[Medium] Patch grub2 for CVE-2025-61661, CVE-2025-61662 & CVE-2025-61663

[akhila-guruju]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

Patch grub2 for CVE-2025-61661, CVE-2025-61662 & CVE-2025-61663

Patches modified: No

For CVE-2025-61661:
Upstream Patch Reference: https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=patch;h=549a9cc372fd0b96a4ccdfad0e12140476cc62a3

For CVE-2025-61662:
Upstream Patch Reference: https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=patch;h=8ed78fd9f0852ab218cc1f991c38e5a229e43807

For CVE-2025-61663:
Upstream Patch Reference: https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=patch;h=05d3698b8b03eccc49e53491bbd75dba15f40917

Change Log

• new file: SPECS/grub2/CVE-2025-61661.patch
• new file: SPECS/grub2/CVE-2025-61662.patch
• new file: SPECS/grub2/CVE-2025-61663.patch
• modified: SPECS/grub2/grub2.spec
• modified: SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec

Does this affect the toolchain?

NO

Associated issues

• #xxxx

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2025-61661
• https://nvd.nist.gov/vuln/detail/CVE-2025-61662
• https://nvd.nist.gov/vuln/detail/CVE-2025-61663

Test Methodology

• Local Build
• Patches applied cleanly

[Kanishk-Bansal]

Buddy Build

[akhila-guruju]

BB has passed.

[xordux]

I signoff this PR.

[xordux]

Patch Analysis: 1 Clean Patch and 2 Backported

• Buddy Build
• patch applied during the build (Screenshots added in PR Description)
• patch include an upstream reference
• PR has security tags

CVE-2025-61661 - Clean Patch. Difference of one blank line that doesn't matter.
CVE-2025-61662 - Backported. Code fixing the patch is same, code around the patched line is different (this is expected due to difference between our version and upstream)
CVE-2025-61663 - Backport. Code fixing the patch is same, code around the patched line is different (this is expected due to difference between our version and upstream)

[kgodara912]

Will merge post December release to get it tested in development branch.

[kgodara912]

Full build

[kgodara912]

Buddy build and full build are successful. Both the generated iso and vhdx files from full build are booting fine with hyper-v vms. LGTM.