azurelinux-security
diff --git a/‎SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec‎
Lines changed: 4 additions & 1 deletion b/‎SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎SPECS/grub2/CVE-2014-3591.patch‎
Lines changed: 79 additions & 0 deletions b/‎SPECS/grub2/CVE-2014-3591.patch‎
Lines changed: 79 additions & 0 deletions
diff --git a/‎SPECS/grub2/CVE-2017-7526.patch‎
Lines changed: 133 additions & 0 deletions b/‎SPECS/grub2/CVE-2017-7526.patch‎
Lines changed: 133 additions & 0 deletions
diff --git a/‎SPECS/grub2/CVE-2019-13627.patch‎
Lines changed: 68 additions & 0 deletions b/‎SPECS/grub2/CVE-2019-13627.patch‎
Lines changed: 68 additions & 0 deletions
diff --git a/‎SPECS/grub2/CVE-2024-45774.patch‎
Lines changed: 29 additions & 0 deletions b/‎SPECS/grub2/CVE-2024-45774.patch‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎SPECS/grub2/CVE-2024-45775.patch‎
Lines changed: 28 additions & 0 deletions b/‎SPECS/grub2/CVE-2024-45775.patch‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎SPECS/grub2/CVE-2024-45776.patch‎
Lines changed: 29 additions & 0 deletions b/‎SPECS/grub2/CVE-2024-45776.patch‎
Lines changed: 29 additions & 0 deletions
@@ -12,7 +12,7 @@
 Summary:        Signed GRand Unified Bootloader for %{buildarch} systems
 Name:           grub2-efi-binary-signed-%{buildarch}
 Version:        2.06
-Release:        14%{?dist}
+Release:        15%{?dist}
 License:        GPLv3+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -77,6 +77,9 @@ cp %{SOURCE3} %{buildroot}/boot/efi/EFI/BOOT/%{grubpxeefiname}
 /boot/efi/EFI/BOOT/%{grubpxeefiname}
 
 %changelog
+* Tue Jun 17 2025 Kshitiz Godara <[email protected]> - 2.06-15
+- Bump release number to match grub release
+
 * Mon Jun 02 2025 Jyoti Kanase <[email protected]> - 2.06-14
 - Bump release number to match grub release
 
 
@@ -0,0 +1,79 @@
+From 25e4ae28da960baec315e0c10e9f70cd46a89a2e Mon Sep 17 00:00:00 2001
+From: Kshitiz Godara <[email protected]>
+Date: Mon, 16 Jun 2025 13:30:22 +0000
+Subject: [PATCH] Fix for CVE-2014-3591
+
+Upstream reference:
+https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=patch;h=ff53cf06e966dce0daba5f2c84e03ab9db2c3c8b
+---
+ grub-core/lib/libgcrypt/cipher/elgamal.c | 45 +++++++++++++++++++++---
+ 1 file changed, 41 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/lib/libgcrypt/cipher/elgamal.c b/grub-core/lib/libgcrypt/cipher/elgamal.c
+index ce4be85..47ba882 100644
+--- a/grub-core/lib/libgcrypt/cipher/elgamal.c
++++ b/grub-core/lib/libgcrypt/cipher/elgamal.c
+@@ -29,6 +29,11 @@
+ #include "g10lib.h"
+ #include "mpi.h"
+ #include "cipher.h"
++/* Blinding is used to mitigate side-channel attacks.  You may undef
++   this to speed up the operation in case the system is secured
++   against physical and network mounted side-channel attacks.  */
++#define USE_BLINDING 1
++
+ 
+ typedef struct
+ {
+@@ -486,12 +491,44 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
+ static void
+ decrypt(gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
+ {
+-  gcry_mpi_t t1 = mpi_alloc_secure( mpi_get_nlimbs( skey->p ) );
++  MPI t1, t2, r;
++  unsigned int nbits = mpi_get_nbits (skey->p);
++
++  mpi_normalize (a);
++  mpi_normalize (b);
++
++  t1 = mpi_alloc_secure (mpi_nlimb_hint_from_nbits (nbits));
++#ifdef USE_BLINDING
