CVE-2022-2601, CVE-2022-3775: font security fixes

Bug #1996950 reported by Julian Andres Klode
Affects                  Series   Status         Importance  Assigned to  Milestone
grub2-signed (Ubuntu)    (status tracked in Lunar)
                         Bionic   New            Undecided   Unassigned
                         Focal    Fix Released   Undecided   Unassigned
                         Jammy    New            Undecided   Unassigned
                         Kinetic  New            Undecided   Unassigned
                         Lunar    Fix Released   Undecided   Unassigned
grub2-unsigned (Ubuntu)  (status tracked in Lunar)
                         Bionic   Fix Committed  Undecided   Unassigned
                         Focal    Fix Committed  Undecided   Unassigned
                         Jammy    Fix Committed  Undecided   Unassigned
                         Kinetic  Fix Committed  Undecided   Unassigned
                         Lunar    Fix Released   Undecided   Unassigned

Bug Description

[Impact]
security update staged in updates

[Test plan]
Boot it on multiple systems. Notably juliank will be doing semi-automated testing in QEMU that does chainbooting over network (shim->grub->shim->grub); and boots on T14 G3 AMD and an XPS 13; chrisccoulson did his own security testing before that.

[Where problems could occur]
Font loading is disabled, which could cause rendering issues.

The Unicode font is stuffed into an xz squashfs, which could cause more memory issues during boot.

description: updated
Changed in grub2-unsigned (Ubuntu Lunar):
status: New → Fix Committed
Changed in grub2-signed (Ubuntu Lunar):
status: New → Fix Committed
description: updated
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-unsigned - 2.06-2ubuntu15

---------------
grub2-unsigned (2.06-2ubuntu15) lunar; urgency=medium

  * grub-multi-install: Reset partition type between partitions (LP: #1997795)
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

grub2 (2.06-2ubuntu14) kinetic; urgency=medium

  * SECURITY UPDATE: Fix out of bounds writes due to specially crafted fonts.
    - add debian/patches/font-Fix-several-integer-overflows-in-grub_font_construct.patch
    - add debian/patches/font-Fix-an-integer-underflow-in-blit_comb.patch
    - CVE-2022-2601, CVE-2022-3775
    - LP: #1996950
  * Fix various issues as a result of fuzzing, static analysis and code
    review:
    - add debian/patches/font-Reject-glyphs-exceeds-font-max_glyph_width-or-font-m.patch
    - add debian/patches/font-Fix-size-overflow-in-grub_font_get_glyph_internal.patch
    - add debian/patchces/font-Remove-grub_font_dup_glyph.patch
    - add debian/patches/font-Fix-integer-overflow-in-ensure_comb_space.patch
    - add debian/patches/font-Fix-integer-overflow-in-BMP-index.patch
    - add debian/patches/font-Fix-integer-underflow-in-binary-search-of-char-index.patch
    - add debian/patches/fbutil-Fix-integer-overflow.patch
    - add debian/patches/font-Harden-grub_font_blit_glyph-and-grub_font_blit_glyph.patch
    - add debian/patches/font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
    - add debian/patches/normal-charset-Fix-an-integer-overflow-in-grub_unicode_ag.patch
  * Enforce verification of fonts when secure boot is enabled:
    - add debian/patches/kern-efi-sb-Enforce-verification-of-font-files.patch
  * Bundle unicode.pf2 in a squashfs memdisk attached to the signed EFI binary
    - update debian/control
    - update debian/build-efi-image
    - add debian/patches/font-Try-opening-fonts-from-the-bundled-memdisk.patch
  * Fix LP: #1997006 - add support for performing measurements to RTMRs
    - add debian/patches/commands-efi-tpm-Refine-the-status-of-log-event.patch
    - add debian/patches/commands-efi-tpm-Use-grub_strcpy-instead-of-grub_memcpy.patch
    - add debian/patches/efi-tpm-Add-EFI_CC_MEASUREMENT_PROTOCOL-support.patch
  * Fix the squashfs tests during the build
    - remove debian/patches/ubuntu-fix-reproducible-squashfs-test.patch
    - add debian/patches/tests-Explicitly-unset-SOURCE_DATE_EPOCH-before-running-f.patch
  * Bump SBAT generation:
    - update debian/sbat.ubuntu.csv.in

 -- Julian Andres Klode <email address hidden> Thu, 01 Dec 2022 16:30:53 +0100

Changed in grub2-unsigned (Ubuntu Lunar):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-signed - 1.189

---------------
grub2-signed (1.189) lunar; urgency=medium

  * Really rebuild against grub2 2.06-2ubuntu15

grub2-signed (1.188) lunar; urgency=medium

  * Rebuild against grub2 2.06-2ubuntu15
  * Source debconf in postinst script (LP: #1997779)
  * Still signed with the old key

grub2-signed (1.187) kinetic; urgency=medium

  * Rebuild against grub2 2.06-2ubuntu14 (LP: #1996950)

 -- Julian Andres Klode <email address hidden> Thu, 01 Dec 2022 17:13:46 +0100

Changed in grub2-signed (Ubuntu Lunar):
status: Fix Committed → Fix Released
description: updated
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Julian, or anyone else affected,

Accepted grub2-unsigned into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-unsigned/2.04-1ubuntu47.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in grub2-unsigned (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed verification-needed-focal
Steve Langasek (vorlon) wrote :

Hello Julian, or anyone else affected,

Accepted grub2-signed into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.173.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in grub2-signed (Ubuntu Focal):
status: New → Fix Committed
Julian Andres Klode (juliank) wrote :

I did the whole pxe shim -> pxe grub -> disk shim -> disk grub mechanism in qemu and that worked ok.

I don't have a laptop or VM ready with focal to do any further testing right now.

dann frazier (dannf) wrote :

= focal verification =

I've run the following tests:

(1) An old HP Moonshot Avoton cartridge (non-EFI amd64, so grub-pc). I deployed it with MAAS, upgraded (made sure grub-install ran), and verified it rebooted fine.

(2) An arm64 system (bluefield2) while verifying bug 1987924

(3) A headless x86 UEFI VM in non-SB mode. I deployed it w/ virt-install using a cloud-image.

(3a) Same as (3), but without grub-efi-amd64-signed.

(3b) Same as (3), but with Secure Boot enabled

tags: added: verification-done verification-done-focal
removed: verification-needed verification-needed-focal
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-unsigned - 2.04-1ubuntu47.5

---------------
grub2-unsigned (2.04-1ubuntu47.5) focal; urgency=medium

  [ Chris Coulson ]
  * SECURITY UPDATE: Fix out of bounds writes due to specially crafted fonts.
    - add debian/patches/font-Fix-several-integer-overflows-in-grub_font_construct.patch
    - add debian/patches/font-Fix-an-integer-underflow-in-blit_comb.patch
    - CVE-2022-2601, CVE-2022-3775
    - LP: #1996950
  * Fix various issues as a result of fuzzing, static analysis and code
    review:
    - add debian/patches/font-Reject-glyphs-exceeds-font-max_glyph_width-or-font-m.patch
    - add debian/patches/font-Fix-size-overflow-in-grub_font_get_glyph_internal.patch
    - add debian/patchces/font-Remove-grub_font_dup_glyph.patch
    - add debian/patches/font-Fix-integer-overflow-in-ensure_comb_space.patch
    - add debian/patches/font-Fix-integer-overflow-in-BMP-index.patch
    - add debian/patches/font-Fix-integer-underflow-in-binary-search-of-char-index.patch
    - add debian/patches/fbutil-Fix-integer-overflow.patch
    - add debian/patches/font-Harden-grub_font_blit_glyph-and-grub_font_blit_glyph.patch
    - add debian/patches/font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
    - add debian/patches/normal-charset-Fix-an-integer-overflow-in-grub_unicode_ag.patch
  * Forbid loading of external fonts when secure boot is enabled:
    - add debian/patches/font-Forbid-loading-of-font-files-when-secure-boot-is-ena.patch
  * Bundle unicode.pf2 in a squashfs memdisk attached to the signed EFI binary
    - update debian/control
    - update debian/build-efi-image
    - add debian/patches/font-Try-opening-fonts-from-the-bundled-memdisk.patch
  * Fix the squashfs tests during the build
    - remove debian/patches/ubuntu-fix-reproducible-squashfs-test.patch
    - add debian/patches/tests-Explicitly-unset-SOURCE_DATE_EPOCH-before-running-f.patch
  * Bump SBAT generation:
    - update debian/sbat.ubuntu.csv.in
  * Make grub-efi-{amd64,arm64} depend on grub2-common 2.02~beta2-36ubuntu3.33
    in xenial and 2.02-2ubuntu8.25 in bionic to fix LP: #1995751 (thanks
    Julian Klode for the base-files hack to make a single binary be able to
    depend on 2 different versions of the same package)

  [ dann frazier ]
  * linuxefi: Invalidate i-cache before starting the kernel (LP: #1987924)
    - d/p/linuxefi-Invalidate-i-cache-before-starting-the-kern.patch

  [ Chris Coulson ]
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Chris Coulson <email address hidden> Thu, 17 Nov 2022 13:27:15 +0000
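
The SECURITY UPDATE entries in the lunar (2.06-2ubuntu14) and focal (2.04-1ubuntu47.5) changelogs above fix out-of-bounds writes caused by integer overflows in glyph construction and by glyphs larger than the font declares. The stand-alone C example below is added here and is not GRUB's code; the struct layout, the font limits and the function names are assumptions. It shows the defensive pattern the patch titles describe: reject glyphs beyond the font's declared maximum, and overflow-check the bounding-box and allocation-size arithmetic for a base glyph combined with combining marks.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for a glyph bounding box (not GRUB's struct). */
struct bbox { int x, y; unsigned w, h; };

/* Overflow-checked unsigned multiply: 1 on overflow, else 0 and *out set. */
static int mul_ovf(unsigned a, unsigned b, unsigned *out)
{
    if (a != 0 && b > UINT_MAX / a)
        return 1;
    *out = a * b;
    return 0;
}

/* Allocation size for a 1-bpp glyph bitmap plus a fixed header. Rejects
 * glyphs larger than the font's declared maximum (the idea behind the
 * "reject glyphs exceeding max_glyph_width/height" patch) and any wrap in
 * the size arithmetic. Returns 0 on success, -1 on rejection. */
int glyph_alloc_size(const struct bbox *g, unsigned max_w, unsigned max_h,
                     size_t hdr, size_t *out)
{
    unsigned bits;
    if (g->w == 0 || g->h == 0 || g->w > max_w || g->h > max_h)
        return -1;
    if (mul_ovf(g->w, g->h, &bits) || bits > UINT_MAX - 7
        || (size_t)((bits + 7) / 8) > SIZE_MAX - hdr)
        return -1;
    *out = hdr + (bits + 7) / 8;   /* header plus bitmap rounded to bytes */
    return 0;
}

/* Bounding box of a base glyph combined with n combining marks: offset +
 * width arithmetic that wraps if left unchecked. Edges are widened to long
 * long and range-checked; the result is capped at the font's maximum. */
int union_bbox(const struct bbox *base, const struct bbox *comb, size_t n,
               unsigned max_w, unsigned max_h, struct bbox *out)
{
    long long x0 = base->x, y0 = base->y;
    long long x1 = (long long)base->x + base->w;
    long long y1 = (long long)base->y + base->h;
    size_t i;
    for (i = 0; i < n; i++) {
        long long cx1 = (long long)comb[i].x + comb[i].w;
        long long cy1 = (long long)comb[i].y + comb[i].h;
        if (comb[i].x < x0) x0 = comb[i].x;
        if (comb[i].y < y0) y0 = comb[i].y;
        if (cx1 > x1) x1 = cx1;
        if (cy1 > y1) y1 = cy1;
    }
    if (x1 > INT_MAX || y1 > INT_MAX || x1 - x0 > max_w || y1 - y0 > max_h)
        return -1;
    out->x = (int)x0;
    out->y = (int)y0;
    out->w = (unsigned)(x1 - x0);
    out->h = (unsigned)(y1 - y0);
    return 0;
}

/* Constructed cases; returns how many behaved as expected (4 when correct). */
int self_check(void)
{
    struct bbox base = {0, 0, 8, 16}, big = {0, 0, 32, 16};
    struct bbox comb[2] = {{2, -4, 4, 4}, {-1, 14, 10, 3}};
    struct bbox edge = {INT_MAX - 1, 0, 10, 4}, u;
    size_t sz; int ok = 0;
    ok += glyph_alloc_size(&base, 16, 16, 8, &sz) == 0 && sz == 24;
    ok += glyph_alloc_size(&big, 16, 16, 8, &sz) == -1;
    ok += union_bbox(&base, comb, 2, 32, 32, &u) == 0
          && u.x == -1 && u.y == -4 && u.w == 10 && u.h == 21;
    ok += union_bbox(&base, &edge, 1, UINT_MAX, UINT_MAX, &u) == -1;
    return ok;
}
```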

Changed in grub2-unsigned (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-signed - 1.173.4

---------------
grub2-signed (1.173.4) focal; urgency=medium

  * Source debconf in postinst script (LP: #1997779)
  * Enforce build against 2.04-1ubuntu47.5

grub2-signed (1.173.3) focal; urgency=medium

  * Rebuild against grub2 2.04-1ubuntu47.5 (LP: #1996950)
  * Bump grub2-common dependency to 2.02~beta2-36ubuntu3.33 in xenial and
    2.02-2ubuntu8.25 in bionic to fix LP: #1995751

 -- Julian Andres Klode <email address hidden> Fri, 02 Dec 2022 15:15:54 +0100

Changed in grub2-signed (Ubuntu Focal):
status: Fix Committed → Fix Released
Steve Langasek (vorlon) wrote : Update Released

The verification of the Stable Release Update for grub2-unsigned has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Steve Langasek (vorlon) wrote : Please test proposed package

Hello Julian, or anyone else affected,

Accepted grub2-unsigned into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-unsigned/2.06-2ubuntu14 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in grub2-unsigned (Ubuntu Jammy):
status: New → Fix Committed
tags: added: verification-needed verification-needed-jammy
removed: verification-done
Steve Langasek (vorlon) wrote :

Hello Julian, or anyone else affected,

Accepted grub2-unsigned into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-unsigned/2.06-2ubuntu14 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in grub2-unsigned (Ubuntu Kinetic):
status: New → Fix Committed
tags: added: verification-needed-kinetic
Łukasz Zemczak (sil2100) wrote :

Hello Julian, or anyone else affected,

Accepted grub2-unsigned into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-unsigned/2.06-2ubuntu14 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in grub2-unsigned (Ubuntu Focal):
status: Fix Released → Fix Committed
tags: added: verification-needed-focal
removed: verification-done-focal
Łukasz Zemczak (sil2100) wrote :

Hello Julian, or anyone else affected,

Accepted grub2-unsigned into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-unsigned/2.06-2ubuntu14 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in grub2-unsigned (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed-bionic
Julian Andres Klode (juliank) wrote :

I grabbed the signed binary for 2.06-2ubuntu14 from kinetic and netbooting worked fine. The other binaries are identical to that one except signature, so I'll refrain from fetching each deb manually as we only test chainloading compatibility in that test case.

I have also run the kinetic grub with the new shim on my T14 G3 which booted nicely, hooray.

dannf also booted the focal 2.06 upload in at least one fancy machine.

Up next, I'll boot entire systems in VMs to finish validation.

Julian Andres Klode (juliank) wrote :

I have also triggered autopkgtests for hello on kinetic, jammy, focal; and gzip on bionic with both grub2-signed and grub2-unsigned triggers; this will upgrade the grubs and reboot prior to running tests, ensuring that we can boot correctly on autopkgtest infra.

Julian Andres Klode (juliank) wrote :

So I want to say verification failed on bionic because arm64 failed grub-install due to missing efibootmgr, but it's not actually a regression. Otherwise autopkgtests passed everywhere:

sqlite> select package, arch, release, triggers, exitcode from test, result where test_id==test.id AND triggers like "%grub2-unsigned/2.06-2ubuntu14%" AND triggers like "%grub2-signed%" AND requester="juliank" ORDER BY release;
package  arch   release  triggers                                                    exitcode
-------  -----  -------  ----------------------------------------------------------  --------
gzip     amd64  bionic   grub2-signed/1.187.2~18.04.1 grub2-unsigned/2.06-2ubuntu14  0
gzip     arm64  bionic   grub2-signed/1.187.2~18.04.1 grub2-unsigned/2.06-2ubuntu14  12
hello    arm64  focal    grub2-signed/1.187.2~20.04.2 grub2-unsigned/2.06-2ubuntu14  0
hello    amd64  focal    grub2-signed/1.187.2~20.04.2 grub2-unsigned/2.06-2ubuntu14  0
hello    amd64  jammy    grub2-signed/1.187.2 grub2-unsigned/2.06-2ubuntu14          0
hello    arm64  jammy    grub2-signed/1.187.2 grub2-unsigned/2.06-2ubuntu14          0
hello    arm64  kinetic  grub2-signed/1.187.2 grub2-unsigned/2.06-2ubuntu14          0
hello    amd64  kinetic  grub2-signed/1.187.2 grub2-unsigned/2.06-2ubuntu14          0

To fix grub-install needing efibootmgr on bionic, we could add a Depends: efibootmgr [amd64 arm64] to grub2-common there. This is not entirely accurate of course because it's only needed if you have -efi bits installed; but: this allows grub2-unsigned and grub2-signed to remain identical between releases which severely reduces workload for updates.

Though to be fair, we can also add a Depends: grub2-common (>= 2.02+dfsg1-15) | efibootmgr to grub2-signed in all releases. Still missing Depends in grub2-unsigned. We probably should not block on that though.

It's not clear to me how autopkgtest arm64 images ended up with grub-efi-arm64-signed installed successfully in the first place, peculiar, it should not have built an image that way.

Julian Andres Klode (juliank) wrote :

kinetic verified in multipass (see bug 1997779), and lxd - by installing:

Setting up grub-efi-amd64-bin (2.06-2ubuntu14) ...
Setting up grub-efi-amd64-signed (1.187.2+2.06-2ubuntu14) ...
Trying to migrate /boot/efi into esp config
Installing grub to /boot/efi.
Installing for x86_64-efi platform.
Installation finished. No error reported.

and rebooting successfully.

tags: added: verification-done-kinetic
removed: verification-needed-kinetic
Julian Andres Klode (juliank) wrote :

jammy verified as well with multipass and lxd.

Setting up grub-efi-amd64-bin (2.06-2ubuntu14) ...
Setting up grub-efi-amd64-signed (1.187.2+2.06-2ubuntu14) ...
Trying to migrate /boot/efi into esp config
Installing grub to /boot/efi.
Installing for x86_64-efi platform.
Installation finished. No error reported.

tags: added: verification-done-jammy
removed: verification-needed-jammy
Julian Andres Klode (juliank) wrote :

Both focal and bionic also successfully rebooted, hooray. I forgot to mention I checked mokutil --sb-state on all lxd instances (and the multipass instances checked booting without secure boot, fwiw).

focal:

Setting up grub-efi-amd64-bin (2.06-2ubuntu14) ...
Setting up grub-efi-amd64-signed (1.187.2~20.04.2+2.06-2ubuntu14) ...
Trying to migrate /boot/efi into esp config
Installing grub to /boot/efi.
Installing for x86_64-efi platform.
Installation finished. No error reported.
root@focal:~# mokutil --sb-state
SecureBoot enabled

bionic:

Setting up grub-efi-amd64-bin (2.06-2ubuntu14) ...
Setting up grub-efi-amd64 (2.06-2ubuntu14) ...
Installing for x86_64-efi platform.
Installation finished. No error reported.
Sourcing file `/etc/default/grub'
Sourcing file `/etc/default/grub.d/50-lxd.cfg'
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-4.15.0-202-generic
Found initrd image: /boot/initrd.img-4.15.0-202-generic
Adding boot menu entry for EFI firmware configuration
done
Setting up grub-efi-amd64-signed (1.187.2~18.04.1+2.06-2ubuntu14) ...
Installing for x86_64-efi platform.
Installation finished. No error reported.

tags: added: verification-done-bionic verification-done-focal
removed: verification-needed-bionic verification-needed-focal
tags: added: verification-done
removed: verification-needed