[Bug 2077201] [NEW] grub2 vendors libzstd 1.3.6 which has some CVEs
Ryan Harper
2077201 at bugs.launchpad.net
Fri Aug 16 22:07:40 UTC 2024
Public bug reported:
~/work/source/jammy/grub2-2.06$ grep -nri "zstd-1.3.6" *
ChangeLog:6978: zstd: Import upstream zstd-1.3.6
ChangeLog:6979: - Import zstd-1.3.6 from upstream
ChangeLog:6983: Import zstd-1.3.6 from upstream [1]. Only the files need for decompression
ChangeLog:6987: I included the script used to import zstd-1.3.6 below at the bottom of the
ChangeLog:7015: curl -L -O https://github.com/facebook/zstd/releases/download/v1.3.6/zstd-1.3.6.tar.gz
ChangeLog:7016: curl -L -O https://github.com/facebook/zstd/releases/download/v1.3.6/zstd-1.3.6.tar.gz.sha256
ChangeLog:7017: sha256sum --check zstd-1.3.6.tar.gz.sha256
ChangeLog:7018: tar xzf zstd-1.3.6.tar.gz
ChangeLog:7020: SRC_LIB="zstd-1.3.6/lib"
ChangeLog:7028: rm -rf zstd-1.3.6*
Scanning binaries like grub-install, grub-file; any of the grub binaries linked against grub-core include the embedded libzstd 1.3.6 library.
This version has outstanding CVEs, already fixed in newer libzstd
releases:
https://ubuntu.com/security/CVE-2019-11922
https://ubuntu.com/security/CVE-2021-24031
I looked at the latest grub2, 2.12 in oracular, and this still vendors
libzstd 1.3.6
The listed CVEs don't look like they apply to the grub vendored version
(one deals with compression, and grub only decompresses; the other with file
permissions on output, and grub doesn't write files).
Consider bumping the vendored version since CVE scanners tag grub
binaries with these CVEs even if they don't operationally apply.
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: grub2-common 2.06-2ubuntu7.2
ProcVersionSignature: Ubuntu 5.15.0-1064.69-kvm 5.15.160
Uname: Linux 5.15.0-1064-kvm x86_64
ApportVersion: 2.20.11-0ubuntu82.6
Architecture: amd64
CasperMD5CheckResult: unknown
CloudArchitecture: x86_64
CloudID: lxd
CloudName: lxd
CloudPlatform: lxd
CloudSubPlatform: LXD socket API v. 1.0 (/dev/lxd/sock)
Date: Fri Aug 16 21:44:02 2024
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
LANG=C.UTF-8
SourcePackage: grub2
UpgradeStatus: No upgrade log present (probably fresh install)
** Affects: grub2 (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug jammy uec-images
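As an added illustration (not part of the bug report or of grub's own code): a small Python triage helper that reads the version macros from a vendored zstd.h and separates what a version-matching scanner would flag from what operationally applies when only the decompression side is used. The fixed-in versions in ADVISORIES are this example's assumption taken from the upstream advisories (verify against the links above), and SAMPLE_ZSTD_H is a constructed stand-in for grub-core/lib/zstd/zstd.h.

```python
import re

# Version macros as they appear in zstd.h (ZSTD_VERSION_MAJOR/MINOR/RELEASE).
_MACRO_RE = re.compile(
    r"^\s*#\s*define\s+ZSTD_VERSION_(MAJOR|MINOR|RELEASE)\s+(\d+)", re.M)

def vendored_zstd_version(header_text):
    """Return (major, minor, release) parsed from a vendored zstd.h, or None."""
    parts = {m.group(1): int(m.group(2)) for m in _MACRO_RE.finditer(header_text)}
    if not all(k in parts for k in ("MAJOR", "MINOR", "RELEASE")):
        return None
    return (parts["MAJOR"], parts["MINOR"], parts["RELEASE"])

# Advisories named in the bug, the code area each concerns (as the report
# describes them) and the release carrying the fix.  The fix versions are an
# assumption of this example, taken from the upstream advisories.
ADVISORIES = [
    {"id": "CVE-2019-11922", "area": "compress",   "fixed_in": (1, 3, 8)},
    {"id": "CVE-2021-24031", "area": "cli-output", "fixed_in": (1, 4, 1)},
]

def triage(version, advisories, areas_used):
    """Split advisories into what a version-only scanner flags versus what
    applies given the code areas the vendored copy actually uses."""
    flagged = [a["id"] for a in advisories if version < a["fixed_in"]]
    applicable = [a["id"] for a in advisories
                  if version < a["fixed_in"] and a["area"] in areas_used]
    return flagged, applicable

# Constructed stand-in for the vendored header (not the real file contents).
SAMPLE_ZSTD_H = """\
#define ZSTD_VERSION_MAJOR    1
#define ZSTD_VERSION_MINOR    3
#define ZSTD_VERSION_RELEASE  6
#define ZSTD_VERSION_NUMBER  (ZSTD_VERSION_MAJOR *100*100 + ZSTD_VERSION_MINOR *100 + ZSTD_VERSION_RELEASE)
"""

if __name__ == "__main__":
    v = vendored_zstd_version(SAMPLE_ZSTD_H)
    flagged, applicable = triage(v, ADVISORIES, {"decompress"})
    print("vendored zstd %d.%d.%d" % v)
    print("scanner flags:", flagged)            # both CVEs
    print("operationally applicable:", applicable)  # none
```

Pointing `vendored_zstd_version` at the real vendored header and `areas_used` at the files the import script actually copies gives the scanner-versus-applicability split the report describes.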
https://bugs.launchpad.net/bugs/2077201