[Bug 2055835] Please test proposed package
Chris Halse Rogers
2055835 at bugs.launchpad.net
Wed Apr 2 07:08:02 UTC 2025
Hello Mate, or anyone else affected,

Accepted grub2-signed into noble-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/grub2-signed/1.202.5 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-noble to verification-done-noble. If it does not fix
the bug for you, please add a comment stating that, and change the tag to
verification-failed-noble. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/2055835

Title:
  GRUB 2025 spring security update

Status in grub2 package in Ubuntu:
  Fix Released
Status in grub2-signed package in Ubuntu:
  Fix Released
Status in grub2-unsigned package in Ubuntu:
  Fix Released
Status in grub2 source package in Xenial:
  Invalid
Status in grub2-signed source package in Xenial:
  New
Status in grub2-unsigned source package in Xenial:
  New
Status in grub2 source package in Bionic:
  Invalid
Status in grub2-signed source package in Bionic:
  New
Status in grub2-unsigned source package in Bionic:
  New
Status in grub2 source package in Focal:
  Invalid
Status in grub2-signed source package in Focal:
  Fix Committed
Status in grub2-unsigned source package in Focal:
  Fix Committed
Status in grub2 source package in Jammy:
  Invalid
Status in grub2-signed source package in Jammy:
  Fix Committed
Status in grub2-unsigned source package in Jammy:
  Fix Committed
Status in grub2 source package in Noble:
  Fix Committed
Status in grub2-signed source package in Noble:
  Fix Committed
Status in grub2-unsigned source package in Noble:
  Fix Committed
Status in grub2 source package in Oracular:
  Fix Committed
Status in grub2-signed source package in Oracular:
  Fix Committed
Status in grub2-unsigned source package in Oracular:
  Fix Committed
Status in grub2 source package in Plucky:
  Fix Released
Status in grub2-signed source package in Plucky:
  Fix Released
Status in grub2-unsigned source package in Plucky:
  Fix Released

Bug description:
  Just to be clear this is now the tracking bug for all GRUB2 CVE fixes
  in this batch, and not just the insmod refcount overflow it was
  originally filed for.

  [ Impact ]

   * A large batch of secure boot CVEs in GRUB2 were fixed earlier this
     year and recently un-embargoed.

   * This has an obvious impact on everyone relying on Secure Boot for
     any purpose.

  [ Test Plan ]

   * In archive, ubuntu-boot-test in plucky, oracular, noble.
     Local ubuntu-boot-test for jammy, focal.

   * Manual test boots of all revs on real hardware.

  [ Where problems could occur ]

   * While everything was previously tested, boot regressions are always possible.
     We will watch the situation and quickly remedy anything asap.

  ==============================================================================

  This bug is being reused, but the original bug report is preserved below:

  Repeatedly executing the `insmod` command on a module leads to the
  module's reference count being incremented on each execution.
  Unfortunately GRUB performs no overflow checks on the module reference
  count, thus leading to the reference count overflowing, and in turn
  allowing `rmmod` to be executed on such a module.

  This returns the module's heap memory *while leaving active pointers
  to it*. Subsequent heap allocations will re-use this memory,
  potentially allowing an attacker to replace a module with an unsigned
  payload and lead to its execution.

  The reference count is a 32-bit integer, and executing enough
  `insmod`s to cause an overflow will take multiple hours, thus making
  this issue rather time-consuming to exploit.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/2055835/+subscriptions
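
An added illustration of the reference-count wraparound described in the original report; it is not code from GRUB or from this bug. `struct module` and every function name are hypothetical, and the counter is assumed to be an unsigned 32-bit value (the report only says "32-bit integer"). It compares an unchecked increment with one that refuses to wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a loaded module; not GRUB's own structure. */
struct module {
    uint32_t ref_count;   /* assumed unsigned 32-bit counter */
    bool     loaded;
};

/* Unchecked increment: at UINT32_MAX the counter wraps to 0. */
static void ref_unchecked(struct module *m) { m->ref_count++; }

/* Checked increment: refuse the new reference instead of wrapping. */
static bool ref_checked(struct module *m)
{
    if (m->ref_count == UINT32_MAX)
        return false;
    m->ref_count++;
    return true;
}

/* Unload is permitted only while nothing references the module. */
static bool try_unload(struct module *m)
{
    if (m->ref_count != 0)
        return false;
    m->loaded = false;    /* real code would release the module's memory here */
    return true;
}

/* Returns true if the module could be unloaded while references were live. */
static bool unloaded_while_referenced(bool use_checked)
{
    /* Constructed state: counter already at its maximum, so no long loop. */
    struct module m = { .ref_count = UINT32_MAX, .loaded = true };
    if (use_checked)
        (void)ref_checked(&m);
    else
        ref_unchecked(&m);
    return try_unload(&m);
}

int main(void)
{
    printf("unchecked: %d\n", unloaded_while_referenced(false));
    printf("checked:   %d\n", unloaded_while_referenced(true));
    return 0;
}
```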