[Bug 2077201] Re: grub2 vendors libzstd 1.3.6 which has some CVEs

Julian Andres Klode 2077201 at bugs.launchpad.net
Thu Aug 29 10:10:38 UTC 2024


Might just add grub2-unsigned/signed entries to the CVE tracker and mark
it as not affected? I think porting new zstd to grub may be significant
effort and it's not worth working around third-party tools.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2-unsigned in Ubuntu.
https://bugs.launchpad.net/bugs/2077201

Title:
  grub2 vendors libzstd 1.3.6 which has some CVEs

Status in grub2-unsigned package in Ubuntu:
  New

Bug description:
  ~/work/source/jammy/grub2-2.06$ grep -nri "zstd-1.3.6" *
  ChangeLog:6978:	zstd: Import upstream zstd-1.3.6
  ChangeLog:6979:	- Import zstd-1.3.6 from upstream
  ChangeLog:6983:	Import zstd-1.3.6 from upstream [1]. Only the files need for decompression
  ChangeLog:6987:	I included the script used to import zstd-1.3.6 below at the bottom of the
  ChangeLog:7015:	curl -L -O https://github.com/facebook/zstd/releases/download/v1.3.6/zstd-1.3.6.tar.gz
  ChangeLog:7016:	curl -L -O https://github.com/facebook/zstd/releases/download/v1.3.6/zstd-1.3.6.tar.gz.sha256
  ChangeLog:7017:	sha256sum --check zstd-1.3.6.tar.gz.sha256
  ChangeLog:7018:	tar xzf zstd-1.3.6.tar.gz
  ChangeLog:7020:	SRC_LIB="zstd-1.3.6/lib"
  ChangeLog:7028:	rm -rf zstd-1.3.6*

  Scanning binaries like grub-install and grub-file: any of the grub binaries linked against grub-core include the embedded libzstd 1.3.6 library.

  This version has outstanding CVEs, already fixed in newer libzstd
  releases:

  https://ubuntu.com/security/CVE-2019-11922
  https://ubuntu.com/security/CVE-2021-24031

  I looked at the latest grub2, 2.12 in oracular, and this still vendors
  libzstd 1.3.6.

  The listed CVEs don't look like they apply to the grub vendored
  version: one deals with compression, and grub only decompresses; the
  other deals with file permissions on output, and grub doesn't write files.

  Consider bumping the vendored version since CVE scanners tag grub
  binaries with these CVEs even if they don't operationally apply.

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: grub2-common 2.06-2ubuntu7.2
  ProcVersionSignature: Ubuntu 5.15.0-1064.69-kvm 5.15.160
  Uname: Linux 5.15.0-1064-kvm x86_64
  ApportVersion: 2.20.11-0ubuntu82.6
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CloudArchitecture: x86_64
  CloudID: lxd
  CloudName: lxd
  CloudPlatform: lxd
  CloudSubPlatform: LXD socket API v. 1.0 (/dev/lxd/sock)
  Date: Fri Aug 16 21:44:02 2024
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   LANG=C.UTF-8
  SourcePackage: grub2
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2-unsigned/+bug/2077201/+subscriptions
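The report's point is that CVE scanners match on the vendored version marker alone and cannot see that grub only uses the decompression side. The script below is an added illustration of that heuristic, not code from the bug report or from the grub project: it extracts the `zstd-X.Y.Z` import marker that the reporter's grep found in grub's ChangeLog, compares it numerically against a threshold, and prints the verdict a scanner would give. The ChangeLog lines are constructed to mirror the report, and the `1.3.8` threshold is only a placeholder, since the report gives no fixed version; the real fixed versions are on the linked CVE pages.

```shell
#!/bin/sh
# Added example (not from the bug report or grub): emulate a version-marker
# based CVE scanner on a vendored zstd copy. Threshold versions are passed in;
# "1.3.8" in the stand-alone run below is a placeholder, not a value from the report.

# Print the first zstd-X.Y.Z marker found in a file as X.Y.Z (empty if none).
vendored_zstd_version() {
    grep -o 'zstd-[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' "$1" 2>/dev/null \
        | head -n 1 | sed 's/^zstd-//'
}

# True (exit 0) when version $1 is strictly older than $2, comparing each
# field as a number so that 1.3.10 sorts after 1.3.9 and before 1.4.0.
version_older_than() {
    a_major=${1%%.*}; rest=${1#*.}; a_minor=${rest%%.*}; a_patch=${rest#*.}
    b_major=${2%%.*}; rest=${2#*.}; b_minor=${rest%%.*}; b_patch=${rest#*.}
    [ "$a_major" -lt "$b_major" ] && return 0
    [ "$a_major" -gt "$b_major" ] && return 1
    [ "$a_minor" -lt "$b_minor" ] && return 0
    [ "$a_minor" -gt "$b_minor" ] && return 1
    [ "$a_patch" -lt "$b_patch" ]
}

# Scanner verdict for one file against a fixed-in version $2:
# "flagged X.Y.Z" when the vendored copy is older, "clean X.Y.Z" otherwise,
# "no-marker" when no zstd version marker is present. Always exits 0 so it
# can be used inside command substitutions under set -e.
scan_file() {
    v=$(vendored_zstd_version "$1")
    if [ -z "$v" ]; then
        echo "no-marker"
    elif version_older_than "$v" "$2"; then
        echo "flagged $v"   # what a marker-only scanner reports, whether or not the
                            # vulnerable code path (here: compression) is even built
    else
        echo "clean $v"
    fi
    return 0
}

# Constructed sample ChangeLog mirroring the lines quoted in the report.
sample_changelog() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
zstd: Import upstream zstd-1.3.6
- Import zstd-1.3.6 from upstream
Only the files needed for decompression are imported.
EOF
    echo "$tmp"
}

# Stand-alone run: the scanner flags the vendored copy against the placeholder threshold.
f=$(sample_changelog)
scan_file "$f" "1.3.8"   # prints "flagged 1.3.6"
rm -f "$f"
```

Because the verdict depends only on the version string, the same marker is flagged for a compression-side CVE even when, as the reporter notes, only the decompression files were imported; bumping the vendored version is what makes the marker-based match go away, while a tracker entry marked "not affected" documents why the match was a false positive.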