Control: retitle -1 grub2: CVE-2022-28735 grub2: shim_lock verifier allows non-kernel files to be loaded
On Fri, Dec 03, 2021 at 11:17:26AM +0000, Colin Watson wrote:
> Package: grub2
> Version: 2.06-2
> Severity: serious
> Justification: maintainer says so
>
> GRUB 2.06 is a pretty big change over 2.04. I'd like to hold this in
> unstable for a while longer to let things shake out before we allow it
> to move to testing.

Now that it's public, we can say that here's the real reason for this:

CVE-2022-28735 grub2: shim_lock verifier allows non-kernel files to be loaded

6.7/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

The GRUB2's shim_lock verifier allows non-kernel files to be loaded on
shim-powered secure boot systems. Allowing such files to be loaded may
lead to unverified code and modules to be loaded in GRUB2 breaking the
secure boot trust-chain.

https://lists.gnu.org/archive/html/grub-devel/2022-06/msg00035.html

That's why we wanted to keep it out of testing to not expose our testing
users to that. Planning to have updates ready in the next couple of days.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
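The advisory above describes a verifier whose default for file types it does not name is to skip verification. The following C model, added here and not taken from GRUB or from the bug report, contrasts that fail-open default with a fail-closed one; the file classes, verdicts and policy functions are constructed for the illustration and are not GRUB's real types.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed, simplified file classes; not GRUB's real grub_file_type enum. */
enum file_class {
    FC_LINUX_KERNEL,     /* signed image, verified through shim */
    FC_INITRD,           /* handed to an already-verified kernel */
    FC_GRUB_MODULE,      /* executes inside the boot loader itself */
    FC_ACPI_TABLE,       /* loaded into memory for the OS to consume */
    FC_UNKNOWN_NEW_TYPE  /* a class added later that the policy never listed */
};

enum verdict { VERIFY_SIGNATURE, SKIP_VERIFICATION, DENY };

/* Fail-open pattern: everything not recognised as a kernel is simply skipped. */
enum verdict policy_fail_open(enum file_class c)
{
    switch (c) {
    case FC_LINUX_KERNEL:
        return VERIFY_SIGNATURE;
    default:
        return SKIP_VERIFICATION;  /* modules, tables, unknowns: loaded unchecked */
    }
}

/* Fail-closed pattern: an explicit allow list for "skip", and the default denies. */
enum verdict policy_fail_closed(enum file_class c)
{
    switch (c) {
    case FC_LINUX_KERNEL:
        return VERIFY_SIGNATURE;
    case FC_INITRD:
        return SKIP_VERIFICATION;  /* only classes known not to affect the trust chain */
    default:
        return DENY;               /* anything else, including new classes, is refused */
    }
}

/* True if the policy lets any class that can carry code into the boot path
 * load without a signature check, i.e. the secure boot trust chain can break. */
bool policy_breaks_trust_chain(enum verdict (*policy)(enum file_class))
{
    const enum file_class risky[] = { FC_GRUB_MODULE, FC_ACPI_TABLE, FC_UNKNOWN_NEW_TYPE };
    for (size_t i = 0; i < sizeof risky / sizeof risky[0]; i++)
        if (policy(risky[i]) == SKIP_VERIFICATION)
            return true;
    return false;
}
```

The point of the third function is that a default-deny policy stays safe even for file classes that did not exist when the policy was written.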