boot/grub2: add CVE trailer in patch

Since Buildroot commit [1] the patches that fixes a security vulnerability needs to reference the fixed vulnerability. This patch adds the relevant information to the patch header. [1] 1167d0ff3d docs/manual: mention CVE trailer Signed-off-by: Thomas Perale <thomas.perale@mind.be> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit d464e5e856cd3cf5c8e1802dc6bbb662f2329eb3) Signed-off-by: Thomas Perale <thomas.perale@mind.be>
2025-12-28 19:56:30 +01:00
parent 160e25159f
commit 6a50b98029
7 changed files with 14 additions and 13 deletions
--- a/boot/grub2/0004-fs-hfs-Fix-stack-OOB-write-with-grub_strcpy.patch
+++ b/boot/grub2/0004-fs-hfs-Fix-stack-OOB-write-with-grub_strcpy.patch
@@ -5,8 +5,8 @@ Subject: [PATCH] fs/hfs: Fix stack OOB write with grub_strcpy()

 Replaced with grub_strlcpy().

-Fixes: CVE-2024-45782
-Fixes: CVE-2024-56737
+CVE: CVE-2024-45782
+CVE: CVE-2024-56737
 Fixes: https://savannah.gnu.org/bugs/?66599

 Reported-by: B Horn <b@horn.uk>
--- a/boot/grub2/0006-fs-tar-Integer-overflow-leads-to-heap-OOB-write.patch
+++ b/boot/grub2/0006-fs-tar-Integer-overflow-leads-to-heap-OOB-write.patch
@@ -9,7 +9,7 @@ number parsed by read_number(). Later direct arithmetic calculation like
 grub_size_t leading to heap OOB write. This patch fixes the issue by
 using grub_add() and checking for an overflow.

-Fixes: CVE-2024-45780
+CVE: CVE-2024-45780

 Reported-by: Nils Langius <nils@langius.de>
 Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
--- a/boot/grub2/0037-gettext-Integer-overflow-leads-to-heap-OOB-write.patch
+++ b/boot/grub2/0037-gettext-Integer-overflow-leads-to-heap-OOB-write.patch
@@ -9,7 +9,7 @@ to 0 leading to heap OOB write. This patch fixes
 the issue by using grub_add() and checking for
 an overflow.

-Fixes: CVE-2024-45777
+CVE: CVE-2024-45777

 Reported-by: Nils Langius <nils@langius.de>
 Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
--- a/boot/grub2/0043-fs-bfs-Disable-under-lockdown.patch
+++ b/boot/grub2/0043-fs-bfs-Disable-under-lockdown.patch
@@ -6,8 +6,8 @@ Subject: [PATCH] fs/bfs: Disable under lockdown
 The BFS is not fuzz-clean. Don't allow it to be loaded under lockdown.
 This will also disable the AFS.

-Fixes: CVE-2024-45778
-Fixes: CVE-2024-45779
+CVE: CVE-2024-45778
+CVE: CVE-2024-45779

 Reported-by: Nils Langius <nils@langius.de>
 Signed-off-by: Daniel Axtens <dja@axtens.net>
--- a/boot/grub2/0044-fs-Disable-many-filesystems-under-lockdown.patch
+++ b/boot/grub2/0044-fs-Disable-many-filesystems-under-lockdown.patch
@@ -9,11 +9,11 @@ hfsplus, iso9660, squash4, tar, xfs and zfs.
 The JFS, ReiserFS, romfs, UDF and UFS security vulnerabilities were
 reported by Jonathan Bar Or <jonathanbaror@gmail.com>.

-Fixes: CVE-2025-0677
-Fixes: CVE-2025-0684
-Fixes: CVE-2025-0685
-Fixes: CVE-2025-0686
-Fixes: CVE-2025-0689
+CVE: CVE-2025-0677
+CVE: CVE-2025-0684
+CVE: CVE-2025-0685
+CVE: CVE-2025-0686
+CVE: CVE-2025-0689

 Suggested-by: Daniel Axtens <dja@axtens.net>
 Signed-off-by: Daniel Axtens <dja@axtens.net>
--- a/boot/grub2/0050-fs-Prevent-overflows-when-allocating-memory-for-arra.patch
+++ b/boot/grub2/0050-fs-Prevent-overflows-when-allocating-memory-for-arra.patch
@@ -9,8 +9,8 @@ overflow checks are in place.
 The HFS+ and squash4 security vulnerabilities were reported by
 Jonathan Bar Or <jonathanbaror@gmail.com>.

-Fixes: CVE-2025-0678
-Fixes: CVE-2025-1125
+CVE: CVE-2025-0678
+CVE: CVE-2025-1125

 Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
--- a/boot/grub2/0074-Constant-time-grub_crypto_memcmp.patch
+++ b/boot/grub2/0074-Constant-time-grub_crypto_memcmp.patch
@@ -9,6 +9,7 @@ The code is extracted from the upstream commit:

 Fix: bsc#1234959

+CVE: CVE-2024-56738
 Signed-off-by: Gary Lin <glin@suse.com>
 Upstream: not submitted upstream, as upstream has switched to gcrypt
 Taken-from: https://build.opensuse.org/projects/SUSE:SLE-15-SP5:Update/packages/grub2.39923/files/grub2-constant-time-grub_crypto_memcmp.patch?expand=0