Debian Package Tracker

general

source: grub2 (main)
version: 2.04-9
maintainer: GRUB Maintainers (archive) (DMD)
uploaders: Ian Campbell [DMD] – Jordi Mallach [DMD] – Steve McIntyre [DMD] – Felix Zielcke [DMD] [DM] – Colin Watson [DMD]
arch: any
std-ver: 3.9.6
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.02~beta2-22+deb8u1
o-o-sec: 2.02~beta2-22+deb8u1
oldstable: 2.02~beta3-5+deb9u2
stable: 2.02+dfsg1-20+deb10u2
stable-sec: 2.02+dfsg1-20+deb10u2
testing: 2.04-8
unstable: 2.04-9

versioned links

2.02~beta2-22+deb8u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.02~beta3-5+deb9u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.02+dfsg1-20+deb10u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.04-8: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.04-9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

grub-common (152 bugs: 1, 103, 48, 0)
grub-coreboot (1 bugs: 0, 0, 1, 0)
grub-coreboot-bin (1 bugs: 0, 1, 0, 0)
grub-coreboot-dbg
grub-efi (12 bugs: 0, 12, 0, 0)
grub-efi-amd64 (29 bugs: 4, 20, 5, 0)
grub-efi-amd64-bin (7 bugs: 0, 6, 1, 0)
grub-efi-amd64-dbg
grub-efi-amd64-signed-template
grub-efi-arm (2 bugs: 0, 2, 0, 0)
grub-efi-arm-bin
grub-efi-arm-dbg
grub-efi-arm64 (2 bugs: 0, 2, 0, 0)
grub-efi-arm64-bin
grub-efi-arm64-dbg
grub-efi-arm64-signed-template
grub-efi-ia32 (5 bugs: 0, 4, 1, 0)
grub-efi-ia32-bin
grub-efi-ia32-dbg
grub-efi-ia32-signed-template
grub-efi-ia64
grub-efi-ia64-bin
grub-efi-ia64-dbg
grub-emu (1 bugs: 1, 0, 0, 0)
grub-emu-dbg
grub-firmware-qemu (1 bugs: 0, 0, 1, 0)
grub-ieee1275 (9 bugs: 0, 8, 1, 0)
grub-ieee1275-bin
grub-ieee1275-dbg
grub-linuxbios
grub-mount-udeb
grub-pc (235 bugs: 2, 182, 51, 0)
grub-pc-bin (7 bugs: 0, 6, 1, 0)
grub-pc-dbg
grub-rescue-pc (3 bugs: 0, 1, 2, 0)
grub-theme-starfield
grub-uboot (1 bugs: 0, 1, 0, 0)
grub-uboot-bin
grub-uboot-dbg
grub-xen (2 bugs: 0, 1, 1, 0)
grub-xen-bin
grub-xen-dbg
grub-xen-host (1 bugs: 0, 1, 0, 0)
grub-yeeloong
grub-yeeloong-bin
grub-yeeloong-dbg
grub2 (50 bugs: 0, 34, 16, 0)
grub2-common (54 bugs: 2, 33, 19, 0)

action needed

7 security issues in bullseye high

There are 7 open security issues in bullseye.

7 important issues:

CVE-2020-14308: In grub2 versions before 2.06 the grub memory allocator doesn't check for possible arithmetic overflows on the requested allocation size. This leads the function to return invalid memory allocations which can be further used to cause possible integrity, confidentiality and availability impacts during the boot process.
CVE-2020-10713: A flaw was found in grub2, prior to version 2.06. An attacker may use the GRUB 2 flaw to hijack and tamper the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2020-14309: There's an issue with grub2 in all versions before 2.06 when handling squashfs filesystems containing a symbolic link with name length of UINT32 bytes in size. The name size leads to an arithmetic overflow leading to a zero-size allocation further causing a heap-based buffer overflow with attacker controlled data.
CVE-2020-14311: There is an issue with grub2 before version 2.06 while handling symlink on ext filesystems. A filesystem containing a symbolic link with an inode size of UINT32_MAX causes an arithmetic overflow leading to a zero-sized memory allocation with subsequent heap-based buffer overflow.
CVE-2020-14310: There is an issue on grub2 before version 2.06 at function read_section_as_string(). It expects a font name to be at max UINT32_MAX - 1 length in bytes but it doesn't verify it before proceed with buffer allocation to read the value from the font value. An attacker may leverage that by crafting a malicious font file which has a name with UINT32_MAX, leading to read_section_as_string() to an arithmetic overflow, zero-sized allocation and further heap-based buffer overflow.
CVE-2020-15707: Integer overflows were discovered in the functions grub_cmd_initrd and grub_initrd_init in the efilinux component of GRUB2, as shipped in Debian, Red Hat, and Ubuntu (the functionality is not included in GRUB2 upstream), leading to a heap-based buffer overflow. These could be triggered by an extremely large number of arguments to the initrd command on 32-bit architectures, or a crafted filesystem with very large files on any architecture. An attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions. This issue affects GRUB2 version 2.04 and prior versions.
CVE-2020-15706: GRUB2 contains a race condition in grub_script_function_create() leading to a use-after-free vulnerability which can be triggered by redefining a function whilst the same function is already executing, leading to arbitrary code execution and secure boot restriction bypass. This issue affects GRUB2 version 2.04 and prior versions.

