diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d2..0000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/0487-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch b/SOURCES/0487-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch
new file mode 100644
index 0000000..e7f7a0c
--- /dev/null
+++ b/SOURCES/0487-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch
@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Wed, 3 Aug 2022 19:45:33 +0800
+Subject: [PATCH] font: Reject glyphs exceeds font->max_glyph_width or
+ font->max_glyph_height
+
+Check glyph's width and height against limits specified in font's
+metadata. Reject the glyph (and font) if such limits are exceeded.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit 5760fcfd466cc757540ea0d591bad6a08caeaa16)
+(cherry picked from commit 3b410ef4bb95e607cadeba2193fa90ae9bddb98d)
+(cherry picked from commit 8ebe587def61af7893ebcae87d45c883f3cfb713)
+---
+ grub-core/font/font.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index b67507fcc8..8d1a990401 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -760,7 +760,9 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+ || read_be_uint16 (font->file, &height) != 0
+ || read_be_int16 (font->file, &xoff) != 0
+ || read_be_int16 (font->file, &yoff) != 0
+- || read_be_int16 (font->file, &dwidth) != 0)
++ || read_be_int16 (font->file, &dwidth) != 0
++ || width > font->max_char_width
++ || height > font->max_char_height)
+ {
+ remove_font (font);
+ return 0;
diff --git a/SOURCES/0488-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch b/SOURCES/0488-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
new file mode 100644
index 0000000..df3a705
--- /dev/null
+++ b/SOURCES/0488-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
@@ -0,0 +1,112 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 00:51:20 +0800
+Subject: [PATCH] font: Fix size overflow in grub_font_get_glyph_internal()
+
+The length of memory allocation and file read may overflow. This patch
+fixes the problem by using safemath macros.
+
+There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe
+if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz().
+It is safe replacement for such code. It has safemath-like prototype.
+
+This patch also introduces grub_cast(value, pointer), it casts value to
+typeof(*pointer) then store the value to *pointer. It returns true when
+overflow occurs or false if there is no overflow. The semantics of arguments
+and return value are designed to be consistent with other safemath macros.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit 941d10ad6f1dcbd12fb613002249e29ba035f985)
+(cherry picked from commit 6bca9693878bdf61dd62b8c784862a48e75f569a)
+(cherry picked from commit edbbda5486cf8c3dc2b68fbd3dead822ab448022)
+---
+ grub-core/font/font.c | 17 +++++++++++++----
+ include/grub/bitmap.h | 18 ++++++++++++++++++
+ include/grub/safemath.h | 2 ++
+ 3 files changed, 33 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 8d1a990401..d6df79602d 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -739,7 +739,8 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+ grub_int16_t xoff;
+ grub_int16_t yoff;
+ grub_int16_t dwidth;
+- int len;
++ grub_ssize_t len;
++ grub_size_t sz;
+
+ if (index_entry->glyph)
+ /* Return cached glyph. */
+@@ -768,9 +769,17 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+ return 0;
+ }
+
+- len = (width * height + 7) / 8;
+- glyph = grub_malloc (sizeof (struct grub_font_glyph) + len);
+- if (!glyph)
++ /* Calculate real struct size of current glyph. */
++ if (grub_video_bitmap_calc_1bpp_bufsz (width, height, &len) ||
++ grub_add (sizeof (struct grub_font_glyph), len, &sz))
++ {
++ remove_font (font);
++ return 0;
++ }
++
++ /* Allocate and initialize the glyph struct. */
++ glyph = grub_malloc (sz);
++ if (glyph == NULL)
+ {
+ remove_font (font);
+ return 0;
+diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h
+index 5728f8ca3a..0d9603f619 100644
+--- a/include/grub/bitmap.h
++++ b/include/grub/bitmap.h
+@@ -23,6 +23,7 @@
+ #include <grub/symbol.h>
+ #include <grub/types.h>
+ #include <grub/video.h>
++#include <grub/safemath.h>
+
+ struct grub_video_bitmap
+ {
+@@ -79,6 +80,23 @@ grub_video_bitmap_get_height (struct grub_video_bitmap *bitmap)
+ return bitmap->mode_info.height;
+ }
+
++/*
++ * Calculate and store the size of data buffer of 1bit bitmap in result.