++
++  t2 = mpi_alloc_secure (mpi_nlimb_hint_from_nbits (nbits));
++  r  = mpi_alloc (mpi_nlimb_hint_from_nbits (nbits));
++
++  /* We need a random number of about the prime size.  The random
++     number merely needs to be unpredictable; thus we use level 0.  */
++  randomize_mpi (r, nbits, 0);
++
++  /* t1 = r^x mod p */
++  mpi_powm (t1, r, skey->x, skey->p);
++  /* t2 = (a * r)^-x mod p */
++  mpi_mulm (t2, a, r, skey->p);
++  mpi_powm (t2, t2, skey->x, skey->p);
++  mpi_invm (t2, t2, skey->p);
++  /* t1 = (t1 * t2) mod p*/
++  mpi_mulm (t1, t1, t2, skey->p);
++
++  mpi_free (r);
++  mpi_free (t2);
++
++#else /*!USE_BLINDING*/
+ 
+   /* output = b/(a^x) mod p */
+-  gcry_mpi_powm( t1, a, skey->x, skey->p );
+-  mpi_invm( t1, t1, skey->p );
+-  mpi_mulm( output, b, t1, skey->p );
++  mpi_powm (t1, a, skey->x, skey->p);
++  mpi_invm (t1, t1, skey->p);
++
++#endif  /*!USE_BLINDING*/
++
++  mpi_mulm (output, b, t1, skey->p);
++
+ #if 0
+   if( DBG_CIPHER )
+     {
+-- 
+2.45.3
+
@@ -0,0 +1,133 @@
+From 352e78a73c6b92155038f341095ab06753f965ea Mon Sep 17 00:00:00 2001
+From: Kshitiz Godara <[email protected]>
+Date: Mon, 16 Jun 2025 14:38:07 +0000
+Subject: [PATCH] Fix for CVE-2017-7526
+
+Upstream reference:
+https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=e6a3dc9900433bbc8ad362a595a3837318c28fa9
+---
+ grub-core/lib/libgcrypt/cipher/rsa.c | 85 ++++++++++++++++++----------
+ 1 file changed, 54 insertions(+), 31 deletions(-)
+
+diff --git a/grub-core/lib/libgcrypt/cipher/rsa.c b/grub-core/lib/libgcrypt/cipher/rsa.c
+index ccc9f96..43309f4 100644
+--- a/grub-core/lib/libgcrypt/cipher/rsa.c
++++ b/grub-core/lib/libgcrypt/cipher/rsa.c
+@@ -685,53 +685,75 @@ stronger_key_check ( RSA_secret_key *skey )
+ 
+ 
+ 
+-/****************
+- * Secret key operation. Encrypt INPUT with SKEY and put result into OUTPUT.
++/* Secret key operation - standard version.
+  *
+  *	m = c^d mod n
+- *
+- * Or faster:
++ */
++static void
++secret_core_std (gcry_mpi_t M, gcry_mpi_t C,
++                 gcry_mpi_t D, gcry_mpi_t N)
++{
++  mpi_powm (M, C, D, N);
++}
++
++
++/* Secret key operation - using the CRT.
+  *
+  *      m1 = c ^ (d mod (p-1)) mod p
+  *      m2 = c ^ (d mod (q-1)) mod q
+  *      h = u * (m2 - m1) mod q
+  *      m = m1 + h * p
+- *
+- * Where m is OUTPUT, c is INPUT and d,n,p,q,u are elements of SKEY.
++ */
++static void
++secret_core_crt (gcry_mpi_t M, gcry_mpi_t C,
++                 gcry_mpi_t D, unsigned int Nlimbs,
++                 gcry_mpi_t P, gcry_mpi_t Q, gcry_mpi_t U)
++{
++  gcry_mpi_t m1 = mpi_alloc_secure ( Nlimbs + 1 );
++  gcry_mpi_t m2 = mpi_alloc_secure ( Nlimbs + 1 );
++  gcry_mpi_t h  = mpi_alloc_secure ( Nlimbs + 1 );
++
++  /* m1 = c ^ (d mod (p-1)) mod p */
++  mpi_sub_ui ( h, P, 1 );
++  mpi_fdiv_r ( h, D, h );
++  mpi_powm ( m1, C, h, P );
++
++  /* m2 = c ^ (d mod (q-1)) mod q */
++  mpi_sub_ui ( h, Q, 1  );
++  mpi_fdiv_r ( h, D, h );
++  mpi_powm ( m2, C, h, Q );
++
++  /* h = u * ( m2 - m1 ) mod q */
++  mpi_sub ( h, m2, m1 );
++  if ( mpi_has_sign ( h ) )
++    mpi_add ( h, h, Q );
++  mpi_mulm ( h, U, h, Q );
++
++  /* m = m1 + h * p */
++  mpi_mul ( h, h, P );
++  mpi_add ( M, m1, h );
++
++  mpi_free ( h );
++  mpi_free ( m1 );
++  mpi_free ( m2 );
++}
++
++
++/* Secret key operation.
