diff --git a/1090-bugfix-for-CVE-2025-61661,CVE-2025-54770,CVE-2025-61663,CVE-2025-61662,CVE-2025-61664.patch b/1090-bugfix-for-CVE-2025-61661,CVE-2025-54770,CVE-2025-61663,CVE-2025-61662,CVE-2025-61664.patch new file mode 100644 index 0000000000000000000000000000000000000000..c77fb96df7a11d9323f88b35341b6ce8a13d8aeb --- /dev/null +++ b/1090-bugfix-for-CVE-2025-61661,CVE-2025-54770,CVE-2025-61663,CVE-2025-61662,CVE-2025-61664.patch @@ -0,0 +1,106 @@ + + + +]> + + + + + + +Savannah Git Hosting - grub.git/commitdiff + + + + + + + + +
+git@sv / grub.git / commitdiff +
+
+ + + + ? search: + +
+
+
+summary | shortlog | log | commit | commitdiff | tree
+raw | patch | inline | side by side (from parent 1: 9df1e69)
+
+
+commands/usbtest: Use correct string length field +
+
+ + + + + +
authorJamie <volticks@gmail.com>
Mon, 14 Jul 2025 08:52:59 +0000 (09:52 +0100)
committerDaniel Kiper <daniel.kiper@oracle.com>
Tue, 18 Nov 2025 13:34:44 +0000 (14:34 +0100)
+
+
+An incorrect length field is used for buffer allocation. This leads to
+grub_utf16_to_utf8() receiving an incorrect/different length and possibly
+causing OOB write. This makes sure to use the correct length.
+
+Fixes: CVE-2025-61661
+Reported-by: Jamie <volticks@gmail.com>
+Signed-off-by: Jamie <volticks@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+
+
+ + + + + + +
grub-core/commands/usbtest.cpatch | blob | history
+
+
+
+
diff --git a/grub-core/commands/usbtest.c b/grub-core/commands/usbtest.c
+
+index 2c6d93fe66d5f1d0f322d69106eff9c4f748c53b..8ef187a9ae765c409a8039b7b00d62d750e60eee 100644 (file)
+
+
--- a/grub-core/commands/usbtest.c
+
+++ b/grub-core/commands/usbtest.c
+
@@ -99,7 +99,7 @@ grub_usb_get_string (grub_usb_device_t dev, grub_uint8_t index, int langid,
+
       return GRUB_USB_ERR_NONE;
+
     }
+
 