Please fix them.

Created: 2020-07-29 Last update: 2020-08-02 06:48

Standards version of the package is outdated. high

The package is severely out of date with respect to the Debian Policy. The package should be updated to follow the last version of Debian Policy (Standards-Version 4.5.0 instead of 3.9.6).

Created: 2016-02-06 Last update: 2020-07-29 22:08

lintian reports 2 errors and 14 warnings high

Lintian reports 2 errors and 14 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2020-07-29 Last update: 2020-07-29 12:31

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 2-day delay is over. Check why.

Created: 2020-08-01 Last update: 2020-08-05 07:07

42 bugs tagged patch in the BTS normal

The BTS contains patches fixing 42 bugs (52 if counting merged bugs), consider including or untagging them.

Created: 2020-06-28 Last update: 2020-08-05 07:01

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2018-09-01 Last update: 2020-08-05 02:02

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 2.04-10, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit a2ace2e45eb3e3114e7ed1489b74066cb2ace185
Merge: 0a2ba124 73489be4
Author: Colin Watson <cjwatson@debian.org>
Date:   Wed Jul 29 18:02:23 2020 +0100

    Merge remote-tracking branch 'salsa/master' into master

commit 73489be4812388f3ecbf31b69a2296cecb70a05d
Author: Ian Campbell <ijc@debian.org>
Date:   Sat Jun 27 10:36:23 2020 +0100

    Remove myself from Uploaders

Created: 2020-06-27 Last update: 2020-07-30 20:38

RFH: The maintainer is looking for help with this package. normal

The current maintainer is looking for someone who can help with the maintenance of this package. If you are interested in this package, please consider helping out. One way you can help is offer to be a co-maintainer or triage bugs in the BTS. Please see bug number #248397 for more information.

Created: 2017-12-02 Last update: 2017-12-02 00:26

7 ignored security issues in stretch low

There are 7 open security issues in stretch.

7 issues skipped by the security teams:

CVE-2020-14308: In grub2 versions before 2.06 the grub memory allocator doesn't check for possible arithmetic overflows on the requested allocation size. This leads the function to return invalid memory allocations which can be further used to cause possible integrity, confidentiality and availability impacts during the boot process.
CVE-2020-10713: A flaw was found in grub2, prior to version 2.06. An attacker may use the GRUB 2 flaw to hijack and tamper the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2020-14309: There's an issue with grub2 in all versions before 2.06 when handling squashfs filesystems containing a symbolic link with name length of UINT32 bytes in size. The name size leads to an arithmetic overflow leading to a zero-size allocation further causing a heap-based buffer overflow with attacker controlled data.
CVE-2020-14311: There is an issue with grub2 before version 2.06 while handling symlink on ext filesystems. A filesystem containing a symbolic link with an inode size of UINT32_MAX causes an arithmetic overflow leading to a zero-sized memory allocation with subsequent heap-based buffer overflow.
CVE-2020-14310: There is an issue on grub2 before version 2.06 at function read_section_as_string(). It expects a font name to be at max UINT32_MAX - 1 length in bytes but it doesn't verify it before proceed with buffer allocation to read the value from the font value. An attacker may leverage that by crafting a malicious font file which has a name with UINT32_MAX, leading to read_section_as_string() to an arithmetic overflow, zero-sized allocation and further heap-based buffer overflow.
CVE-2020-15707: Integer overflows were discovered in the functions grub_cmd_initrd and grub_initrd_init in the efilinux component of GRUB2, as shipped in Debian, Red Hat, and Ubuntu (the functionality is not included in GRUB2 upstream), leading to a heap-based buffer overflow. These could be triggered by an extremely large number of arguments to the initrd command on 32-bit architectures, or a crafted filesystem with very large files on any architecture. An attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions. This issue affects GRUB2 version 2.04 and prior versions.
CVE-2020-15706: GRUB2 contains a race condition in grub_script_function_create() leading to a use-after-free vulnerability which can be triggered by redefining a function whilst the same function is already executing, leading to arbitrary code execution and secure boot restriction bypass. This issue affects GRUB2 version 2.04 and prior versions.

