Bug#1132510: bookworm-pu: package grub2/2.06-13+deb12u2

Steve McIntyre steve at einval.com
Wed Apr 1 21:42:28 BST 2026


Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: grub2 at packages.debian.org
Control: affects -1 + src:grub2
User: release.debian.org at packages.debian.org
Usertags: pu

Hi!

Along with the update to shim in bookworm, I'd like to update our grub2
packages.

The key changes here are:

 * Backport lots of CVE fixes from the GRUB updates in 2025
 * Disable ntfs and jfs from the monolithic grub-efi image, so we
   don't support them in Secure Boot any more.
 * These allow us to bump SBAT to "grub,5" (which we'll need as a
   minimum security level going forwards for Secure Boot)
 * Set Protected: yes for -signed packages so they cannot easily be removed
 * Misc salsa-ci updates for bookworm

Those CVE fixes are marked as nodsa by the security team, hence aiming
for bookworm-pu rather than going via -security. They've all been
fixed in trixie and forky already, but we'd never uploaded similar
fixes for bookworm.

I'm about to bump the minimum revocations in shim for bookworm, trixie
and forky - this will break SB for our existing bookworm signed
grub-efi packages as they only have "grub,4". Hence this upload to
make things work for bookworm again. I'm expecting this may be the
last set of bookworm updates for shim and grub; let's get them to a
state where they'll live as long as possible.

I've tested that the binaries here work on a range of machines; the
backported patches included don't show any regressions. There *were*
known regressions in the patches for NTFS, hence we've dropped those
and disabled it for SB instead - similar to trixie and forky.

grub2 (2.06-13+deb12u2) bookworm; urgency=medium

  [ Julian Andres Klode ]
  * Set Protected: yes for -signed packages so they cannot easily be removed
  * debian/patches: Backport to bookworm

  [ Felix Zielcke ]
  * Add salsa-ci.yml and disable blhc and reprotest pipelines.

  [ Luca Boccassi ]
  * salsa-ci: configure for stable builds

  [ Mate Kukri ]
  * Cherry-pick remaining XFS delta from 2.12
  * Cherry-pick upstream vulnerability fixes
  * Cherry-pick extfs regression patch
  * Cherry-pick xfs regression patches
  * Bump SBAT level to grub,5
  * fs/fat: Don't error when mtime is 0 (LP: #2098641)
  * SECURITY UPDATE: video/readers/jpeg: Do not permit duplicate SOF0 markers in JPEG
    - CVE-2024-45774
  * SECURITY UPDATE: commands/extcmd: Missing check for failed allocation
    - CVE-2024-45775
  * SECURITY UPDATE: gettext: Integer overflow leads to heap OOB write or read
    - CVE-2024-45776
  * SECURITY UPDATE: gettext: Integer overflow leads to heap OOB write
    - CVE-2024-45777
  * SECURITY UPDATE: fs/bfs: Integer overflow
    - CVE-2024-45778
  * SECURITY UPDATE: fs/bfs: integer overflow leads to heap OOB read
    - CVE-2024-45779
  * SECURITY UPDATE: fs/tar: Integer overflow leads to heap OOB write
    - CVE-2024-45780
  * SECURITY UPDATE: fs/ufs: `strcpy` use leading to heap OOB write
    - CVE-2024-45781
  * SECURITY UPDATE: fs/hfs: `strcpy` use leading to potential heap OOB write
    - CVE-2024-45782
  * SECURITY UPDATE: fs/hfsplus: incorrect refcount handling leading to UAF
    - CVE-2024-45783
  * SECURITY UPDATE: command/gpg: Use-after-free due to hooks not being removed on module unload
    - CVE-2025-0622
  * SECURITY UPDATE: net: Out-of-bounds write in grub_net_search_config_file()
    - CVE-2025-0624
  * SECURITY UPDATE: UFS: Integer overflow may lead to heap based out-of-bounds write when handling symlinks
    - CVE-2025-0677
  * SECURITY UPDATE: squash4: Integer overflow may lead to heap based out-of-bounds write when reading data
    - CVE-2025-0678
  * SECURITY UPDATE: reiserfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data
    - CVE-2025-0684
  * SECURITY UPDATE: jfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data
    - CVE-2025-0685
  * SECURITY UPDATE: romfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data
    - CVE-2025-0686
  * SECURITY UPDATE: udf: Heap based buffer overflow in grub_udf_read_block() may lead to arbitrary code execution
    - CVE-2025-0689
  * SECURITY UPDATE: read: Integer overflow may lead to out-of-bounds write
    - CVE-2025-0690
  * SECURITY UPDATE: commands/dump: The dump command is not in lockdown when secure boot is enabled
    - CVE-2025-1118
  * SECURITY UPDATE: fs/hfs: Integer overflow may lead to heap based out-of-bounds write
    - CVE-2025-1125
  * SECURITY UPDATE: insmod: incorrect refcount handling leading to UAF [LP: #2055835]

  [ Steve McIntyre ]
  * Drop NTFS patches that seem to be causing regressions
  * Remove NTFS from the monolithic EFI grub image, so we don't sign
    vulnerable code.
  * Similarly, remove jfs - we have doubts.
  * Bump SBAT levels:
    + grub,5 now we have the 2025 CVE fixes included
    + grub.debian,5
    + grub.debian12,1

 -- Steve McIntyre <93sam at debian.org>  Wed, 01 Apr 2026 21:03:46 +0100

I've attached a debdiff, filtering out PO file rebuild noise.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: grub2_2.06-13+deb12u2.debdiff.gz
Type: application/gzip
Size: 64269 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-grub-devel/attachments/20260401/c6fe6023/attachment-0001.gz>
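The SBAT check behind the shim revocation bump described above, as an added example that is not part of the bug report or the grub2 packaging: shim refuses an image if any of its SBAT entries carries a lower generation than the policy floor for that component, which is why a "grub,4" image stops booting once the floor is "grub,5". The sample SBAT sections, the grub.debian,4 value for the old image and the policy date are constructed.

```python
import csv
from io import StringIO

# Constructed sample data (not from the report): a bookworm grub-efi image as
# shipped before this upload carried grub,4; the new upload carries the
# generations listed in the changelog. The grub.debian,4 value for the old
# image and the policy date are assumptions.
OLD_IMAGE_SBAT = """sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.debian,4,Debian,grub2,2.06-13+deb12u1,https://tracker.debian.org/pkg/grub2
"""
NEW_IMAGE_SBAT = """sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,5,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.debian,5,Debian,grub2,2.06-13+deb12u2,https://tracker.debian.org/pkg/grub2
grub.debian12,1,Debian,grub2,2.06-13+deb12u2,https://tracker.debian.org/pkg/grub2
"""
# A shim SbatLevel policy requiring grub generation 5 (constructed).
POLICY_SBAT = """sbat,1,2026040100
grub,5
"""


def parse_sbat(text: str) -> dict[str, int]:
    """Map component name -> generation; the remaining CSV fields are informational."""
    gens = {}
    for row in csv.reader(StringIO(text.strip())):
        if len(row) >= 2 and row[0].strip():
            gens[row[0].strip()] = int(row[1])
    return gens


def revoked_entries(image_sbat: str, policy_sbat: str) -> list[tuple[str, int, int]]:
    """Entries whose generation is below the policy floor for the same component.

    Components the policy does not mention are never revoked, and a component
    the image lacks is not a failure either; only a lower generation is.
    """
    floor = parse_sbat(policy_sbat)
    return [(name, gen, floor[name])
            for name, gen in parse_sbat(image_sbat).items()
            if name in floor and gen < floor[name]]


def boots_under_policy(image_sbat: str, policy_sbat: str) -> bool:
    return not revoked_entries(image_sbat, policy_sbat)


if __name__ == "__main__":
    for label, sbat in (("old", OLD_IMAGE_SBAT), ("new", NEW_IMAGE_SBAT)):
        print(label, "boots" if boots_under_policy(sbat, POLICY_SBAT) else
              f"blocked: {revoked_entries(sbat, POLICY_SBAT)}")
```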