++ * Equivalent to "*result = (width * height + 7) / 8" if no overflow occurs.
++ * Return true when overflow occurs or false if there is no overflow.
++ * This function is intentionally implemented as a macro instead of
++ * an inline function. Although a bit awkward, it preserves data types for
++ * safemath macros and reduces macro side effects as much as possible.
++ *
++ * XXX: Will report false overflow if width * height > UINT64_MAX.
++ */
++#define grub_video_bitmap_calc_1bpp_bufsz(width, height, result) \
++({ \
++ grub_uint64_t _bitmap_pixels; \
++ grub_mul ((width), (height), &_bitmap_pixels) ? 1 : \
++ grub_cast (_bitmap_pixels / GRUB_CHAR_BIT + !!(_bitmap_pixels % GRUB_CHAR_BIT), (result)); \
++})
++
+ void EXPORT_FUNC (grub_video_bitmap_get_mode_info) (struct grub_video_bitmap *bitmap,
+ struct grub_video_mode_info *mode_info);
+
+diff --git a/include/grub/safemath.h b/include/grub/safemath.h
+index 1ccac276b5..30800ad6a1 100644
+--- a/include/grub/safemath.h
++++ b/include/grub/safemath.h
+@@ -30,6 +30,8 @@
+ #define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res)
+ #define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res)
+
++#define grub_cast(a, res) grub_add ((a), 0, (res))
++
+ #else
+ /*
+ * Copyright 2020 Rasmus Villemoes
diff --git a/SOURCES/0489-font-Fix-several-integer-overflows-in-grub_font_cons.patch b/SOURCES/0489-font-Fix-several-integer-overflows-in-grub_font_cons.patch
new file mode 100644
index 0000000..0afdf93
--- /dev/null
+++ b/SOURCES/0489-font-Fix-several-integer-overflows-in-grub_font_cons.patch
@@ -0,0 +1,81 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 01:58:27 +0800
+Subject: [PATCH] font: Fix several integer overflows in
+ grub_font_construct_glyph()
+
+This patch fixes several integer overflows in grub_font_construct_glyph().
+Glyphs of invalid size, zero or leading to an overflow, are rejected.
+The inconsistency between "glyph" and "max_glyph_size" when grub_malloc()
+returns NULL is fixed too.
+
+Fixes: CVE-2022-2601
+
+Reported-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit b1805f251b31a9d3cfae5c3572ddfa630145dbbf)
+(cherry picked from commit b91eb9bd6c724339b7d7bb4765b9d36f1ee88b84)
+(cherry picked from commit 1ebafd82dd19e522f0d753fd9828553fe8bcac78)
+---
+ grub-core/font/font.c | 29 +++++++++++++++++------------
+ 1 file changed, 17 insertions(+), 12 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index d6df79602d..129aaa3838 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1517,6 +1517,7 @@ grub_font_construct_glyph (grub_font_t hinted_font,
+ struct grub_video_signed_rect bounds;
+ static struct grub_font_glyph *glyph = 0;
+ static grub_size_t max_glyph_size = 0;
++ grub_size_t cur_glyph_size;
+
+ ensure_comb_space (glyph_id);
+
+@@ -1533,29 +1534,33 @@ grub_font_construct_glyph (grub_font_t hinted_font,
+ if (!glyph_id->ncomb && !glyph_id->attributes)
+ return main_glyph;
+
+- if (max_glyph_size < sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT)
++ if (grub_video_bitmap_calc_1bpp_bufsz (bounds.width, bounds.height, &cur_glyph_size) ||
++ grub_add (sizeof (*glyph), cur_glyph_size, &cur_glyph_size))
++ return main_glyph;
++
++ if (max_glyph_size < cur_glyph_size)
+ {
+ grub_free (glyph);
+- max_glyph_size = (sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2;
+- if (max_glyph_size < 8)
+- max_glyph_size = 8;
+- glyph = grub_malloc (max_glyph_size);
++ if (grub_mul (cur_glyph_size, 2, &max_glyph_size))
++ max_glyph_size = 0;
++ glyph = max_glyph_size > 0 ? grub_malloc (max_glyph_size) : NULL;
+ }
+ if (!glyph)
+ {
++ max_glyph_size = 0;
+ grub_errno = GRUB_ERR_NONE;
+ return main_glyph;
+ }
+
+- grub_memset (glyph, 0, sizeof (*glyph)
+- + (bounds.width * bounds.height
+- + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT);
