boot/grub2: ignore the last 3 remaining CVEs
authorThomas Petazzoni <thomas.petazzoni@bootlin.com>
Mon, 5 Apr 2021 18:52:30 +0000 (20:52 +0200)
committerPeter Korsgaard <peter@korsgaard.com>
Tue, 6 Apr 2021 07:36:48 +0000 (09:36 +0200)
An analysis of the last 3 remaining CVEs that are reported to affect
the grub2 package has allowed to ensure that we can safely ignore
them:

 * CVE-2020-14372 is already fixed by a patch we have in our patch
   stack for grub2

 * CVE-2019-14865 and CVE-2020-15705 are both distro-specific and do
   not affect grub2 upstream, nor grub2 with the stack of patches we
   have in Buildroot

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
boot/grub2/grub2.mk

index c5742ede71ab1d8d79e631346a909040fb5e1205..af16ee91e1775990561b08a01070e30d008ff1ae 100644 (file)
@@ -37,6 +37,18 @@ GRUB2_IGNORE_CVES += CVE-2020-15707
 # 2021/03/02 security fixes - patches 0029-0149
 GRUB2_IGNORE_CVES += CVE-2020-25632 CVE-2020-25647 CVE-2020-27749 \
        CVE-2020-27779 CVE-2021-3418 CVE-2021-20225 CVE-2021-20233
+# 0039-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch
+GRUB2_IGNORE_CVES += CVE-2020-14372
+# CVE-2019-14865 is about a flaw in the grub2-set-bootflag tool, which
+# doesn't exist upstream, but is added by the Redhat/Fedora
+# packaging. Not applicable to Buildroot.
+GRUB2_IGNORE_CVES += CVE-2019-14865
+# CVE-2020-15705 is related to a flaw in the use of the
+# grub_linuxefi_secure_validate(), which was added by Debian/Ubuntu
+# patches. The issue doesn't affect upstream Grub, and
+# grub_linuxefi_secure_validate() is not implemented in the grub2
+# version available in Buildroot.
+GRUB2_IGNORE_CVES += CVE-2020-15705
 
 ifeq ($(BR2_TARGET_GRUB2_INSTALL_TOOLS),y)
 GRUB2_INSTALL_TARGET = YES