++ * Encrypt INPUT with SKEY and put result into
++ * OUTPUT.  SKEY has the secret key parameters.
+  */
+ static void
+ secret(gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey )
+ {
+   if (!skey->p || !skey->q || !skey->u)
+     {
+-      mpi_powm (output, input, skey->d, skey->n);
++      secret_core_std (output, input, skey->d, skey->n);
+     }
+   else
+     {
+-      gcry_mpi_t m1 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+-      gcry_mpi_t m2 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+-      gcry_mpi_t h  = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+-
+-      /* m1 = c ^ (d mod (p-1)) mod p */
+-      mpi_sub_ui( h, skey->p, 1  );
+-      mpi_fdiv_r( h, skey->d, h );
+-      mpi_powm( m1, input, h, skey->p );
+-      /* m2 = c ^ (d mod (q-1)) mod q */
+-      mpi_sub_ui( h, skey->q, 1  );
+-      mpi_fdiv_r( h, skey->d, h );
+-      mpi_powm( m2, input, h, skey->q );
+-      /* h = u * ( m2 - m1 ) mod q */
+-      mpi_sub( h, m2, m1 );
+-      if ( mpi_is_neg( h ) )
+-        mpi_add ( h, h, skey->q );
+-      mpi_mulm( h, skey->u, h, skey->q );
+-      /* m = m2 + h * p */
+-      mpi_mul ( h, h, skey->p );
+-      mpi_add ( output, m1, h );
+-
+-      mpi_free ( h );
+-      mpi_free ( m1 );
+-      mpi_free ( m2 );
++      secret_core_crt (output, input, skey->d, mpi_get_nlimbs (skey->n),
++                       skey->p, skey->q, skey->u);
+     }
+ }
+ 
+@@ -778,6 +800,7 @@ rsa_unblind (gcry_mpi_t x, gcry_mpi_t ri, gcry_mpi_t n)
+   return y;
+ }
+ 
++
+ /*********************************************
+  **************  interface  ******************
+  *********************************************/
+-- 
+2.45.3
+
@@ -0,0 +1,68 @@
+From ec78ea01c197d46ed44c226613536490a6b0c87f Mon Sep 17 00:00:00 2001
+From: Kshitiz Godara <[email protected]>
+Date: Mon, 16 Jun 2025 14:01:28 +0000
+Subject: [PATCH] Fix for CVE-2019-13627
+
+Upstream reference:
+https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=db4e9976cc31b314aafad6626b2894e86ee44d60
+---
+ grub-core/lib/libgcrypt/cipher/dsa.c | 14 ++++++++++++--
+ grub-core/lib/libgcrypt/mpi/ec.c     |  6 +++++-
+ 2 files changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/lib/libgcrypt/cipher/dsa.c b/grub-core/lib/libgcrypt/cipher/dsa.c
+index 883a815..1d77305 100644
+--- a/grub-core/lib/libgcrypt/cipher/dsa.c
++++ b/grub-core/lib/libgcrypt/cipher/dsa.c
+@@ -600,8 +600,6 @@ check_secret_key( DSA_secret_key *sk )
+   return rc;
+ }
+ 
+-
+-
+ /*
+    Make a DSA signature from HASH and put it into r and s.
+  */
+@@ -611,10 +609,22 @@ sign(gcry_mpi_t r, gcry_mpi_t s, gcry_mpi_t hash, DSA_secret_key *skey )
+   gcry_mpi_t k;
+   gcry_mpi_t kinv;
+   gcry_mpi_t tmp;
++  unsigned int qbits = mpi_get_nbits (skey->q);
+ 
+   /* Select a random k with 0 < k < q */
+   k = gen_k( skey->q );
+ 
++  /* Originally, ECDSA computation requires k where 0 < k < n.
++   * Here, we add n (the order of curve), to keep k in a
++   * range: n < k < 2*n, or, addming more n, keep k in a range:
++   * 2*n < k < 3*n, so that timing difference of the EC
++   * multiply operation can be small.  The result is same.