Please fix them.

Created: 2020-07-29 Last update: 2020-08-02 06:48

Issues found with some translations low

Automatic checks made by the Debian l10n team found some issues with the translations contained in this package. You should check the l10n status report for more information.

Issues can be things such as missing translations, problematic translated strings, outdated PO files, unknown languages, etc.

Created: 2020-02-26 Last update: 2020-02-26 10:49

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2014-07-02 Last update: 2014-07-02 18:05

testing migrations

excuses:
- Migration status for grub2 (2.04-8 to 2.04-9): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- Updating grub2 introduces new bugs: #966575
- missing build on armhf
- Additional info:
- Piuparts tested OK - https://piuparts.debian.org/sid/source/g/grub2.html
- 6 days old (needed 2 days)
- Not considered

news

[rss feed]

[2020-07-30] Accepted grub2 2.02+dfsg1-20+deb10u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Colin Watson)
[2020-07-30] Accepted grub2 2.02+dfsg1-20+deb10u2 (source) into stable->embargoed, stable (Debian FTP Masters) (signed by: Colin Watson)
[2020-07-29] Accepted grub2 2.02+dfsg1-20+deb10u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Colin Watson)
[2020-07-29] Accepted grub2 2.04-9 (source) into unstable (Colin Watson)
[2020-07-29] Accepted grub2 2.02+dfsg1-20+deb10u1 (source) into stable->embargoed, stable (Debian FTP Masters) (signed by: Colin Watson)
[2020-06-12] grub2 2.04-8 MIGRATED to testing (Debian testing watch)
[2020-06-07] Accepted grub2 2.04-8 (source) into unstable (Colin Watson)
[2020-05-01] grub2 2.04-7 MIGRATED to testing (Debian testing watch)
[2020-04-22] Accepted grub2 2.04-7 (source) into unstable (Colin Watson)
[2020-04-20] Accepted grub2 2.04-6 (source) into unstable (Colin Watson)
[2019-12-30] grub2 2.04-5 MIGRATED to testing (Debian testing watch)
[2019-12-16] Accepted grub2 2.04-5 (source) into unstable (Colin Watson)
[2019-11-14] grub2 2.04-4 MIGRATED to testing (Debian testing watch)
[2019-11-08] Accepted grub2 2.04-4 (source) into unstable (Colin Watson)
[2019-09-07] grub2 2.04-3 MIGRATED to testing (Debian testing watch)
[2019-08-30] Accepted grub2 2.04-3 (source) into unstable (Colin Watson)
[2019-08-11] Accepted grub2 2.02~beta3-5+deb9u2 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Colin Watson)
[2019-08-09] grub2 2.04-2 MIGRATED to testing (Debian testing watch)
[2019-08-03] Accepted grub2 2.04-2 (source) into unstable (Colin Watson)
[2019-07-15] grub2 2.04-1 MIGRATED to testing (Debian testing watch)
[2019-07-09] Accepted grub2 2.04-1 (source) into unstable (Colin Watson)
[2019-07-01] grub2 2.02+dfsg1-20 MIGRATED to testing (Debian testing watch)
[2019-06-30] grub2 2.02+dfsg1-20 MIGRATED to testing (Debian testing watch)
[2019-06-29] grub2 2.02+dfsg1-20 MIGRATED to testing (Debian testing watch)
[2019-06-27] Accepted grub2 2.04~rc1-3 (source) into experimental (Colin Watson)
[2019-06-25] Accepted grub2 2.02+dfsg1-20 (source) into unstable (Steve McIntyre)
[2019-06-23] grub2 2.02+dfsg1-19 MIGRATED to testing (Debian testing watch)
[2019-06-15] Accepted grub2 2.04~rc1-2 (source) into experimental (Colin Watson)
[2019-06-14] Accepted grub2 2.02+dfsg1-19 (source) into unstable (Colin Watson)
[2019-05-30] Accepted grub2 2.04~rc1-1 (source) into experimental (Colin Watson)

bugs [bug history graph]

all: 579 605
RC: 10 11
I&N: 419 436
M&W: 150 158
F&P: 0
patch: 42 52

links

homepage
lintian (2, 14)
buildd: logs, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
security tracker
screenshots
l10n (93, 82)

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.04-1ubuntu26.2
476 bugs (21 patches)
patches for 2.04-1ubuntu26.2