update to 2.04-1ubuntu47.4 drops zz-update-grub

Bug #1995751 reported by dann frazier
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
grub2 (Ubuntu) | Invalid | Critical | Unassigned |
grub2 (Ubuntu Bionic) | Fix Released | Undecided | Unassigned |
grub2-unsigned (Ubuntu) | Confirmed | Undecided | Unassigned |
grub2-unsigned (Ubuntu Bionic) | In Progress | Undecided | Unassigned |
grub2-unsigned (Ubuntu Focal) | Fix Released | Undecided | Unassigned |

Bug Description

[Impact]
New kernels don't appear in boot menu after install

[Test plan]
On a bionic VM, purge all grub and shim packages.

Test 1: Upgrade release EFI stack
- Install shim-signed with only release pocket
- Enable -updates and add the proposed package, and upgrade

Test 2: Upgrade broken EFI stack
- Install shim-signed with only release and updates pocket
- Upgrade grub2 binaries from proposed

Test 3: Install latest EFI stack
- Install shim-signed with release, updates, proposed grub2 enabled.

Test 1a: Upgrade hybrid release stack:
(same as 1, but install shim-signed and grub-pc)
Test 2a: Upgrade hybrid broken stack:
(same as 2, but install shim-signed and grub-pc)
Test 3a: Upgrade hybrid broken stack:
(same as 2, but install shim-signed and grub-pc)

In all cases check that no errors occur and the /etc/kernel/postinst.d/zz-update-grub script exists at the end.

Test 10: (grub2-unsigned)

Ensure that grub-efi-{amd64,arm64} binary cannot be installed with older grub2-common binary installed / pulls in new binary.

Test 20: (grub2-signed)

Ensure that grub-efi-{amd64,arm64}-signed binary cannot be installed with older grub2-common binary installed / pulls in new binary.

[Where problems could occur]
Could have missed a grub-.* binary or gotten the versions wrong and cause file conflicts.

[build in -security]
SRU is built in -security and binary copied to facilitate releasing the security update to grub2-unsigned that needs it.

[Original bug report]
A user reported that the GRUB menu was no longer being updated on a freshly deployed bionic system, and that this appears to be because /etc/kernel/postinst.d/zz-update-grub has disappeared.

# The version in the bionic-security pocket has it:
ubuntu@akis:~$ dpkg -c grub-efi-amd64_2.04-1ubuntu44.1.2_amd64.deb | grep zz
-rwxr-xr-x root/root 646 2021-03-03 11:42 ./etc/kernel/postinst.d/zz-update-grub
-rwxr-xr-x root/root 646 2021-03-03 11:42 ./etc/kernel/postrm.d/zz-update-grub

# The version in bionic-updates does not:
ubuntu@akis:~$ dpkg -c grub-efi-amd64_2.04-1ubuntu47.4_amd64.deb | grep zz
ubuntu@akis:~$

Steve Langasek (vorlon)
tags: added: regression-update
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in grub2-unsigned (Ubuntu Bionic):
status: New → Confirmed
Changed in grub2-unsigned (Ubuntu):
status: New → Confirmed
Julian Andres Klode (juliank) wrote :

This is a reintroduction of bug 1928674 because Steve fixed that locally in a grub2-unsigned upload in bionic that got overridden by a binary copy again because everybody forgot about that and you don't see it in testing because the conffiles stay around after upgrades I suppose.

We should move the files to grub2-common instead of reintroducing them in grub-efi-amd64 because while that's easier to reintroduce there, it's also more likely to get screwed up by more security uploads.

affects: grub2-unsigned (Ubuntu) → grub2 (Ubuntu)
Changed in grub2 (Ubuntu):
status: Confirmed → Invalid
Changed in grub2 (Ubuntu Bionic):
status: Confirmed → Triaged
Julian Andres Klode (juliank) wrote :

So what we need is to move the files and adjust Breaks for this grub2-unsigned version and for unsignable targets, the version of the grub2 upload.

Then we should add Breaks from the grub2-unsigned package so that they also force an upgrade of the old version.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in grub2-unsigned (Ubuntu Bionic):
status: New → Confirmed
Changed in grub2-unsigned (Ubuntu):
status: New → Confirmed
tags: added: foundations-todo
Francis Ginther (fginther) wrote :

The workaround for this issue is to manually run 'sudo update-grub' after installing a new kernel.
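
An added example, not part of the original bug thread or of the grub2 packaging: a POSIX shell audit for hosts hit by this regression. It reports which zz-update-grub kernel hooks are missing and which kernels in /boot are not referenced by grub.cfg, that is, where the workaround above is still needed. The function names and the script name check-grub-hooks are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper, not shipped by any Ubuntu package).
# Each function takes an optional ROOT so a chroot or mounted image can be audited.

# Print every kernel hook that is missing or not executable under ROOT.
missing_hooks() {
    root=${1:-/}
    for d in postinst.d postrm.d; do
        f="$root/etc/kernel/$d/zz-update-grub"
        [ -x "$f" ] || echo "/etc/kernel/$d/zz-update-grub"
    done
}

# Print kernel versions that have a /boot/vmlinuz-<ver> image but no
# "vmlinuz-<ver> " reference in grub.cfg. A missing or unreadable grub.cfg
# (run as root if it is not world-readable) reports every kernel as stale.
stale_kernels() {
    root=${1:-/}
    cfg="$root/boot/grub/grub.cfg"
    for k in "$root"/boot/vmlinuz-*; do
        [ -e "$k" ] || continue
        ver=${k##*/vmlinuz-}
        grep -qsF "vmlinuz-$ver " "$cfg" || echo "$ver"
    done
}

# Report both findings; exit status 0 only when the tree is clean.
check_grub_hooks() {
    hooks=$(missing_hooks "${1:-/}")
    stale=$(stale_kernels "${1:-/}")
    if [ -n "$hooks" ]; then
        echo "$hooks" | sed 's/^/missing or non-executable hook: /'
    fi
    if [ -n "$stale" ]; then
        echo "$stale" | sed 's/^/kernel not in grub.cfg: /'
    fi
    [ -z "$hooks$stale" ]
}

# Run the audit only when saved and invoked under the assumed script name.
case "${0##*/}" in
    check-grub-hooks*) check_grub_hooks "$@" ;;
esac
```

A non-zero exit with "kernel not in grub.cfg" lines means newer kernels, including security updates, are installed but will not be offered at boot until update-grub is run.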

Julian Andres Klode (juliank) wrote :
summary: - update to 2.04-1ubuntu44.2 drops zz-update-grub
+ update to 2.04-1ubuntu47.4 drops zz-update-grub
description: updated
description: updated
description: updated
Changed in grub2-unsigned (Ubuntu):
status: Confirmed → Invalid
status: Invalid → Confirmed
description: updated
Changed in grub2 (Ubuntu Bionic):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.02-2ubuntu8.25

---------------
grub2 (2.02-2ubuntu8.25) bionic; urgency=medium

  [ Colin Watson ]
  * Move kernel maintainer script snippets into grub2-common (thanks,
    Bastian Blank; closes: #910959) (LP: #1995751)

 -- Julian Andres Klode <email address hidden> Tue, 15 Nov 2022 12:13:43 +0100

Changed in grub2 (Ubuntu Bionic):
status: In Progress → Fix Released
Steve Langasek (vorlon) wrote : Please test proposed package

Hello dann, or anyone else affected,

Accepted grub2-unsigned into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-unsigned/2.04-1ubuntu47.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in grub2-unsigned (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed verification-needed-focal
Steve Langasek (vorlon) wrote :

Hello dann, or anyone else affected,

Accepted grub2-signed into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.173.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

dann frazier (dannf) wrote :

= focal verification =
The verification steps required some tweaking to get them to work on focal. Where divergences were required, I've noted them with a "**Note**" below.

== Test 1 ==
ubuntu@ubuntu:~$ sudo apt install -y shim-signed
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  grub-common grub-efi-amd64 grub-efi-amd64-bin grub-efi-amd64-signed grub2-common
  os-prober shim
Suggested packages:
  multiboot-doc grub-emu xorriso desktop-base
The following NEW packages will be installed:
  grub-common grub-efi-amd64 grub-efi-amd64-bin grub-efi-amd64-signed grub2-common
  os-prober shim shim-signed
0 upgraded, 8 newly installed, 0 to remove and 0 not upgraded.
Need to get 4597 kB of archives.
After this operation, 32.5 MB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu focal/main amd64 grub-common amd64 2.04-1ubuntu26 [1853 kB]
Get:2 http://archive.ubuntu.com/ubuntu focal/main amd64 grub-efi-amd64-bin amd64 2.04-1ubuntu26 [702 kB]
Get:3 http://archive.ubuntu.com/ubuntu focal/main amd64 grub2-common amd64 2.04-1ubuntu26 [589 kB]
Get:4 http://archive.ubuntu.com/ubuntu focal/main amd64 grub-efi-amd64 amd64 2.04-1ubuntu26 [46.6 kB]
Get:5 http://archive.ubuntu.com/ubuntu focal/main amd64 grub-efi-amd64-signed amd64 1.142+2.04-1ubuntu26 [468 kB]
Get:6 http://archive.ubuntu.com/ubuntu focal/main amd64 os-prober amd64 1.74ubuntu2 [20.1 kB]
Get:7 http://archive.ubuntu.com/ubuntu focal/main amd64 shim amd64 15+1533136590.3beb971-0ubuntu1 [575 kB]
Get:8 http://archive.ubuntu.com/ubuntu focal/main amd64 shim-signed amd64 1.40.3+15+1533136590.3beb971-0ubuntu1 [344 kB]
Fetched 4597 kB in 0s (13.3 MB/s)
Preconfiguring packages ...
Selecting previously unselected package grub-common.
(Reading database ... 63129 files and directories currently installed.)
Preparing to unpack .../0-grub-common_2.04-1ubuntu26_amd64.deb ...
Unpacking grub-common (2.04-1ubuntu26) ...
Selecting previously unselected package grub-efi-amd64-bin.
Preparing to unpack .../1-grub-efi-amd64-bin_2.04-1ubuntu26_amd64.deb ...
Unpacking grub-efi-amd64-bin (2.04-1ubuntu26) ...
Selecting previously unselected package grub2-common.
Preparing to unpack .../2-grub2-common_2.04-1ubuntu26_amd64.deb ...
Unpacking grub2-common (2.04-1ubuntu26) ...
Selecting previously unselected package grub-efi-amd64.
Preparing to unpack .../3-grub-efi-amd64_2.04-1ubuntu26_amd64.deb ...
Unpacking grub-efi-amd64 (2.04-1ubuntu26) ...
Selecting previously unselected package grub-efi-amd64-signed.
Preparing to unpack .../4-grub-efi-amd64-signed_1.142+2.04-1ubuntu26_amd64.deb ...
Unpacking grub-efi-amd64-signed (1.142+2.04-1ubuntu26) ...
Selecting previously unselected package os-prober.
Preparing to unpack .../5-os-prober_1.74ubuntu2_amd64.deb ...
Unpacking os-prober (1.74ubuntu2) ...
Selecting previously unselected package shim.
Preparing to unpack .../6-shim_15+1533136590.3beb971-0ubuntu1_amd64.deb ...
Unpacking shim (15+1533136590.3beb971-0ubuntu1) ...
Selecting previously unselected package shim-signed.
Preparing to unpack .../7-shim-signed_1.40.3+15+1533136590.3beb971-0ubuntu1_am...

tags: added: verification-done verification-done-focal
removed: verification-needed verification-needed-focal
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-unsigned - 2.04-1ubuntu47.5

---------------
grub2-unsigned (2.04-1ubuntu47.5) focal; urgency=medium

  [ Chris Coulson ]
  * SECURITY UPDATE: Fix out of bounds writes due specially crafted fonts.
    - add debian/patches/font-Fix-several-integer-overflows-in-grub_font_construct.patch
    - add debian/patches/font-Fix-an-integer-underflow-in-blit_comb.patch
    - CVE-2022-2601, CVE-2022-3775
    - LP: #1996950
  * Fix various issues as a result of fuzzing, static analysis and code
    review:
    - add debian/patches/font-Reject-glyphs-exceeds-font-max_glyph_width-or-font-m.patch
    - add debian/patches/font-Fix-size-overflow-in-grub_font_get_glyph_internal.patch
    - add debian/patchces/font-Remove-grub_font_dup_glyph.patch
    - add debian/patches/font-Fix-integer-overflow-in-ensure_comb_space.patch
    - add debian/patches/font-Fix-integer-overflow-in-BMP-index.patch
    - add debian/patches/font-Fix-integer-underflow-in-binary-search-of-char-index.patch
    - add debian/patches/fbutil-Fix-integer-overflow.patch
    - add debian/patches/font-Harden-grub_font_blit_glyph-and-grub_font_blit_glyph.patch
    - add debian/patches/font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
    - add debian/patches/normal-charset-Fix-an-integer-overflow-in-grub_unicode_ag.patch
  * Forbid loading of external fonts when secure boot is enabled:
    - add debian/patches/font-Forbid-loading-of-font-files-when-secure-boot-is-ena.patch
  * Bundle unicode.pf2 in a squashfs memdisk attached to the signed EFI binary
    - update debian/control
    - update debian/build-efi-image
    - add debian/patches/font-Try-opening-fonts-from-the-bundled-memdisk.patch
  * Fix the squashfs tests during the build
    - remove debian/patches/ubuntu-fix-reproducible-squashfs-test.patch
    - add debian/patches/tests-Explicitly-unset-SOURCE_DATE_EPOCH-before-running-f.patch
  * Bump SBAT generation:
    - update debian/sbat.ubuntu.csv.in
  * Make grub-efi-{amd64,arm64} depend on grub2-common 2.02~beta2-36ubuntu3.33
    in xenial and 2.02-2ubuntu8.25 in bionic to fix LP: #1995751 (thanks
    Julian Klode for the base-files hack to make a single binary be able to
    depend on 2 different versions of the same package)

  [ dann frazier ]
  * linuxefi: Invalidate i-cache before starting the kernel (LP: #1987924)
    - d/p/linuxefi-Invalidate-i-cache-before-starting-the-kern.patch

  [ Chris Coulson ]
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Chris Coulson <email address hidden> Thu, 17 Nov 2022 13:27:15 +0000

Changed in grub2-unsigned (Ubuntu Focal):
status: Fix Committed → Fix Released
Steve Langasek (vorlon) wrote : Update Released

The verification of the Stable Release Update for grub2-unsigned has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Changed in grub2-unsigned (Ubuntu Bionic):
status: Confirmed → In Progress