++ grub_memset (glyph, 0, cur_glyph_size);
+
+ glyph->font = main_glyph->font;
+- glyph->width = bounds.width;
+- glyph->height = bounds.height;
+- glyph->offset_x = bounds.x;
+- glyph->offset_y = bounds.y;
++ if (bounds.width == 0 || bounds.height == 0 ||
++ grub_cast (bounds.width, &glyph->width) ||
++ grub_cast (bounds.height, &glyph->height) ||
++ grub_cast (bounds.x, &glyph->offset_x) ||
++ grub_cast (bounds.y, &glyph->offset_y))
++ return main_glyph;
+
+ if (glyph_id->attributes & GRUB_UNICODE_GLYPH_ATTRIBUTE_MIRROR)
+ grub_font_blit_glyph_mirror (glyph, main_glyph,
diff --git a/SOURCES/0490-font-Remove-grub_font_dup_glyph.patch b/SOURCES/0490-font-Remove-grub_font_dup_glyph.patch
new file mode 100644
index 0000000..2f9a33e
--- /dev/null
+++ b/SOURCES/0490-font-Remove-grub_font_dup_glyph.patch
@@ -0,0 +1,42 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 02:13:29 +0800
+Subject: [PATCH] font: Remove grub_font_dup_glyph()
+
+Remove grub_font_dup_glyph() since nobody is using it since 2013, and
+I'm too lazy to fix the integer overflow problem in it.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit 25ad31c19c331aaa2dbd9bd2b2e2655de5766a9d)
+(cherry picked from commit ad950e1e033318bb50222ed268a6dcfb97389035)
+(cherry picked from commit 71644fccc1d43309f0a379dcfe9341ec3bd9657d)
+---
+ grub-core/font/font.c | 14 --------------
+ 1 file changed, 14 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 129aaa3838..347e9dfa29 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1055,20 +1055,6 @@ grub_font_get_glyph_with_fallback (grub_font_t font, grub_uint32_t code)
+ return best_glyph;
+ }
+
+-#if 0
+-static struct grub_font_glyph *
+-grub_font_dup_glyph (struct grub_font_glyph *glyph)
+-{
+- static struct grub_font_glyph *ret;
+- ret = grub_malloc (sizeof (*ret) + (glyph->width * glyph->height + 7) / 8);
+- if (!ret)
+- return NULL;
+- grub_memcpy (ret, glyph, sizeof (*ret)
+- + (glyph->width * glyph->height + 7) / 8);
+- return ret;
+-}
+-#endif
+-
+ /* FIXME: suboptimal. */
+ static void
+ grub_font_blit_glyph (struct grub_font_glyph *target,
diff --git a/SOURCES/0491-font-Fix-integer-overflow-in-ensure_comb_space.patch b/SOURCES/0491-font-Fix-integer-overflow-in-ensure_comb_space.patch
new file mode 100644
index 0000000..baa2d74
--- /dev/null
+++ b/SOURCES/0491-font-Fix-integer-overflow-in-ensure_comb_space.patch
@@ -0,0 +1,48 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 02:27:05 +0800
+Subject: [PATCH] font: Fix integer overflow in ensure_comb_space()
+
+In fact it can't overflow at all because glyph_id->ncomb is only 8-bit
+wide. But let's keep safe if somebody changes the width of glyph_id->ncomb
+in the future. This patch also fixes the inconsistency between
+render_max_comb_glyphs and render_combining_glyphs when grub_malloc()
+returns NULL.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit b2740b7e4a03bb8331d48b54b119afea76bb9d5f)
+(cherry picked from commit f66ea1e60c347408e92b6695d5105c7e0f24d568)
+(cherry picked from commit 0e07159c24cdbb62a9d19fba8199065b049e03c7)
+---
+ grub-core/font/font.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 347e9dfa29..1367e44743 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1468,14 +1468,18 @@ ensure_comb_space (const struct grub_unicode_glyph *glyph_id)
+ if (glyph_id->ncomb <= render_max_comb_glyphs)
+ return;
+
+- render_max_comb_glyphs = 2 * glyph_id->ncomb;
+- if (render_max_comb_glyphs < 8)
++ if (grub_mul (glyph_id->ncomb, 2, &render_max_comb_glyphs))
++ render_max_comb_glyphs = 0;
++ if (render_max_comb_glyphs > 0 && render_max_comb_glyphs < 8)
+ render_max_comb_glyphs = 8;
+ grub_free (render_combining_glyphs);
+- render_combining_glyphs = grub_malloc (render_max_comb_glyphs
+- * sizeof (render_combining_glyphs[0]));
++ render_combining_glyphs = (render_max_comb_glyphs > 0) ?
