[Bug 2077201] [NEW] grub2 vendors libzstd 1.3.6 which has some CVEs

Ryan Harper 2077201 at bugs.launchpad.net
Fri Aug 16 22:07:40 UTC 2024 

Public bug reported:

~/work/source/jammy/grub2-2.06$ grep -nri "zstd-1.3.6" *
ChangeLog:6978:	zstd: Import upstream zstd-1.3.6
ChangeLog:6979:	- Import zstd-1.3.6 from upstream
ChangeLog:6983:	Import zstd-1.3.6 from upstream [1]. Only the files need for decompression
ChangeLog:6987:	I included the script used to import zstd-1.3.6 below at the bottom of the
ChangeLog:7015:	curl -L -O https://github.com/facebook/zstd/releases/download/v1.3.6/zstd-1.3.6.tar.gz
ChangeLog:7016:	curl -L -O https://github.com/facebook/zstd/releases/download/v1.3.6/zstd-1.3.6.tar.gz.sha256
ChangeLog:7017:	sha256sum --check zstd-1.3.6.tar.gz.sha256
ChangeLog:7018:	tar xzf zstd-1.3.6.tar.gz
ChangeLog:7020:	SRC_LIB="zstd-1.3.6/lib"
ChangeLog:7028:	rm -rf zstd-1.3.6*


Scanning binaries like grub-install, grub-file; any of the grub binaries linked against grub-core include the embedded libzstd 1.3.6 library.

This version has outstanding CVEs, already fixed in newer libzstd
releases:

https://ubuntu.com/security/CVE-2019-11922
https://ubuntu.com/security/CVE-2021-24031

I looked at the latest grub2, 2.12 in oracular, and this still vendors
libzstd 1.3.6

The listed CVEs don't look like they apply to the grub vendored version
(one deals with compress, grub only decompresses), the other with file
permissions on output (grub doesn't write files).

Consider bumping the vendored version since CVE scanners tag grub
binaries with these CVEs even if the don't operationally apply.

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: grub2-common 2.06-2ubuntu7.2
ProcVersionSignature: Ubuntu 5.15.0-1064.69-kvm 5.15.160
Uname: Linux 5.15.0-1064-kvm x86_64
ApportVersion: 2.20.11-0ubuntu82.6
Architecture: amd64
CasperMD5CheckResult: unknown
CloudArchitecture: x86_64
CloudID: lxd
CloudName: lxd
CloudPlatform: lxd
CloudSubPlatform: LXD socket API v. 1.0 (/dev/lxd/sock)
Date: Fri Aug 16 21:44:02 2024
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=C.UTF-8
SourcePackage: grub2
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: grub2 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug jammy uec-images

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/2077201

Title:
  grub2 vendors libzstd 1.3.6 which has some CVEs

Status in grub2 package in Ubuntu:
  New

Bug description:
  ~/work/source/jammy/grub2-2.06$ grep -nri "zstd-1.3.6" *
  ChangeLog:6978:	zstd: Import upstream zstd-1.3.6
  ChangeLog:6979:	- Import zstd-1.3.6 from upstream
  ChangeLog:6983:	Import zstd-1.3.6 from upstream [1]. Only the files need for decompression
  ChangeLog:6987:	I included the script used to import zstd-1.3.6 below at the bottom of the
  ChangeLog:7015:	curl -L -O https://github.com/facebook/zstd/releases/download/v1.3.6/zstd-1.3.6.tar.gz
  ChangeLog:7016:	curl -L -O https://github.com/facebook/zstd/releases/download/v1.3.6/zstd-1.3.6.tar.gz.sha256
  ChangeLog:7017:	sha256sum --check zstd-1.3.6.tar.gz.sha256
  ChangeLog:7018:	tar xzf zstd-1.3.6.tar.gz
  ChangeLog:7020:	SRC_LIB="zstd-1.3.6/lib"
  ChangeLog:7028:	rm -rf zstd-1.3.6*

  
  Scanning binaries like grub-install, grub-file; any of the grub binaries linked against grub-core include the embedded libzstd 1.3.6 library.

  This version has outstanding CVEs, already fixed in newer libzstd
  releases:

  https://ubuntu.com/security/CVE-2019-11922
  https://ubuntu.com/security/CVE-2021-24031

  I looked at the latest grub2, 2.12 in oracular, and this still vendors
  libzstd 1.3.6

  The listed CVEs don't look like they apply to the grub vendored
  version (one deals with compress, grub only decompresses), the other
  with file permissions on output (grub doesn't write files).

  Consider bumping the vendored version since CVE scanners tag grub
  binaries with these CVEs even if the don't operationally apply.

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: grub2-common 2.06-2ubuntu7.2
  ProcVersionSignature: Ubuntu 5.15.0-1064.69-kvm 5.15.160
  Uname: Linux 5.15.0-1064-kvm x86_64
  ApportVersion: 2.20.11-0ubuntu82.6
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CloudArchitecture: x86_64
  CloudID: lxd
  CloudName: lxd
  CloudPlatform: lxd
  CloudSubPlatform: LXD socket API v. 1.0 (/dev/lxd/sock)
  Date: Fri Aug 16 21:44:02 2024
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   LANG=C.UTF-8
  SourcePackage: grub2
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/2077201/+subscriptions

More information about the foundations-bugs mailing list