Addressed multiple grub2 CVEs

[kgodara912]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

Addressing Grub2 multiple CVEs

Change Log

• Addressed multiple grub2 CVEs

• Modified grub2 spec for the same

• CVE-2025-0684

• CVE-2024-45782

• CVE-2024-45778

• CVE-2025-0686

• CVE-2025-0678

• CVE-2025-0685

• CVE-2024-45779

• CVE-2025-0689

• CVE-2024-45780

• CVE-2025-1125

• CVE-2025-0690

• CVE-2024-45783

• CVE-2024-45776

• CVE-2024-45777

• CVE-2025-0677

• CVE-2025-1118

• CVE-2024-45775

• CVE-2024-45781

• CVE-2024-45774

• CVE-2024-56737

• CVE-2017-7526

• CVE-2019-13627

• CVE-2014-3591

Does this affect the toolchain?

YES/NO

Associated issues

• #xxxx

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2025-0684
• https://nvd.nist.gov/vuln/detail/CVE-2024-45782
• https://nvd.nist.gov/vuln/detail/CVE-2024-45778
• https://nvd.nist.gov/vuln/detail/CVE-2025-0686
• https://nvd.nist.gov/vuln/detail/CVE-2025-0678
• https://nvd.nist.gov/vuln/detail/CVE-2025-0685
• https://nvd.nist.gov/vuln/detail/CVE-2024-45779
• https://nvd.nist.gov/vuln/detail/CVE-2025-0689
• https://nvd.nist.gov/vuln/detail/CVE-2024-45780
• https://nvd.nist.gov/vuln/detail/CVE-2025-1125
• https://nvd.nist.gov/vuln/detail/CVE-2025-0690
• https://nvd.nist.gov/vuln/detail/CVE-2024-45783
• https://nvd.nist.gov/vuln/detail/CVE-2024-45776
• https://nvd.nist.gov/vuln/detail/CVE-2024-45777
• https://nvd.nist.gov/vuln/detail/CVE-2025-0677
• https://nvd.nist.gov/vuln/detail/CVE-2025-1118
• https://nvd.nist.gov/vuln/detail/CVE-2024-45775
• https://nvd.nist.gov/vuln/detail/CVE-2024-45781
• https://nvd.nist.gov/vuln/detail/CVE-2024-45774
• https://nvd.nist.gov/vuln/detail/CVE-2024-56737
• https://nvd.nist.gov/vuln/detail/CVE-2017-7526
• https://nvd.nist.gov/vuln/detail/CVE-2019-13627
• https://nvd.nist.gov/vuln/detail/CVE-2014-3591

Test Methodology

• Pipeline build id: 838703

[Copilot]

Pull Request Overview

This PR addresses a large collection of GRUB2 security vulnerabilities by bumping the package release and integrating numerous upstream CVE patches.

• Bumped the Release number from 24 to 25 and updated the changelog entries
• Added bulk CVE patch entries to the main spec and corresponding .patch files
• Aligned the EFI binary–signed spec’s release with the main GRUB2 release

Reviewed Changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated 2 comments.

File	Description
SPECS/grub2/grub2.spec	Bumped release and registered multiple CVE patches
SPECS-SIGNED/grub2-efi-binary-signed/*.spec	Bumped release in signed EFI spec
SPECS/grub2/*.patch	Added and updated numerous CVE fix patches

Comments suppressed due to low confidence (2)

SPECS/grub2/CVE-2019-13627.patch:32

• The type MPI is not defined in this context; it should likely be gcry_mpi_t to match the existing code base and avoid compilation errors.

   /* Select a random k with 0 < k < q */

SPECS/grub2/CVE-2024-45781.patch:21

• [nitpick] The variable sz is not shown in this snippet; ensure that it correctly represents the destination buffer size to avoid truncation issues or buffer overflows. Consider using a more descriptive name or an explicit constant.

+    grub_strlcpy (symlink, (char *) data->inode.symlink, sz);

[Copilot]

After realloc, the returned pointer is assigned to tmp but not to line. This can lead to use-after-free or memory corruption. You should add line = tmp; before continuing.

Suggested change

	+ tmp = grub_realloc (line, alloc_size);
	+ tmp = grub_realloc (line, alloc_size);
	+ line = tmp;

[Copilot]

[nitpick] This concatenated patch filename groups five CVEs together, which can make tracing and backporting harder. Consider splitting it into individual patch files or grouping by year for better readability.

Suggested change

	Patch: CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch
	Patch: CVE-2025-0677.patch
	Patch: CVE-2025-0684.patch
	Patch: CVE-2025-0685.patch
	Patch: CVE-2025-0686.patch
	Patch: CVE-2025-0689.patch

[kgodara912]

@microsoft/cbl-mariner-bootloader, please do let me know any specific testing I need to do for grub2 package? Will a full build do the needful?