++ grub_calloc (render_max_comb_glyphs, sizeof (render_combining_glyphs[0])) : NULL;
+ if (!render_combining_glyphs)
+- grub_errno = 0;
++ {
++ render_max_comb_glyphs = 0;
++ grub_errno = GRUB_ERR_NONE;
++ }
+ }
+
+ int
diff --git a/SOURCES/0492-font-Fix-integer-overflow-in-BMP-index.patch b/SOURCES/0492-font-Fix-integer-overflow-in-BMP-index.patch
new file mode 100644
index 0000000..c28337d
--- /dev/null
+++ b/SOURCES/0492-font-Fix-integer-overflow-in-BMP-index.patch
@@ -0,0 +1,65 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Mon, 15 Aug 2022 02:04:58 +0800
+Subject: [PATCH] font: Fix integer overflow in BMP index
+
+The BMP index (font->bmp_idx) is designed as a reverse lookup table of
+char entries (font->char_index), in order to speed up lookups for BMP
+chars (i.e. code < 0x10000). The values in BMP index are the subscripts
+of the corresponding char entries, stored in grub_uint16_t, while 0xffff
+means not found.
+
+This patch fixes the problem of large subscript truncated to grub_uint16_t,
+leading BMP index to return wrong char entry or report false miss. The
+code now checks for bounds and uses BMP index as a hint, and fallbacks
+to binary-search if necessary.
+
+On the occasion add a comment about BMP index is initialized to 0xffff.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit afda8b60ba0712abe01ae1e64c5f7a067a0e6492)
+(cherry picked from commit 6d90568929e11739b56f09ebbce9185ca9c23519)
+(cherry picked from commit b8c47c3dd6894b3135db861e3e563f661efad5c3)
+---
+ grub-core/font/font.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 1367e44743..059c23dff7 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -300,6 +300,8 @@ load_font_index (grub_file_t file, grub_uint32_t sect_length, struct
+ font->bmp_idx = grub_malloc (0x10000 * sizeof (grub_uint16_t));
+ if (!font->bmp_idx)
+ return 1;
++
++ /* Init the BMP index array to 0xffff. */
+ grub_memset (font->bmp_idx, 0xff, 0x10000 * sizeof (grub_uint16_t));
+
+
+@@ -328,7 +330,7 @@ load_font_index (grub_file_t file, grub_uint32_t sect_length, struct
+ return 1;
+ }
+
+- if (entry->code < 0x10000)
++ if (entry->code < 0x10000 && i < 0xffff)
+ font->bmp_idx[entry->code] = i;
+
+ last_code = entry->code;
+@@ -696,9 +698,12 @@ find_glyph (const grub_font_t font, grub_uint32_t code)
+ /* Use BMP index if possible. */
+ if (code < 0x10000 && font->bmp_idx)
+ {
+- if (font->bmp_idx[code] == 0xffff)
+- return 0;
+- return &table[font->bmp_idx[code]];
++ if (font->bmp_idx[code] < 0xffff)
++ return &table[font->bmp_idx[code]];
++ /*
++ * When we are here then lookup in BMP index result in miss,
++ * fallthough to binary-search.