+
-  *string = grub_malloc (descstr.length * 2 + 1);
+
+  *string = grub_malloc (descstrp->length * 2 + 1);
+
   if (! *string)
+
     {
+
       grub_free (descstrp);
+
+
+
+
+
GNU GRUB
+ + +
+ + + + \ No newline at end of file diff --git a/1091-bugfix-for-CVE-2025-61661,CVE-2025-54770,CVE-2025-61663,CVE-2025-61662,CVE-2025-61664.patch b/1091-bugfix-for-CVE-2025-61661,CVE-2025-54770,CVE-2025-61663,CVE-2025-61662,CVE-2025-61664.patch new file mode 100644 index 0000000000000000000000000000000000000000..9b1771827408a9e6dcac2af7caae37e550cb9ed8 --- /dev/null +++ b/1091-bugfix-for-CVE-2025-61661,CVE-2025-54770,CVE-2025-61663,CVE-2025-61662,CVE-2025-61664.patch @@ -0,0 +1,107 @@ + + + +]> + + + + + + +Savannah Git Hosting - grub.git/commitdiff + + + + + + + + +
+git@sv / grub.git / commitdiff +
+
+ + + + ? search: + +
+
+
+summary | shortlog | log | commit | commitdiff | tree
+raw | patch | inline | side by side (from parent 1: c4fb4cb)
+
+
+net/net: Unregister net_set_vlan command on unload +
+
+ + + + + +
authorThomas Frauendorfer | Miray Software <tf@miray.de>
Fri, 9 May 2025 12:20:47 +0000 (14:20 +0200)
committerDaniel Kiper <daniel.kiper@oracle.com>
Tue, 18 Nov 2025 13:34:44 +0000 (14:34 +0100)
+
+
+The commit 954c48b9c (net/net: Add net_set_vlan command) added command
+net_set_vlan to the net module. Unfortunately the commit only added the
+grub_register_command() call on module load but missed the
+grub_unregister_command() on unload. Let's fix this.
+
+Fixes: CVE-2025-54770
+Fixes: 954c48b9c (net/net: Add net_set_vlan command)
+Reported-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
+Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+
+
+ + + + + + +
grub-core/net/net.cpatch | blob | history
+
+
+
+
diff --git a/grub-core/net/net.c b/grub-core/net/net.c
+
+index 6ea33d1cd9eaf1d06301f2a777d5a776813b4e7a..6c94a3b1e3bc26ca654d2187a490b9bed235766e 100644 (file)
+
+
--- a/grub-core/net/net.c
+
+++ b/grub-core/net/net.c
+
@@ -2146,6 +2146,7 @@ GRUB_MOD_FINI(net)
+
   grub_unregister_command (cmd_deladdr);
+
   grub_unregister_command (cmd_addroute);
+
   grub_unregister_command (cmd_delroute);
+
+  grub_unregister_command (cmd_setvlan);
+
   grub_unregister_command (cmd_lsroutes);
+
   grub_unregister_command (cmd_lscards);
+
   grub_unregister_command (cmd_lsaddr);
+
+
+
+
+
GNU GRUB
+ + +
+ + + + \ No newline at end of file diff --git a/1092-bugfix-for-CVE-2025-61661,CVE-2025-54770,CVE-2025-61663,CVE-2025-61662,CVE-2025-61664.patch b/1092-bugfix-for-CVE-2025-61661,CVE-2025-54770,CVE-2025-61663,CVE-2025-61662,CVE-2025-61664.patch new file mode 100644 index 0000000000000000000000000000000000000000..99e0949a9674ead1b455dd0bede95a2d419788fa --- /dev/null +++ b/1092-bugfix-for-CVE-2025-61661,CVE-2025-54770,CVE-2025-61663,CVE-2025-61662,CVE-2025-61664.patch @@ -0,0 +1,130 @@ + + + +]> + + + + + + +Savannah Git Hosting - grub.git/commitdiff + + + + + + + + +
+git@sv / grub.git / commitdiff +
+
+ + + + ? search: + +
+
+
+summary | shortlog | log | commit | commitdiff | tree
+raw | patch | inline | side by side (parent: 8ed78fd)
+
+
+normal/main: Unregister commands on module unload +
+
+ + + + + +
authorAlec Brown <alec.r.brown@oracle.com>
Thu, 21 Aug 2025 21:14:07 +0000 (21:14 +0000)
committerDaniel Kiper <daniel.kiper@oracle.com>
Tue, 18 Nov 2025 13:34:44 +0000 (14:34 +0100)
+
+
+When the normal module is loaded, the normal and normal_exit commands
+are registered but aren't unregistered when the module is unloaded. We
+need to add calls to grub_unregister_command() when unloading the module
+for these commands.
+
+Fixes: CVE-2025-61663
+Fixes: CVE-2025-61664
+Reported-by: Alec Brown <alec.r.brown@oracle.com>
+Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+
+
+ + + + + + +
grub-core/normal/main.cpatch | blob | history
+
+
+
+
diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+
+index 8c2acf938b3675030dc9f7dc3a2b4314945a28df..de9a3f9612aaa10e0e8d528f118d1944d1ac48e2 100644 (file)
+
+
--- a/grub-core/normal/main.c
+
+++ b/grub-core/normal/main.c
+
@@ -510,7 +510,7 @@ grub_mini_cmd_clear (struct grub_command *cmd __attribute__ ((unused)),
+
   return 0;
+
 }
+
 
+
-static grub_command_t cmd_clear;
+
+static grub_command_t cmd_clear, cmd_normal, cmd_normal_exit;
+
 
