From e58ae796252b5cd2e52226227455579e32662168 Mon Sep 17 00:00:00 2001 From: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> Date: Thu, 20 Nov 2025 20:49:50 +0800 Subject: [PATCH] [CVE] CVE-2025-61661,CVE-2025-61663,CVE-2025-61662,CVE-2025-54770 to #27299 add patch to fix CVE-2025-61661,CVE-2025-61663,CVE-2025-61662,CVE-2025-54770 Project: TC2024080204 Signed-off-by: tomcruiseqi --- 1088-bugfix-for-CVE-2025-61661.patch | 34 +++++++++++++++ 1089-bugfix-for-CVE-2025-61663.patch | 58 +++++++++++++++++++++++++ 1090-bugfix-for-CVE-2025-61662.patch | 65 ++++++++++++++++++++++++++++ 1091-bugfix-for-CVE-2025-54770.patch | 35 +++++++++++++++ grub.patches | 8 ++++ grub2.spec | 5 ++- 6 files changed, 204 insertions(+), 1 deletion(-) create mode 100644 1088-bugfix-for-CVE-2025-61661.patch create mode 100644 1089-bugfix-for-CVE-2025-61663.patch create mode 100644 1090-bugfix-for-CVE-2025-61662.patch create mode 100644 1091-bugfix-for-CVE-2025-54770.patch diff --git a/1088-bugfix-for-CVE-2025-61661.patch b/1088-bugfix-for-CVE-2025-61661.patch new file mode 100644 index 0000000..0f6e205 --- /dev/null +++ b/1088-bugfix-for-CVE-2025-61661.patch 
@@ -0,0 +1,34 @@
+From 549a9cc372fd0b96a4ccdfad0e12140476cc62a3 Mon Sep 17 00:00:00 2001
+From: Jamie
+Date: Mon, 14 Jul 2025 09:52:59 +0100
+Subject: [PATCH] commands/usbtest: Use correct string length field
+
+An incorrect length field is used for buffer allocation. This leads to
+grub_utf16_to_utf8() receiving an incorrect/different length and possibly
+causing OOB write. This makes sure to use the correct length.
+
+Fixes: CVE-2025-61661
+
+Reported-by: Jamie
+Signed-off-by: Jamie
+Reviewed-by: Daniel Kiper
+---
+ grub-core/commands/usbtest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/usbtest.c b/grub-core/commands/usbtest.c
+index 2c6d93fe6..8ef187a9a 100644
+--- a/grub-core/commands/usbtest.c
++++ b/grub-core/commands/usbtest.c
+@@ -99,7 +99,7 @@ grub_usb_get_string (grub_usb_device_t dev, grub_uint8_t index, int langid,
+ return GRUB_USB_ERR_NONE;
+ }
+
+- *string = grub_malloc (descstr.length * 2 + 1);
++ *string = grub_malloc (descstrp->length * 2 + 1);
+ if (! *string)
+ {
+ grub_free (descstrp);
+--
+2.50.1
+
diff --git a/1089-bugfix-for-CVE-2025-61663.patch b/1089-bugfix-for-CVE-2025-61663.patch
new file mode 100644
index 0000000..ebd7ef0
--- /dev/null
+++ b/1089-bugfix-for-CVE-2025-61663.patch
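Review bot: The allocation in grub_usb_get_string() is now sized from `descstrp->length`, which the commit message says can differ from `descstr.length`, but nothing in this hunk bounds that value against the amount of descriptor data actually held in `descstrp`. The function starts and ends outside the hunk, so the allocation of `descstrp` and the later grub_utf16_to_utf8() call are not visible here. If `descstrp` was sized from `descstr.length`, a larger `descstrp->length` would trade the out-of-bounds write for an out-of-bounds read of the source buffer. Worth confirming against the full function, and if the gap exists, rejecting the mismatch before the malloc, e.g. `if (descstrp->length > descstr.length) { grub_free (descstrp); return GRUB_USB_ERR_INTERNAL; }`.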
@@ -0,0 +1,58 @@
+From 05d3698b8b03eccc49e53491bbd75dba15f40917 Mon Sep 17 00:00:00 2001
+From: Alec Brown
+Date: Thu, 21 Aug 2025 21:14:07 +0000
+Subject: [PATCH] normal/main: Unregister commands on module unload
+
+When the normal module is loaded, the normal and normal_exit commands
+are registered but aren't unregistered when the module is unloaded. We
+need to add calls to grub_unregister_command() when unloading the module
+for these commands.
+
+Fixes: CVE-2025-61663
+Fixes: CVE-2025-61664
+
+Reported-by: Alec Brown
+Signed-off-by: Alec Brown
+Reviewed-by: Daniel Kiper
+---
+ grub-core/normal/main.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+index 8c2acf938..de9a3f961 100644
+--- a/grub-core/normal/main.c
++++ b/grub-core/normal/main.c
+@@ -510,7 +510,7 @@ grub_mini_cmd_clear (struct grub_command *cmd __attribute__ ((unused)),
+ return 0;
+ }
+
+-static grub_command_t cmd_clear;
++static grub_command_t cmd_clear, cmd_normal, cmd_normal_exit;
+
+ static void (*grub_xputs_saved) (const char *str);
+ static const char *features[] = {
+@@ -554,10 +554,10 @@ GRUB_MOD_INIT(normal)
+ grub_env_export ("pager");
+
+ /* Register a command "normal" for the rescue mode. */
+- grub_register_command ("normal", grub_cmd_normal,
+- 0, N_("Enter normal mode."));
+- grub_register_command ("normal_exit", grub_cmd_normal_exit,
+- 0, N_("Exit from normal mode."));
++ cmd_normal = grub_register_command ("normal", grub_cmd_normal,
++ 0, N_("Enter normal mode."));
++ cmd_normal_exit = grub_register_command ("normal_exit", grub_cmd_normal_exit,
++ 0, N_("Exit from normal mode."));
+
+ /* Reload terminal colors when these variables are written to. */
+ grub_register_variable_hook ("color_normal", NULL, grub_env_write_color_normal);
+@@ -599,4 +599,6 @@ GRUB_MOD_FINI(normal)
+ grub_register_variable_hook ("color_highlight", NULL, NULL);
+ grub_fs_autoload_hook = 0;
+ grub_unregister_command (cmd_clear);
++ grub_unregister_command (cmd_normal);
++ grub_unregister_command (cmd_normal_exit);
+ }
+--
+2.50.1
+
diff --git a/1090-bugfix-for-CVE-2025-61662.patch b/1090-bugfix-for-CVE-2025-61662.patch
new file mode 100644
index 0000000..de36ffe
--- /dev/null
+++ b/1090-bugfix-for-CVE-2025-61662.patch
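Review bot: `cmd_normal` and `cmd_normal_exit` are stored straight from grub_register_command() in GRUB_MOD_INIT(normal) and passed unconditionally to grub_unregister_command() in GRUB_MOD_FINI(normal), with no check that registration succeeded. This mirrors the existing `grub_unregister_command (cmd_clear);` line, and neither function's body is on this page, so it is only a problem if registration can return NULL and unregistration dereferences its argument. If both hold, a failed registration becomes a NULL dereference at unload. A guard such as `if (cmd_normal != NULL) grub_unregister_command (cmd_normal);` would close that, and the same applies to `cmd` in the gettext patch (1090).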
@@ -0,0 +1,65 @@
+From 8ed78fd9f0852ab218cc1f991c38e5a229e43807 Mon Sep 17 00:00:00 2001
+From: Alec Brown
+Date: Thu, 21 Aug 2025 21:14:06 +0000
+Subject: [PATCH] gettext/gettext: Unregister gettext command on module unload
+
+When the gettext module is loaded, the gettext command is registered but
+isn't unregistered when the module is unloaded. We need to add a call to
+grub_unregister_command() when unloading the module.
+
+Fixes: CVE-2025-61662
+
+Reported-by: Alec Brown
+Signed-off-by: Alec Brown
+Reviewed-by: Daniel Kiper
+---
+ grub-core/gettext/gettext.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
+index 9ffc73428..edebed998 100644
+--- a/grub-core/gettext/gettext.c
++++ b/grub-core/gettext/gettext.c
+@@ -502,6 +502,8 @@ grub_cmd_translate (grub_command_t cmd __attribute__ ((unused)),
+ return 0;
+ }
+
++static grub_command_t cmd;
++
+ GRUB_MOD_INIT (gettext)
+ {
+ const char *lang;
+@@ -521,13 +523,14 @@ GRUB_MOD_INIT (gettext)
+ grub_register_variable_hook ("locale_dir", NULL, read_main);
+ grub_register_variable_hook ("secondary_locale_dir", NULL, read_secondary);
+
+- grub_register_command_p1 ("gettext", grub_cmd_translate,
+- N_("STRING"),
+- /* TRANSLATORS: It refers to passing the string through gettext.
+- So it's "translate" in the same meaning as in what you're
+- doing now.
+- */
+- N_("Translates the string with the current settings."));
++ cmd = grub_register_command_p1 ("gettext", grub_cmd_translate,
++ N_("STRING"),
++ /*
++ * TRANSLATORS: It refers to passing the string through gettext.
++ * So it's "translate" in the same meaning as in what you're
++ * doing now.
++ */
++ N_("Translates the string with the current settings."));
+
+ /* Reload .mo file information if lang changes. */
+ grub_register_variable_hook ("lang", NULL, grub_gettext_env_write_lang);
+@@ -544,6 +547,8 @@ GRUB_MOD_FINI (gettext)
+ grub_register_variable_hook ("secondary_locale_dir", NULL, NULL);
+ grub_register_variable_hook ("lang", NULL, NULL);
+
++ grub_unregister_command (cmd);
++
+ grub_gettext_delete_list (&main_context);
+ grub_gettext_delete_list (&secondary_context);
+
+--
+2.50.1
+
diff --git a/1091-bugfix-for-CVE-2025-54770.patch b/1091-bugfix-for-CVE-2025-54770.patch
new file mode 100644
index 0000000..12d8409
--- /dev/null
+++ b/1091-bugfix-for-CVE-2025-54770.patch
@@ -0,0 +1,35 @@
+From 10e58a14db20e17d1b6a39abe38df01fef98e29d Mon Sep 17 00:00:00 2001
+From: Thomas Frauendorfer | Miray Software
+Date: Fri, 9 May 2025 14:20:47 +0200
+Subject: [PATCH] net/net: Unregister net_set_vlan command on unload
+
+The commit 954c48b9c (net/net: Add net_set_vlan command) added command
+net_set_vlan to the net module. Unfortunately the commit only added the
+grub_register_command() call on module load but missed the
+grub_unregister_command() on unload. Let's fix this.
+
+Fixes: CVE-2025-54770
+Fixes: 954c48b9c (net/net: Add net_set_vlan command)
+
+Reported-by: Thomas Frauendorfer | Miray Software
+Signed-off-by: Thomas Frauendorfer | Miray Software
+Reviewed-by: Daniel Kiper
+---
+ grub-core/net/net.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/grub-core/net/net.c b/grub-core/net/net.c
+index 6ea33d1cd..6c94a3b1e 100644
+--- a/grub-core/net/net.c
++++ b/grub-core/net/net.c
+@@ -2146,6 +2146,7 @@ GRUB_MOD_FINI(net)
+ grub_unregister_command (cmd_deladdr);
+ grub_unregister_command (cmd_addroute);
+ grub_unregister_command (cmd_delroute);
++ grub_unregister_command (cmd_setvlan);
+ grub_unregister_command (cmd_lsroutes);
+ grub_unregister_command (cmd_lscards);
+ grub_unregister_command (cmd_lsaddr);
+--
+2.50.1
+
diff --git a/grub.patches b/grub.patches
index d977393..7433c4b 100644
--- a/grub.patches
+++ b/grub.patches
@@ -286,3 +286,11 @@ Patch1084: 1084-kern-misc-Add-sanity-check-after-grub_strtoul-call.patch Patch1085: 1085-loader-i386-linux-Cast-left-shift-to-grub_uint32_t.patch Patch1086: 1086-loader-i386-bsd-Use-safe-math-to-avoid-underflow.patch Patch1087: 1087-fix-CVE-2024-56738.patch +# CVE-2025-61661 https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=patch;h=549a9cc372fd0b96a4ccdfad0e12140476cc62a3 +Patch1088: 1088-bugfix-for-CVE-2025-61661.patch +# CVE-2025-61663 https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=patch;h=05d3698b8b03eccc49e53491bbd75dba15f40917 +Patch1089: 1089-bugfix-for-CVE-2025-61663.patch +# CVE-2025-61662 https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=patch;h=8ed78fd9f0852ab218cc1f991c38e5a229e43807 +Patch1090: 1090-bugfix-for-CVE-2025-61662.patch +# CVE-2025-54770 https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=patch;h=10e58a14db20e17d1b6a39abe38df01fef98e29d +Patch1091: 1091-bugfix-for-CVE-2025-54770.patch diff --git a/grub2.spec b/grub2.spec index 0e423bf..187727b 100644 --- a/grub2.spec +++ b/grub2.spec @@ -1,4 +1,4 @@ -%define anolis_release 15 +%define anolis_release 16 %global _lto_cflags %{nil} %undefine _hardened_build @@ -506,6 +506,9 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg %endif %changelog +* Thu Nov 20 2025 tomcruiseqi - 1:2.12-16 +- Fix CVE-2025-61661,CVE-2025-61663,CVE-2025-61662,CVE-2025-54770 + * Tue Aug 26 2025 zjl002254423 -2.12-15 - Fix CVE-2024-56738,CVE-2024-56737,CVE-2024-45774,CVE-2024-45775,CVE-2024-45776,CVE-2024-45777,CVE-2024-45778,CVE-2024-45779,CVE-2024-45780,CVE-2024-45781,CVE-2024-45782,CVE-2024-45783,CVE-2025-0622,CVE-2025-0624,CVE-2025-0677,CVE-2025-0678,CVE-2025-0684,CVE-2025-0685,CVE-2025-0686,CVE-2025-0689,CVE-2025-0690,CVE-2025-1118,CVE-2025-1125 -- Gitee
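Review bot: The tracking metadata names only CVE-2025-61663 for patch 1089, while the upstream commit message carried in that patch has both `Fixes: CVE-2025-61663` and `Fixes: CVE-2025-61664`. The comment above `Patch1089` in grub.patches and the new %changelog entry in grub2.spec are what auditors and package scanners typically read, so CVE-2025-61664 may keep being reported as unfixed for this build even though the code change is included. Suggest `# CVE-2025-61663 CVE-2025-61664 https://…` above `Patch1089`, and a changelog line of `- Fix CVE-2025-61661,CVE-2025-61663,CVE-2025-61664,CVE-2025-61662,CVE-2025-54770`.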