++ */
+ }
+
+ /* Do a binary search in `char_index', which is ordered by code point. */
diff --git a/SOURCES/0493-font-Fix-integer-underflow-in-binary-search-of-char-.patch b/SOURCES/0493-font-Fix-integer-underflow-in-binary-search-of-char-.patch
new file mode 100644
index 0000000..31b66af
--- /dev/null
+++ b/SOURCES/0493-font-Fix-integer-underflow-in-binary-search-of-char-.patch
@@ -0,0 +1,85 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Sun, 14 Aug 2022 18:09:38 +0800
+Subject: [PATCH] font: Fix integer underflow in binary search of char index
+
+If search target is less than all entries in font->index then "hi"
+variable is set to -1, which translates to SIZE_MAX and leads to errors.
+
+This patch fixes the problem by replacing the entire binary search code
+with the libstdc++'s std::lower_bound() implementation.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit c140a086838e7c9af87842036f891b8393a8c4bc)
+(cherry picked from commit e110997335b1744464ea232d57a7d86e16ca8dee)
+(cherry picked from commit 403053a5116ae945f9515a82c37ff8cfb927362c)
+---
+ grub-core/font/font.c | 40 ++++++++++++++++++++++------------------
+ 1 file changed, 22 insertions(+), 18 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 059c23dff7..31786ab339 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -688,12 +688,12 @@ read_be_int16 (grub_file_t file, grub_int16_t * value)
+ static inline struct char_index_entry *
+ find_glyph (const grub_font_t font, grub_uint32_t code)
+ {
+- struct char_index_entry *table;
+- grub_size_t lo;
+- grub_size_t hi;
+- grub_size_t mid;
++ struct char_index_entry *table, *first, *end;
++ grub_size_t len;
+
+ table = font->char_index;
++ if (table == NULL)
++ return NULL;
+
+ /* Use BMP index if possible. */
+ if (code < 0x10000 && font->bmp_idx)
+@@ -706,25 +706,29 @@ find_glyph (const grub_font_t font, grub_uint32_t code)
+ */
+ }
+
+- /* Do a binary search in `char_index', which is ordered by code point. */
+- lo = 0;
+- hi = font->num_chars - 1;
++ /*
++ * Do a binary search in char_index which is ordered by code point.
++ * The code below is the same as libstdc++'s std::lower_bound().
++ */
++ first = table;
++ len = font->num_chars;
++ end = first + len;
+
+- if (!table)
+- return 0;
+-
+- while (lo <= hi)
++ while (len > 0)
+ {
+- mid = lo + (hi - lo) / 2;
+- if (code < table[mid].code)
+- hi = mid - 1;
+- else if (code > table[mid].code)
+- lo = mid + 1;
++ grub_size_t half = len >> 1;
++ struct char_index_entry *middle = first + half;
++
++ if (middle->code < code)
++ {
++ first = middle + 1;
++ len = len - half - 1;
++ }
+ else
+- return &table[mid];
++ len = half;
+ }
+
+- return 0;
++ return (first < end && first->code == code) ? first : NULL;
+ }
+
+ /* Get a glyph for the Unicode character CODE in FONT. The glyph is loaded
diff --git a/SOURCES/0494-fbutil-Fix-integer-overflow.patch b/SOURCES/0494-fbutil-Fix-integer-overflow.patch
new file mode 100644
index 0000000..8854410
--- /dev/null
+++ b/SOURCES/0494-fbutil-Fix-integer-overflow.patch
@@ -0,0 +1,85 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Tue, 6 Sep 2022 03:03:21 +0800
+Subject: [PATCH] fbutil: Fix integer overflow
+
+Expressions like u64 = u32 * u32 are unsafe because their products are
+truncated to u32 even if left hand side is u64. This patch fixes all
+problems like that one in fbutil.
+
+To get right result not only left hand side have to be u64 but it's also
+necessary to cast at least one of the operands of all leaf operators of
+right hand side to u64, e.g. u64 = u32 * u32 + u32 * u32 should be
+u64 = (u64)u32 * u32 + (u64)u32 * u32.
+
+For 1-bit bitmaps grub_uint64_t have to be used. It's safe because any
+combination of values in (grub_uint64_t)u32 * u32 + u32 expression will
+not overflow grub_uint64_t.
+
+Other expressions like ptr + u32 * u32 + u32 * u32 are also vulnerable.
+They should be ptr + (grub_addr_t)u32 * u32 + (grub_addr_t)u32 * u32.
