-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 01 Apr 2026 21:03:46 +0100
Source: grub2
Binary: grub-common grub-common-dbgsym grub-ieee1275 grub-ieee1275-bin grub-ieee1275-bin-dbgsym grub-ieee1275-dbg grub-mount-udeb grub-theme-starfield grub2 grub2-common grub2-common-dbgsym
Architecture: ppc64el
Version: 2.06-13+deb12u2
Distribution: bookworm
Urgency: medium
Maintainer: ppc64el Build Daemon (ppc64el-conova-01)
Changed-By: Steve McIntyre <93sam@debian.org>
Description:
 grub-common - GRand Unified Bootloader (common files)
 grub-ieee1275 - GRand Unified Bootloader, version 2 (Open Firmware version)
 grub-ieee1275-bin - GRand Unified Bootloader, version 2 (Open Firmware modules)
 grub-ieee1275-dbg - GRand Unified Bootloader, version 2 (Open Firmware debug files)
 grub-mount-udeb - export GRUB filesystems using FUSE (udeb)
 grub-theme-starfield - GRand Unified Bootloader, version 2 (starfield theme)
 grub2 - GRand Unified Bootloader, version 2 (dummy package)
 grub2-common - GRand Unified Bootloader (common files for version 2)
Changes:
 grub2 (2.06-13+deb12u2) bookworm; urgency=medium
 .
   [ Julian Andres Klode ]
   * Set Protected: yes for -signed packages so they cannot easily be removed
   * debian/patches: Backport to bookworm
 .
   [ Felix Zielcke ]
   * Add salsa-ci.yml and disable blhc and reprotest pipelines.
 .
   [ Luca Boccassi ]
   * salsa-ci: configure for stable builds
 .
   [ Mate Kukri ]
   * Cherry-pick remaining XFS delta from 2.12
   * Cherry-pick upstream vulnerability fixes
   * Cherry-pick extfs regression patch
   * Cherry-pick xfs regression patches
   * Bump SBAT level to grub,5
   * fs/fat: Don't error when mtime is 0 (LP: #2098641)
   * SECURITY UPDATE: video/readers/jpeg: Do not permit duplicate SOF0 markers in JPEG
     - CVE-2024-45774
   * SECURITY UPDATE: commands/extcmd: Missing check for failed allocation
     - CVE-2024-45775
   * SECURITY UPDATE: gettext: Integer overflow leads to heap OOB write or read
     - CVE-2024-45776
   * SECURITY UPDATE: gettext: Integer overflow leads to heap OOB write
     - CVE-2024-45777
   * SECURITY UPDATE: fs/bfs: Integer overflow
     - CVE-2024-45778
   * SECURITY UPDATE: fs/bfs: integer overflow leads to heap OOB read
     - CVE-2024-45779
   * SECURITY UPDATE: fs/tar: Integer overflow leads to heap OOB write
     - CVE-2024-45780
   * SECURITY UPDATE: fs/ufs: `strcpy` use leading to heap OOB write
     - CVE-2024-45781
   * SECURITY UPDATE: fs/hfs: `strcpy` use leading to potential heap OOB write
     - CVE-2024-45782
   * SECURITY UPDATE: fs/hfsplus: incorrect refcount handling leading to UAF
     - CVE-2024-45783
   * SECURITY UPDATE: command/gpg: Use-after-free due to hooks not being removed on module unload
     - CVE-2025-0622
   * SECURITY UPDATE: net: Out-of-bounds write in grub_net_search_config_file()
     - CVE-2025-0624
   * SECURITY UPDATE: UFS: Integer overflow may lead to heap based out-of-bounds write when handling symlinks
     - CVE-2025-0677
   * SECURITY UPDATE: squash4: Integer overflow may lead to heap based out-of-bounds write when reading data
     - CVE-2025-0678
   * SECURITY UPDATE: reiserfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data
     - CVE-2025-0684
   * SECURITY UPDATE: jfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data
     - CVE-2025-0685
   * SECURITY UPDATE: romfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data
     - CVE-2025-0686
   * SECURITY UPDATE: udf: Heap based buffer overflow in grub_udf_read_block() may lead to arbitrary code execution
     - CVE-2025-0689
   * SECURITY UPDATE: read: Integer overflow may lead to out-of-bounds write
     - CVE-2025-0690
   * SECURITY UPDATE: commands/dump: The dump command is not in lockdown when secure boot is enabled
     - CVE-2025-1118
   * SECURITY UPDATE: fs/hfs: Integer overflow may lead to heap based out-of-bounds write
     - CVE-2025-1125
   * SECURITY UPDATE: insmod: incorrect refcount handling leading to UAF [LP: #2055835]
 .
   [ Steve McIntyre ]
   * Drop NTFS patches that seem to be causing regressions
   * Remove NTFS from the monolithic EFI grub image, so we don't sign vulnerable code.
   * Similarly, remove jfs - we have doubts.
   * Bump SBAT levels:
     + grub,5 now we have the 2025 CVE fixes included
     + grub.debian,5
     + grub.debian12,1
Checksums-Sha1:
Checksums-Sha256:
Files:

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----