+
 static void (*grub_xputs_saved) (const char *str);
+
 static const char *features[] = {
+
@@ -554,10 +554,10 @@ GRUB_MOD_INIT(normal)
+
   grub_env_export ("pager");
+
 
+
   /* Register a command "normal" for the rescue mode.  */
+
-  grub_register_command ("normal", grub_cmd_normal,
+
-                        0, N_("Enter normal mode."));
+
-  grub_register_command ("normal_exit", grub_cmd_normal_exit,
+
-                        0, N_("Exit from normal mode."));
+
+  cmd_normal = grub_register_command ("normal", grub_cmd_normal,
+
+                                     0, N_("Enter normal mode."));
+
+  cmd_normal_exit = grub_register_command ("normal_exit", grub_cmd_normal_exit,
+
+                                          0, N_("Exit from normal mode."));
+
 
+
   /* Reload terminal colors when these variables are written to.  */
+
   grub_register_variable_hook ("color_normal", NULL, grub_env_write_color_normal);
+
@@ -599,4 +599,6 @@ GRUB_MOD_FINI(normal)
+
   grub_register_variable_hook ("color_highlight", NULL, NULL);
+
   grub_fs_autoload_hook = 0;
+
   grub_unregister_command (cmd_clear);
+
+  grub_unregister_command (cmd_normal);
+
+  grub_unregister_command (cmd_normal_exit);
+
 }
+
+
+
+
+
GNU GRUB
+ + +
+ + + + \ No newline at end of file diff --git a/1093-bugfix-for-CVE-2025-61661,CVE-2025-54770,CVE-2025-61663,CVE-2025-61662,CVE-2025-61664.patch b/1093-bugfix-for-CVE-2025-61661,CVE-2025-54770,CVE-2025-61663,CVE-2025-61662,CVE-2025-61664.patch new file mode 100644 index 0000000000000000000000000000000000000000..b30994700f2626da7cb8595467f96e945b6f3925 --- /dev/null +++ b/1093-bugfix-for-CVE-2025-61661,CVE-2025-54770,CVE-2025-61663,CVE-2025-61662,CVE-2025-61664.patch @@ -0,0 +1,111 @@ + + + +]> + + + + + + +Savannah Git Hosting - grub.git/blobdiff - grub-core/gettext/gettext.c + + + + + + + + +
+git@sv / grub.git / blobdiff +
+
+ + + + ? search: + +
+
+
+summary | shortlog | log | commit | commitdiff | tree
+raw | inline | side by side
+
+
+gettext/gettext: Unregister gettext command on module unload +
+
[grub.git] / grub-core / gettext / gettext.c
+
+
+
+
diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
+
+index 9ffc734284e9985118d5331e6826e580300454b2..edebed9984e85c03aec0ef8d94e520fe6bf0545d 100644 (file)
+
+
--- a/grub-core/gettext/gettext.c
+
+++ b/grub-core/gettext/gettext.c
+
@@ -502,6 +502,8 @@ grub_cmd_translate (grub_command_t cmd __attribute__ ((unused)),
+
   return 0;
+
 }
+
 
+
+static grub_command_t cmd;
+
+
+
 GRUB_MOD_INIT (gettext)
+
 {
+
   const char *lang;
+
@@ -521,13 +523,14 @@ GRUB_MOD_INIT (gettext)
+
   grub_register_variable_hook ("locale_dir", NULL, read_main);
+
   grub_register_variable_hook ("secondary_locale_dir", NULL, read_secondary);
+
 
+
-  grub_register_command_p1 ("gettext", grub_cmd_translate,
+
-                           N_("STRING"),
+
-                           /* TRANSLATORS: It refers to passing the string through gettext.
+
-                              So it's "translate" in the same meaning as in what you're
+
-                              doing now.
+
-                            */
+
-                           N_("Translates the string with the current settings."));
+
+  cmd = grub_register_command_p1 ("gettext", grub_cmd_translate,
+
+                                 N_("STRING"),
+
+                                 /*
+
+                                  * TRANSLATORS: It refers to passing the string through gettext.
+
+                                  * So it's "translate" in the same meaning as in what you're
+
+                                  * doing now.
+
+                                  */
+
+                                 N_("Translates the string with the current settings."));
+
 