+
+This patch also adds a comment to grub_video_fb_get_video_ptr() which
+says it's arguments must be valid and no sanity check is performed
+(like its siblings in grub-core/video/fb/fbutil.c).
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit 50a11a81bc842c58962244a2dc86bbd31a426e12)
+(cherry picked from commit 8fa75d647362c938c4cc302cf5945b31fb92c078)
+(cherry picked from commit 91005e39b3c8b6ca8dcc84ecb19ac9328966aaea)
+---
+ grub-core/video/fb/fbutil.c | 4 ++--
+ include/grub/fbutil.h | 13 +++++++++----
+ 2 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/grub-core/video/fb/fbutil.c b/grub-core/video/fb/fbutil.c
+index b98bb51fe8..25ef39f47d 100644
+--- a/grub-core/video/fb/fbutil.c
++++ b/grub-core/video/fb/fbutil.c
+@@ -67,7 +67,7 @@ get_pixel (struct grub_video_fbblit_info *source,
+ case 1:
+ if (source->mode_info->blit_format == GRUB_VIDEO_BLIT_FORMAT_1BIT_PACKED)
+ {
+- int bit_index = y * source->mode_info->width + x;
++ grub_uint64_t bit_index = (grub_uint64_t) y * source->mode_info->width + x;
+ grub_uint8_t *ptr = source->data + bit_index / 8;
+ int bit_pos = 7 - bit_index % 8;
+ color = (*ptr >> bit_pos) & 0x01;
+@@ -138,7 +138,7 @@ set_pixel (struct grub_video_fbblit_info *source,
+ case 1:
+ if (source->mode_info->blit_format == GRUB_VIDEO_BLIT_FORMAT_1BIT_PACKED)
+ {
+- int bit_index = y * source->mode_info->width + x;
++ grub_uint64_t bit_index = (grub_uint64_t) y * source->mode_info->width + x;
+ grub_uint8_t *ptr = source->data + bit_index / 8;
+ int bit_pos = 7 - bit_index % 8;
+ *ptr = (*ptr & ~(1 << bit_pos)) | ((color & 0x01) << bit_pos);
+diff --git a/include/grub/fbutil.h b/include/grub/fbutil.h
+index 4205eb917f..78a1ab3b45 100644
+--- a/include/grub/fbutil.h
++++ b/include/grub/fbutil.h
+@@ -31,14 +31,19 @@ struct grub_video_fbblit_info
+ grub_uint8_t *data;
+ };
+
+-/* Don't use for 1-bit bitmaps, addressing needs to be done at the bit level
+- and it doesn't make sense, in general, to ask for a pointer
+- to a particular pixel's data. */
++/*
++ * Don't use for 1-bit bitmaps, addressing needs to be done at the bit level
++ * and it doesn't make sense, in general, to ask for a pointer
++ * to a particular pixel's data.
++ *
++ * This function assumes that bounds checking has been done in previous phase
++ * and they are opted out in here.
++ */
+ static inline void *
+ grub_video_fb_get_video_ptr (struct grub_video_fbblit_info *source,
+ unsigned int x, unsigned int y)
+ {
+- return source->data + y * source->mode_info->pitch + x * source->mode_info->bytes_per_pixel;
++ return source->data + (grub_addr_t) y * source->mode_info->pitch + (grub_addr_t) x * source->mode_info->bytes_per_pixel;
+ }
+
+ /* Advance pointer by VAL bytes. If there is no unaligned access available,
diff --git a/SOURCES/0495-font-Fix-an-integer-underflow-in-blit_comb.patch b/SOURCES/0495-font-Fix-an-integer-underflow-in-blit_comb.patch
new file mode 100644
index 0000000..4658302
--- /dev/null
+++ b/SOURCES/0495-font-Fix-an-integer-underflow-in-blit_comb.patch
@@ -0,0 +1,91 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Mon, 24 Oct 2022 08:05:35 +0800
+Subject: [PATCH] font: Fix an integer underflow in blit_comb()
+
+The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
+evaluate to a very big invalid value even if both ctx.bounds.height and
+combining_glyphs[i]->height are small integers. For example, if
+ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
+expression evaluates to 2147483647 (expected -1). This is because
+coordinates are allowed to be negative but ctx.bounds.height is an
+unsigned int. So, the subtraction operates on unsigned ints and
+underflows to a very big value. The division makes things even worse.