++   */
++  mpi_add (k, k, skey->E.n);
++  if (!mpi_test_bit (k, qbits))
++    mpi_add (k, k, skey->E.n);
++
++
+   /* r = (a^k mod p) mod q */
+   gcry_mpi_powm( r, skey->g, k, skey->p );
+   mpi_fdiv_r( r, r, skey->q );
+diff --git a/grub-core/lib/libgcrypt/mpi/ec.c b/grub-core/lib/libgcrypt/mpi/ec.c
+index fa00818..0089347 100644
+--- a/grub-core/lib/libgcrypt/mpi/ec.c
++++ b/grub-core/lib/libgcrypt/mpi/ec.c
+@@ -617,7 +617,11 @@ _gcry_mpi_ec_mul_point (mpi_point_t *result,
+   unsigned int nbits;
+   int i;
+ 
+-  nbits = mpi_get_nbits (scalar);
++  if (mpi_cmp (scalar, ctx->p) >= 0)
++    nbits = mpi_get_nbits (scalar);
++  else
++    nbits = mpi_get_nbits (ctx->p);
++
+   mpi_set_ui (result->x, 1);
+   mpi_set_ui (result->y, 1);
+   mpi_set_ui (result->z, 0);
+-- 
+2.45.3
+
@@ -0,0 +1,29 @@
+From 78297135895384a0653a6748f1af4b9f50609fec Mon Sep 17 00:00:00 2001
+From: Kshitiz Godara <[email protected]>
+Date: Mon, 16 Jun 2025 14:53:20 +0000
+Subject: [PATCH] Fix for CVE-2024-45774
+
+Upstream reference:
+https://cgit.git.savannah.gnu.org/cgit/grub.git/patch/?id=2c34af908ebf4856051ed29e46d88abd2b20387f
+---
+ grub-core/video/readers/jpeg.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index 97a533b..80c5bd7 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -333,6 +333,10 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
+   if (grub_errno != GRUB_ERR_NONE)
+     return grub_errno;
+ 
++  if (data->image_height != 0 || data->image_width != 0)
++    return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++		       "jpeg: cannot have duplicate SOF0 markers");
++
+   if (grub_jpeg_get_byte (data) != 8)
+     return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ 		       "jpeg: only 8-bit precision is supported");
+-- 
+2.45.3
+
@@ -0,0 +1,28 @@
+From 3451d40564b03136222abd225d2408794c98e57a Mon Sep 17 00:00:00 2001
+From: Kshitiz Godara <[email protected]>
+Date: Mon, 16 Jun 2025 15:51:34 +0000
+Subject: [PATCH] Fix for CVE-2024-45775
+
+Upstream reference:
+https://cgit.git.savannah.gnu.org/cgit/grub.git/patch/?id=05be856a8c3aae41f5df90cab7796ab7ee34b872
+---
+ grub-core/commands/extcmd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c
+index 90a5ca2..c236be1 100644
+--- a/grub-core/commands/extcmd.c
++++ b/grub-core/commands/extcmd.c
+@@ -49,6 +49,9 @@ grub_extcmd_dispatcher (struct grub_command *cmd, int argc, char **args,
+     }
+ 
+   state = grub_arg_list_alloc (ext, argc, args);
++  if (state == NULL)
++    return grub_errno;
++
+   if (grub_arg_parse (ext, argc, args, state, &new_args, &new_argc))
+     {
+       context.state = state;
+-- 
+2.45.3
+
@@ -0,0 +1,29 @@
+From cba3d3966de27f3de803205de897df407603441a Mon Sep 17 00:00:00 2001
+From: Kshitiz Godara <[email protected]>
+Date: Mon, 16 Jun 2025 16:43:45 +0000
+Subject: [PATCH] Fix for CVE-2024-45776
+
+Upstream reference:
+https://cgit.git.savannah.gnu.org/cgit/grub.git/patch/?id=09bd6eb58b0f71ec273916070fa1e2de16897a91
+---
+ grub-core/gettext/gettext.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
+index 16ebc20..85ea44a 100644
+--- a/grub-core/gettext/gettext.c
++++ b/grub-core/gettext/gettext.c
+@@ -328,8 +328,8 @@ grub_mofile_open (struct grub_gettext_context *ctx,
+   for (ctx->grub_gettext_max_log = 0; ctx->grub_gettext_max >> ctx->grub_gettext_max_log;
+        ctx->grub_gettext_max_log++);
+ 
+-  ctx->grub_gettext_msg_list = grub_zalloc (ctx->grub_gettext_max
+-					    * sizeof (ctx->grub_gettext_msg_list[0]));
++  ctx->grub_gettext_msg_list = grub_calloc (ctx->grub_gettext_max,
++					    sizeof (ctx->grub_gettext_msg_list[0]));
+   if (!ctx->grub_gettext_msg_list)
+     {
+       grub_file_close (fd);
+-- 
+2.45.3
+