efibootmgr to grub2-signed in all releases. Still
missing Depends in grub2-unsigned. We probably should not block on that
though.

It's not clear to me how autopkgtest arm64 images ended up with grub-
efi-arm64-signed installed successfully in the first place, peculiar, it
should not have built an image that way.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1996950

Title:
  CVE-2022-2601, CVE-2022-3775: font security fixes

Status in grub2-signed package in Ubuntu:
  Fix Released
Status in grub2-unsigned package in Ubuntu:
  Fix Released
Status in grub2-signed source package in Bionic:
  New
Status in grub2-unsigned source package in Bionic:
  Fix Committed
Status in grub2-signed source package in Focal:
  Fix Released
Status in grub2-unsigned source package in Focal:
  Fix Committed
Status in grub2-signed source package in Jammy:
  New
Status in grub2-unsigned source package in Jammy:
  Fix Committed
Status in grub2-signed source package in Kinetic:
  New
Status in grub2-unsigned source package in Kinetic:
  Fix Committed
Status in grub2-signed source package in Lunar:
  Fix Released
Status in grub2-unsigned source package in Lunar:
  Fix Released

Bug description:
  [Impact]
  security update staged in updates

  [Test plan]
  Boot it on multiple systems. Notably juliank will be doing semi-automated testing in QEMU that does chainbooting over network (shim->grub->shim->grub); and boots on T14 G3 AMD and an XPS 13; chrisccoulson did his own security testing before that.

  [Where problems could occur]
  Font loading is disabled, could cause rendering issues

  Unicode font stuffed in xz squashfs, could cause more memory issues
  during boot

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2-signed/+bug/1996950/+subscriptions