+The quotient is still an invalid value even if converted back to int.
+
+This patch fixes the problem by casting ctx.bounds.height to int. As
+a result the subtraction will operate on int and grub_uint16_t which
+will be promoted to an int. So, the underflow will no longer happen. Other
+uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
+to ensure coordinates are always calculated on signed integers.
+
+Fixes: CVE-2022-3775
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit 6d2668dea3774ed74c4cd1eadd146f1b846bc3d4)
+(cherry picked from commit 05e532fb707bbf79aa4e1efbde4d208d7da89d6b)
+(cherry picked from commit 0b2592fbb245d53c5c42885d695ece03ddb0eb12)
+---
+ grub-core/font/font.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 049d7fe0bd49..eca7c4748ce6 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1202,12 +1202,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ ctx.bounds.height = main_glyph->height;
+
+ above_rightx = main_glyph->offset_x + main_glyph->width;
+- above_righty = ctx.bounds.y + ctx.bounds.height;
++ above_righty = ctx.bounds.y + (int) ctx.bounds.height;
+
+ above_leftx = main_glyph->offset_x;
+- above_lefty = ctx.bounds.y + ctx.bounds.height;
++ above_lefty = ctx.bounds.y + (int) ctx.bounds.height;
+
+- below_rightx = ctx.bounds.x + ctx.bounds.width;
++ below_rightx = ctx.bounds.x + (int) ctx.bounds.width;
+ below_righty = ctx.bounds.y;
+
+ comb = grub_unicode_get_comb (glyph_id);
+@@ -1220,7 +1220,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+
+ if (!combining_glyphs[i])
+ continue;
+- targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
++ targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
+ /* CGJ is to avoid diacritics reordering. */
+ if (comb[i].code
+ == GRUB_UNICODE_COMBINING_GRAPHEME_JOINER)
+@@ -1230,8 +1230,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ case GRUB_UNICODE_COMB_OVERLAY:
+ do_blit (combining_glyphs[i],
+ targetx,
+- (ctx.bounds.height - combining_glyphs[i]->height) / 2
+- - (ctx.bounds.height + ctx.bounds.y), &ctx);
++ ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2
++ - ((int) ctx.bounds.height + ctx.bounds.y), &ctx);
+ if (min_devwidth < combining_glyphs[i]->width)
+ min_devwidth = combining_glyphs[i]->width;
+ break;
+@@ -1304,7 +1304,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+
+ case GRUB_UNICODE_STACK_ATTACHED_ABOVE:
+ do_blit (combining_glyphs[i], targetx,
+- -(ctx.bounds.height + ctx.bounds.y + space
++ -((int) ctx.bounds.height + ctx.bounds.y + space
+ + combining_glyphs[i]->height), &ctx);
+ if (min_devwidth < combining_glyphs[i]->width)
+ min_devwidth = combining_glyphs[i]->width;
+@@ -1312,7 +1312,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+
+ case GRUB_UNICODE_COMB_HEBREW_DAGESH:
+ do_blit (combining_glyphs[i], targetx,
+- -(ctx.bounds.height / 2 + ctx.bounds.y
++ -((int) ctx.bounds.height / 2 + ctx.bounds.y
+ + combining_glyphs[i]->height / 2), &ctx);
+ if (min_devwidth < combining_glyphs[i]->width)
+ min_devwidth = combining_glyphs[i]->width;
diff --git a/SOURCES/0496-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch b/SOURCES/0496-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch
new file mode 100644
index 0000000..87b8e33
--- /dev/null
+++ b/SOURCES/0496-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch
@@ -0,0 +1,75 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Mon, 24 Oct 2022 07:15:41 +0800
+Subject: [PATCH] font: Harden grub_font_blit_glyph() and
+ grub_font_blit_glyph_mirror()
+
+As a mitigation and hardening measure add sanity checks to
+grub_font_blit_glyph() and grub_font_blit_glyph_mirror(). This patch
+makes these two functions do nothing if target blitting area isn't fully
+contained in target bitmap. Therefore, if complex calculations in caller
+overflows and malicious coordinates are given, we are still safe because
+any coordinates which result in out-of-bound-write are rejected. However,
+this patch only checks for invalid coordinates, and doesn't provide any
+protection against invalid source glyph or destination glyph, e.g.
