Public bug reported:

~/work/source/jammy/grub2-2.06$ grep -nri "zstd-1.3.6" *
ChangeLog:6978: zstd: Import upstream zstd-1.3.6
ChangeLog:6979: - Import zstd-1.3.6 from upstream
ChangeLog:6983: Import zstd-1.3.6 from upstream [1]. Only the files need for decompression
ChangeLog:6987: I included the script used to import zstd-1.3.6 below at the bottom of the
ChangeLog:7015: curl -L -O https://github.com/facebook/zstd/releases/download/v1.3.6/zstd-1.3.6.tar.gz
ChangeLog:7016: curl -L -O https://github.com/facebook/zstd/releases/download/v1.3.6/zstd-1.3.6.tar.gz.sha256
ChangeLog:7017: sha256sum --check zstd-1.3.6.tar.gz.sha256
ChangeLog:7018: tar xzf zstd-1.3.6.tar.gz
ChangeLog:7020: SRC_LIB="zstd-1.3.6/lib"
ChangeLog:7028: rm -rf zstd-1.3.6*
Scanning binaries like grub-install, grub-file; any of the grub binaries linked against grub-core include the embedded libzstd 1.3.6 library. This version has outstanding CVEs, already fixed in newer libzstd releases:

https://ubuntu.com/security/CVE-2019-11922
https://ubuntu.com/security/CVE-2021-24031

I looked at the latest grub2, 2.12 in oracular, and this still vendors libzstd 1.3.6.

The listed CVEs don't look like they apply to the grub vendored version (one deals with compress, grub only decompresses), the other with file permissions on output (grub doesn't write files). Consider bumping the vendored version since CVE scanners tag grub binaries with these CVEs even if they don't operationally apply.

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: grub2-common 2.06-2ubuntu7.2
ProcVersionSignature: Ubuntu 5.15.0-1064.69-kvm 5.15.160
Uname: Linux 5.15.0-1064-kvm x86_64
ApportVersion: 2.20.11-0ubuntu82.6
Architecture: amd64
CasperMD5CheckResult: unknown
CloudArchitecture: x86_64
CloudID: lxd
CloudName: lxd
CloudPlatform: lxd
CloudSubPlatform: LXD socket API v. 1.0 (/dev/lxd/sock)
Date: Fri Aug 16 21:44:02 2024
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=C.UTF-8
SourcePackage: grub2
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: grub2 (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug jammy uec-images

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2077201

Title:
  grub2 vendors libzstd 1.3.6 which has some CVEs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/2077201/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
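The report's underlying point is that a CVE scanner matching a vendored version string answers only "does the version match an advisory?", not "is the affected code path even linked into this binary?". The following is an added example, not code from the bug report, grub, zstd or any scanner: it searches a binary for a zstd version marker and then separates version matches from the ones whose component (compressor, CLI output-file handling) the binary actually contains. Assumptions, all not taken from the page: the marker pattern (an ASCII "zstd" within a few dozen bytes of a dotted version number), the fixed-in versions in ADVISORIES (placeholders to be verified against each advisory), and the component labels, which follow the report's own reasoning about where the two CVEs live.

```python
"""Vendored-zstd version finder that distinguishes scanner noise from exposure.

Added example; not from the bug report, grub or zstd.
"""
import re
from pathlib import Path
from typing import Optional

Version = tuple[int, int, int]

# Assumed marker: the bytes "zstd" followed within 64 bytes by a dotted
# version number, e.g. b"zstd-1.3.6". Real scanners use their own heuristics.
MARKER = re.compile(rb"zstd.{0,64}?(\d+)\.(\d+)\.(\d+)", re.DOTALL)

# Per-CVE data. The fixed_in versions are PLACEHOLDERS (verify against the
# advisories); the component names come from the report's reasoning that one
# CVE is in the compressor and the other in how the CLI creates output files.
ADVISORIES = {
    "CVE-2019-11922": {"fixed_in": (1, 3, 8), "component": "compressor"},
    "CVE-2021-24031": {"fixed_in": (1, 4, 1), "component": "cli-output-files"},
}

# Constructed sample fragment standing in for a grub binary (not a real ELF).
SAMPLE_BINARY = (b"\x7fELF\x02\x01\x01" + b"\x00" * 16
                 + b"grub-core zstd-1.3.6 decoder\x00" + b"\xff" * 8)


def find_vendored_zstd_version(data: bytes) -> Optional[Version]:
    """Return (major, minor, patch) of the first zstd marker found, else None."""
    m = MARKER.search(data)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def assess(version: Version, components_present: set[str],
           advisories=ADVISORIES) -> dict:
    """Split advisories into plain version matches and ones whose affected
    component is actually linked into the binary."""
    matched = sorted(cve for cve, adv in advisories.items()
                     if version < adv["fixed_in"])
    applicable = [cve for cve in matched
                  if advisories[cve]["component"] in components_present]
    return {
        "version": version,
        "version_matches": matched,
        "operationally_applicable": applicable,
        "scanner_noise": [cve for cve in matched if cve not in applicable],
    }


def assess_bytes(data: bytes, components_present: set[str]) -> Optional[dict]:
    """Scan an in-memory blob; None when no zstd marker is present."""
    v = find_vendored_zstd_version(data)
    return None if v is None else assess(v, components_present)


def assess_file(path: str, components_present: set[str]) -> Optional[dict]:
    """Scan a file on disk, e.g. a grub-install or grub-file binary."""
    return assess_bytes(Path(path).read_bytes(), components_present)


if __name__ == "__main__":
    # grub links only the decompressor and writes no files, so both CVEs
    # show up as version matches but none as operationally applicable.
    print(assess_bytes(SAMPLE_BINARY, {"decompressor"}))
```

Bumping the vendored copy, as the report suggests, is still the clean fix: it removes the version match itself instead of leaving a finding that has to be re-explained at every scan.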