+
   /* Reload .mo file information if lang changes.  */
+
   grub_register_variable_hook ("lang", NULL, grub_gettext_env_write_lang);
+
@@ -544,6 +547,8 @@ GRUB_MOD_FINI (gettext)
+
   grub_register_variable_hook ("secondary_locale_dir", NULL, NULL);
+
   grub_register_variable_hook ("lang", NULL, NULL);
+
 
+
+  grub_unregister_command (cmd);
+
+
+
   grub_gettext_delete_list (&main_context);
+
   grub_gettext_delete_list (&secondary_context);
+
 
+
+
+
+
+
GNU GRUB
+ + +
+ + + + \ No newline at end of file diff --git a/grub.patches b/grub.patches index 4898a1f51643275ee399904ee9ec300ff62593da..00675f5d91c6c6abec579bf583db6b6639c5d278 100644 --- a/grub.patches +++ b/grub.patches @@ -288,3 +288,13 @@ Patch1084: 1084-kern-misc-Add-sanity-check-after-grub_strtoul-call.patch Patch1085: 1085-loader-i386-linux-Cast-left-shift-to-grub_uint32_t.patch Patch1086: 1086-loader-i386-bsd-Use-safe-math-to-avoid-underflow.patch Patch1087: 1087-fix-CVE-2024-56738.patch +# https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=commitdiff;h=549a9cc372fd0b96a4ccdfad0e12140476cc62a3;hp=9df1e693e70c5a274b6d60dc76efe2694b89c2fc +Patch1090: 1090-bugfix-for-CVE-2025-61661,CVE-2025-54770,CVE-2025-61663,CVE-2025-61662,CVE-2025-61664.patch +# https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=commitdiff;h=10e58a14db20e17d1b6a39abe38df01fef98e29d;hp=c4fb4cbc941981894a00ba8e75d634a41967a27f +Patch1091: 1091-bugfix-for-CVE-2025-61661,CVE-2025-54770,CVE-2025-61663,CVE-2025-61662,CVE-2025-61664.patch +# https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=commitdiff;h=05d3698b8b03eccc49e53491bbd75dba15f40917 +Patch1092: 1092-bugfix-for-CVE-2025-61661,CVE-2025-54770,CVE-2025-61663,CVE-2025-61662,CVE-2025-61664.patch +# https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=blobdiff;f=grub-core/gettext/gettext.c;h=edebed9984e85c03aec0ef8d94e520fe6bf0545d;hp=9ffc734284e9985118d5331e6826e580300454b2;hb=8ed78fd9f0852ab218cc1f991c38e5a229e43807;hpb=10e58a14db20e17d1b6a39abe38df01fef98e29d +Patch1093: 1093-bugfix-for-CVE-2025-61661,CVE-2025-54770,CVE-2025-61663,CVE-2025-61662,CVE-2025-61664.patch +# https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=commitdiff;h=05d3698b8b03eccc49e53491bbd75dba15f40917 +Patch1094: 1094-bugfix-for-CVE-2025-61661,CVE-2025-54770,CVE-2025-61663,CVE-2025-61662,CVE-2025-61664.patch diff --git a/grub2.spec b/grub2.spec index e5a800a564888e73d630f7283d3bab7dd83865b7..82c0fd1d4e4f7ecb95666f667f7f09212a06b5af 100644 --- a/grub2.spec +++ b/grub2.spec @@ -1,4 +1,4 @@ -%define anolis_release 18 +%define anolis_release 19 %global _lto_cflags %{nil} %undefine _hardened_build @@ -510,6 +510,9 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg %endif %changelog +* Thu Nov 20 2025 tomcruiseqi - 1:2.12-19 +- Fix CVE-2025-61661, CVE-2025-54770, CVE-2025-61663, CVE-2025-61662, CVE-2025-61664 + * Mon Oct 27 2025 Yihao Yan - 2.12-18 - fix patches index