Hello community,

here is the log from the commit of package grub2 for openSUSE:Leap:15.2 checked 
in at 2020-02-27 06:40:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/grub2 (Old)
 and      /work/SRC/openSUSE:Leap:15.2/.grub2.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "grub2"

Thu Feb 27 06:40:45 2020 rev:78 rq:778828 version:2.04

Changes:
--------
--- /work/SRC/openSUSE:Leap:15.2/grub2/grub2.changes    2020-02-16 
18:26:12.830651828 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.grub2.new.26092/grub2.changes 2020-02-27 
06:40:47.685521054 +0100
@@ -1,0 +2,14 @@
+Tue Feb 18 08:43:30 UTC 2020 - Michael Chang <[email protected]>
+
+- Fix grub hangs after loading rogue image without valid signature for uefi
+  secure boot (bsc#1159102)
+  * grub2-verifiers-fix-system-freeze-if-verify-failed.patch
+
+-------------------------------------------------------------------
+Tue Feb  4 07:59:40 UTC 2020 - Michael Chang <[email protected]>
+
+- From Stefan Seyfried <[email protected]> : Fix grub2-install fails
+  with "not a directory" error (boo#1161641, bsc#1162403)
+  * grub2-install-fix-not-a-directory-error.patch
+
+-------------------------------------------------------------------

New:
----
  grub2-install-fix-not-a-directory-error.patch
  grub2-verifiers-fix-system-freeze-if-verify-failed.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ grub2.spec ++++++
--- /var/tmp/diff_new_pack.x29VCT/_old  2020-02-27 06:40:49.429524686 +0100
+++ /var/tmp/diff_new_pack.x29VCT/_new  2020-02-27 06:40:49.433524695 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package grub2
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -222,6 +222,8 @@
 Patch85:        grub2-getroot-scan-disk-pv.patch
 Patch92:        grub2-util-30_os-prober-multiple-initrd.patch
 Patch93:        grub2-getroot-support-nvdimm.patch
+Patch94:        grub2-install-fix-not-a-directory-error.patch
+Patch95:        grub2-verifiers-fix-system-freeze-if-verify-failed.patch
 # Btrfs snapshot booting related patches
 Patch101:       grub2-btrfs-01-add-ability-to-boot-from-subvolumes.patch
 Patch102:       grub2-btrfs-02-export-subvolume-envvars.patch
@@ -506,6 +508,8 @@
 %patch85 -p1
 %patch92 -p1
 %patch93 -p1
+%patch94 -p1
+%patch95 -p1
 %patch101 -p1
 %patch102 -p1
 %patch103 -p1


++++++ grub2-install-fix-not-a-directory-error.patch ++++++
From: Stefan Seyfried <[email protected]>
Subject: Makefile.am: makes sure that ext2/3/4 is tried before minix
References: boo#1161641

I recently came across a strange grub2-install error when building kiwi images
in OBS. The reason is a bug in the minix file system detection. I filed
upstream bug [1].
  
Note I experienced this on SLES15-SP1. The bug is still present in current
Tumbleweed [2]. This bug thus needs fixing in all supported openSUSE releases.
  
The reproducer-script is called as root like

  bash ./grub-bug-57652-reproduce-suse.sh /tmp/grub-test.img /mnt

/tmp needs 1GB of free storage to store the image.

Maybe this would be good enough as a minimal-intrusive fix. It does not fix the
minix detection code, but instead makes sure that ext[234] is tried before
minix.

[1] https://savannah.gnu.org/bugs/index.php?57652
[2] https://bugzilla.opensuse.org/attachment.cgi?id=828118

Index: grub-2.04/Makefile.am
===================================================================
--- grub-2.04.orig/Makefile.am
+++ grub-2.04/Makefile.am
@@ -42,8 +42,11 @@ libgrub.pp: grub_script.tab.h grub_scrip
          -D'GRUB_MOD_INIT(x)=@MARKER@x@' $^ > $@ || (rm -f $@; exit 1)
 CLEANFILES += libgrub.pp
 
+# the grep/sed ensures that ext2 gets initialized before minix*
+# see https://savannah.gnu.org/bugs/?57652
 libgrub_a_init.lst: libgrub.pp
        cat $< | grep '@MARKER@' | sed 's/@MARKER@\(.*\)@/\1/g' | sort -u > $@ 
|| (rm -f $@; exit 1)
+       if grep ^ext2 $@ >/dev/null; then sed '/ext2/d;/newc/iext2' < $@ > 
[email protected] && mv [email protected] $@; fi
 CLEANFILES += libgrub_a_init.lst
 
 libgrub_a_init.c: libgrub_a_init.lst $(top_srcdir)/geninit.sh
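Review bot: The added `sed '/ext2/d;/newc/iext2'` line in the libgrub_a_init.lst rule deletes the ext2 entry unconditionally but re-inserts it only where a line matching `newc` exists, while the guard `grep ^ext2` tests only for ext2. A module list without a newc entry would therefore silently lose ext2 initialization. Consider testing for newc as well, or inserting ext2 at a position that does not depend on another module, and anchoring both patterns (`/^ext2$/`, `/^newc$/`) so that other lines containing those strings are neither deleted nor used as the insertion point. The comment says ext2 gets initialized before minix*, yet after `sort -u` the newc line comes after the minix* entries, so this edit moves ext2 later in the list. The comment should state the intended ordering and why it causes ext2 to be tried first. The one-line `iext2` form is a GNU sed extension, which matters if the build is expected to work with other sed implementations.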
++++++ grub2-verifiers-fix-system-freeze-if-verify-failed.patch ++++++
From d0de8b37f651e13886ef0e0fda285a1294adafe8 Mon Sep 17 00:00:00 2001
From: Michael Chang <[email protected]>
Date: Tue, 18 Feb 2020 18:08:18 +0800
Subject: [PATCH] verifiers: Fix calling uninitialized function pointer

The necessary check for NULL before use of function ver->close is not
taking place in the failure path. This patch simply adds the missing
check and fixes the problem that GRUB hangs indefinitely after booting
rogue image without valid signature if secure boot is turned on.

Now it displays like this for booting rogue UEFI image:

  error: bad shim signature
  error: you need to load the kernel first

  Press any key to continue...

and then you can go back to the boot menu by pressing any key or after a few
seconds have expired.

Signed-off-by: Michael Chang <[email protected]>
Reviewed-by: Javier Martinez Canillas <[email protected]>
Reviewed-by: Daniel Kiper <[email protected]>
---
 grub-core/commands/verifiers.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/grub-core/commands/verifiers.c b/grub-core/commands/verifiers.c
index 0dde48182..7b9297cd3 100644
--- a/grub-core/commands/verifiers.c
+++ b/grub-core/commands/verifiers.c
@@ -196,7 +196,8 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type 
type)
   return ret;
 
  fail:
-  ver->close (context);
+  if (ver->close)
+    ver->close (context);
  fail_noclose:
   verified_free (verified);
   grub_free (ret);
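Review bot: The new `if (ver->close)` guard at the fail label only helps when an unset close callback is NULL, but the subject line calls this an "uninitialized function pointer"; a pointer that is truly uninitialized would pass this check and still be called. Reword the subject to say NULL or unset callback, and add a short comment at the check stating that close is optional for a verifier, so that any failure path added later keeps the same guard.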
-- 
2.16.4


