Addressed multiple grub2 CVEs

[kgodara912]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

Addressing Grub2 multiple CVEs

Change Log

• Addressed multiple grub2 CVEs

• Modified grub2 spec for the same

• CVE-2025-0684

• CVE-2024-45782

• CVE-2024-45778

• CVE-2025-0686

• CVE-2025-0678

• CVE-2025-0685

• CVE-2024-45779

• CVE-2025-0689

• CVE-2024-45780

• CVE-2025-1125

• CVE-2025-0690

• CVE-2024-45783

• CVE-2024-45776

• CVE-2024-45777

• CVE-2025-0677

• CVE-2025-1118

• CVE-2024-45775

• CVE-2024-45781

• CVE-2024-45774

• CVE-2024-56737

• CVE-2017-7526

• CVE-2019-13627

• CVE-2014-3591

Does this affect the toolchain?

YES/NO

Associated issues

• #xxxx

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2025-0684
• https://nvd.nist.gov/vuln/detail/CVE-2024-45782
• https://nvd.nist.gov/vuln/detail/CVE-2024-45778
• https://nvd.nist.gov/vuln/detail/CVE-2025-0686
• https://nvd.nist.gov/vuln/detail/CVE-2025-0678
• https://nvd.nist.gov/vuln/detail/CVE-2025-0685
• https://nvd.nist.gov/vuln/detail/CVE-2024-45779
• https://nvd.nist.gov/vuln/detail/CVE-2025-0689
• https://nvd.nist.gov/vuln/detail/CVE-2024-45780
• https://nvd.nist.gov/vuln/detail/CVE-2025-1125
• https://nvd.nist.gov/vuln/detail/CVE-2025-0690
• https://nvd.nist.gov/vuln/detail/CVE-2024-45783
• https://nvd.nist.gov/vuln/detail/CVE-2024-45776
• https://nvd.nist.gov/vuln/detail/CVE-2024-45777
• https://nvd.nist.gov/vuln/detail/CVE-2025-0677
• https://nvd.nist.gov/vuln/detail/CVE-2025-1118
• https://nvd.nist.gov/vuln/detail/CVE-2024-45775
• https://nvd.nist.gov/vuln/detail/CVE-2024-45781
• https://nvd.nist.gov/vuln/detail/CVE-2024-45774
• https://nvd.nist.gov/vuln/detail/CVE-2024-56737
• https://nvd.nist.gov/vuln/detail/CVE-2017-7526
• https://nvd.nist.gov/vuln/detail/CVE-2019-13627
• https://nvd.nist.gov/vuln/detail/CVE-2014-3591

Test Methodology

• Pipeline build id: 838759

[Copilot]

Pull Request Overview

This PR updates the grub2 package to address multiple security vulnerabilities by applying upstream patches for various CVEs and adjusting the spec files accordingly.

• Bumps the grub2 and grub2-efi-binary-signed release numbers to match the new patch level.
• Adds or updates a series of patch files addressing CVE-2025-0684, CVE-2024-45782, CVE-2024-45778, CVE-2025-0686, CVE-2025-0678, CVE-2025-0685, CVE-2024-45779, CVE-2025-0689, CVE-2024-45780, CVE-2025-1125, CVE-2025-0690, CVE-2024-45783, CVE-2024-45776, CVE-2024-45777, CVE-2025-0677, CVE-2025-1118, CVE-2024-45775, CVE-2024-45781, CVE-2024-45774, CVE-2024-56737, CVE-2017-7526, CVE-2019-13627, and CVE-2014-3591.

Reviewed Changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated no comments.

File	Description
SPECS/grub2/grub2.spec	Release number bump and additions to the patch list for new CVEs.
SPECS/grub2/CVE-*.patch	Multiple patch updates addressing individual CVEs with modifications to functions and security checks.
SPECS-SIGNED/grub2-efi-binary-signed.spec	Release number bump to maintain consistency with grub2.spec.

Comments suppressed due to low confidence (2)

SPECS/grub2/CVE-2019-13627.patch:58

• [nitpick] Consider adding a comment to explain the rationale behind comparing 'scalar' with 'ctx->p' and choosing the respective nbits calculation to improve code clarity for future maintainers.

+  if (mpi_cmp (scalar, ctx->p) >= 0)

SPECS/grub2/CVE-2025-0690.patch:46

• Consider using a separate temporary variable instead of reusing 'i' for the arithmetic operation with grub_add to improve clarity and reduce potential hidden issues with in-place modification.

+      if (grub_add (i, 1, &i))

[kgodara912]

@microsoft/cbl-mariner-bootloader, please do let me know any specific testing I need to do for grub2 package? Will a full build do the needful?

[mfrw]

I would request that we do a full build of this specific change and then test the resulting ISO/VM image if it properly boots - preferably both in Azure & Locally.

Also, it seems our build is failing: link