mirror of
https://github.com/godotengine/buildroot.git
synced 2025-12-31 09:48:56 +03:00
65c99394ff
Grub 2.06 is affected by a number of CVEs, which have been fixed in the master branch of Grub, but are not yet part of any release (there is a 2.12-rc1 release, but nothing else between 2.06 and 2.12-rc1). So this patch backports the relevant fixes for CVE-2022-28736, CVE-2022-28735, CVE-2021-3695, CVE-2021-3696, CVE-2021-3697, CVE-2022-28733, CVE-2022-28734, CVE-2022-2601 and CVE-2022-3775. It should be noted that CVE-2021-3695, CVE-2021-3696, CVE-2021-3697 are not reported as affecting Grub by our CVE matching logic because the NVD database uses an incorrect CPE ID in those CVEs: it uses "grub" as the product instead of "grub2" like all other CVEs for grub. This issue has been reported to the NVD maintainers. This requires backporting a lot of patches, but jumping from 2.06 to 2.12-rc1 implies getting 592 commits, which is quite a lot. All Grub test cases are working fine: https://gitlab.com/tpetazzoni/buildroot/-/pipelines/984500585 https://gitlab.com/tpetazzoni/buildroot/-/pipelines/984500679 Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> [Arnout: fix check-package warning in patch 0002] Signed-off-by: Arnout Vandecappelle <arnout@mind.be>