Accepted grub2 2.02+dfsg1-20+deb10u1 (source) into proposed-updates->stable-new, proposed-updates
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 26 Jul 2020 22:38:55 +0100
Source: grub2
Architecture: source
Version: 2.02+dfsg1-20+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net>
Changed-By: Colin Watson <cjwatson@debian.org>
Changes:
 grub2 (2.02+dfsg1-20+deb10u1) buster-security; urgency=high
 .
   * Backport security patch series from upstream:
     - CVE-2020-10713: yylex: Make lexer fatal errors actually be fatal
     - safemath: Add some arithmetic primitives that check for overflow
     - calloc: Make sure we always have an overflow-checking calloc()
       available
     - CVE-2020-14308: calloc: Use calloc() at most places
     - CVE-2020-14309, CVE-2020-14310, CVE-2020-14311: malloc: Use overflow
       checking primitives where we do complex allocations
     - iso9660: Don't leak memory on realloc() failures
     - font: Do not load more than one NAME section
     - gfxmenu: Fix double free in load_image()
     - xnu: Fix double free in grub_xnu_devprop_add_property()
     - lzma: Make sure we don't dereference past array
     - term: Fix overflow on user inputs
     - udf: Fix memory leak
     - tftp: Do not use priority queue
     - relocator: Protect grub_relocator_alloc_chunk_addr() input args
       against integer underflow/overflow
     - relocator: Protect grub_relocator_alloc_chunk_align() max_addr against
       integer underflow
     - script: Remove unused fields from grub_script_function struct
     - CVE-2020-15706: script: Avoid a use-after-free when redefining a
       function during execution
     - relocator: Fix grub_relocator_alloc_chunk_align() top memory
       allocation
     - hfsplus: fix two more overflows
     - lvm: fix two more potential data-dependent alloc overflows
     - emu: make grub_free(NULL) safe
     - efi: fix some malformed device path arithmetic errors
     - update safemath with fallback code for gcc older than 5.1
     - efi: Fix use-after-free in halt/reboot path
     - linux loader: avoid overflow on initrd size calculation
     - CVE-2020-15707: linux: Fix integer overflows in initrd size handling
   * Apply overflow checking to allocations in Debian patches:
     - CVE-2020-15707: efilinux: Fix integer overflows in grub_cmd_initrd
     - bootp: Fix integer overflow in parse_dhcp6_option
     - unix/config: Fix integer overflow in grub_util_load_config
     - deviceiter: Fix integer overflow in grub_util_iterate_devices
Checksums-Sha1:
 cb6268f3be38c30a8700707b0b8456f458d623c3 6885 grub2_2.02+dfsg1-20+deb10u1.dsc
 7a7b17051b32cef09493aaf21ac54f680ddc37b1 6217988 grub2_2.02+dfsg1.orig.tar.xz
 ab5193b4471ee99b1886339bca507990bb26ac30 1174008 grub2_2.02+dfsg1-20+deb10u1.debian.tar.xz
 a5f173da1b5c4c76bd12ecad29cdd302e1e293da 13404 grub2_2.02+dfsg1-20+deb10u1_source.buildinfo
Checksums-Sha256:
 71cf3e3f2aa5320ad2582c78ef078b9a7dcc47db47fbec98930b7af4bc2cae62 6885 grub2_2.02+dfsg1-20+deb10u1.dsc
 7ceb97380b2924de2b857f1e962f57aa65603a679ce120ee9a1ca11464636a1e 6217988 grub2_2.02+dfsg1.orig.tar.xz
 3d184b6eddac3da8f71ab9608dcdede691be23c65531138e109a98161da839ba 1174008 grub2_2.02+dfsg1-20+deb10u1.debian.tar.xz
 69578012e50d9a2389445011d495233fcf9c8b4f87d4e5620eb8a4ec88cd4d7e 13404 grub2_2.02+dfsg1-20+deb10u1_source.buildinfo
Files:
 7501778bb6adf2ee562d480625a8d428 6885 admin optional grub2_2.02+dfsg1-20+deb10u1.dsc
 20a33f95edb3786aca5e01cd46a87e01 6217988 admin optional grub2_2.02+dfsg1.orig.tar.xz
 6705e3b5ee52fbd88071a712bbaeb7c5 1174008 admin optional grub2_2.02+dfsg1-20+deb10u1.debian.tar.xz
 5ca93d5f19edd8190642a7cc67ee1ec1 13404 admin optional grub2_2.02+dfsg1-20+deb10u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
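The safemath and calloc entries in the changelog above describe the fix pattern behind most of these CVEs: do size arithmetic with primitives that report overflow, and make calloc() refuse a count-times-size product that would wrap rather than hand back an undersized buffer. The following is an added illustration in C, not GRUB's own code; the names safe_mul, safe_add, checked_calloc and alloc_header_plus_entries are this example's, and the compiler-version fallback mirrors the "safemath with fallback code for gcc older than 5.1" idea only in spirit.

```c
/* Added example (not GRUB's code): overflow-checked arithmetic and an
   overflow-checking calloc(), in the spirit of the safemath entries. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Returns true on overflow; otherwise false with *res filled in. */
static bool safe_mul(size_t a, size_t b, size_t *res)
{
#if defined(__clang__) || (defined(__GNUC__) && __GNUC__ >= 5)
    return __builtin_mul_overflow(a, b, res);
#else
    /* Fallback for compilers without the overflow builtins. */
    if (a != 0 && b > SIZE_MAX / a)
        return true;
    *res = a * b;
    return false;
#endif
}

static bool safe_add(size_t a, size_t b, size_t *res)
{
    if (a > SIZE_MAX - b)
        return true;
    *res = a + b;
    return false;
}

/* calloc() that fails cleanly when nmemb * size would wrap, instead of
   returning a buffer far smaller than the caller believes it got. */
void *checked_calloc(size_t nmemb, size_t size)
{
    size_t total;
    if (safe_mul(nmemb, size, &total))
        return NULL;                 /* caller sees an allocation failure */
    void *p = malloc(total);
    if (p != NULL)
        memset(p, 0, total);
    return p;
}

/* The "complex allocation" pattern: a header plus n entries of one size. */
void *alloc_header_plus_entries(size_t header, size_t n, size_t entry)
{
    size_t body, total;
    if (safe_mul(n, entry, &body) || safe_add(header, body, &total))
        return NULL;                 /* data-dependent size refused, not wrapped */
    return malloc(total);
}
```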