+mismatch between glyph size and buffer size.
+
+This hardening measure is designed to mitigate possible overflows in
+blit_comb(). If overflow occurs, it may return invalid bounding box
+during dry run and call grub_font_blit_glyph() with malicious
+coordinates during actual blitting. However, we are still safe because
+the scratch glyph itself is valid, although its size makes no sense, and
+any invalid coordinates are rejected.
+
+It would be better to call grub_fatal() if illegal parameter is detected.
+However, doing this may end up in a dangerous recursion because grub_fatal()
+would print messages to the screen and we are in the progress of drawing
+characters on the screen.
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit fcd7aa0c278f7cf3fb9f93f1a3966e1792339eb6)
+(cherry picked from commit 1d37ec63a1c76a14fdf70f548eada92667b42ddb)
+(cherry picked from commit 686c72ea0a841343b7d8ab64e815751aa36e24b5)
+---
+ grub-core/font/font.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index fc9d92fce4..cfa4bd5096 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1069,8 +1069,15 @@ static void
+ grub_font_blit_glyph (struct grub_font_glyph *target,
+ struct grub_font_glyph *src, unsigned dx, unsigned dy)
+ {
++ grub_uint16_t max_x, max_y;
+ unsigned src_bit, tgt_bit, src_byte, tgt_byte;
+ unsigned i, j;
++
++ /* Harden against out-of-bound writes. */
++ if ((grub_add (dx, src->width, &max_x) || max_x > target->width) ||
++ (grub_add (dy, src->height, &max_y) || max_y > target->height))
++ return;
++
+ for (i = 0; i < src->height; i++)
+ {
+ src_bit = (src->width * i) % 8;
+@@ -1102,9 +1109,16 @@ grub_font_blit_glyph_mirror (struct grub_font_glyph *target,
+ struct grub_font_glyph *src,
+ unsigned dx, unsigned dy)
+ {
++ grub_uint16_t max_x, max_y;
+ unsigned tgt_bit, src_byte, tgt_byte;
+ signed src_bit;
+ unsigned i, j;
++
++ /* Harden against out-of-bound writes. */
++ if ((grub_add (dx, src->width, &max_x) || max_x > target->width) ||
++ (grub_add (dy, src->height, &max_y) || max_y > target->height))
++ return;
++
+ for (i = 0; i < src->height; i++)
+ {
+ src_bit = (src->width * i + src->width - 1) % 8;
diff --git a/SOURCES/0497-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch b/SOURCES/0497-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
new file mode 100644
index 0000000..981d5df
--- /dev/null
+++ b/SOURCES/0497-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 28 Oct 2022 17:29:16 +0800
+Subject: [PATCH] font: Assign null_font to glyphs in ascii_font_glyph[]
+
+The calculations in blit_comb() need information from glyph's font, e.g.
+grub_font_get_xheight(main_glyph->font). However, main_glyph->font is
+NULL if main_glyph comes from ascii_font_glyph[]. Therefore
+grub_font_get_*() crashes because of NULL pointer.
+
+There is already a solution, the null_font. So, assign it to those glyphs
+in ascii_font_glyph[].
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit dd539d695482069d28b40f2d3821f710cdcf6ee6)
+(cherry picked from commit 87526376857eaceae474c9797e3cee5b50597332)
+(cherry picked from commit b4807bbb09d9adf82fe9ae12a3af1c852dc4e32d)
+---
+ grub-core/font/font.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index cfa4bd5096..30cd1fe07f 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -137,7 +137,7 @@ ascii_glyph_lookup (grub_uint32_t code)
+ ascii_font_glyph[current]->offset_x = 0;
+ ascii_font_glyph[current]->offset_y = -2;
+ ascii_font_glyph[current]->device_width = 8;
+- ascii_font_glyph[current]->font = NULL;
++ ascii_font_glyph[current]->font = &null_font;
+
+ grub_memcpy (ascii_font_glyph[current]->bitmap,
+ &ascii_bitmaps[current * ASCII_BITMAP_SIZE],
diff --git a/SOURCES/0498-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch b/SOURCES/0498-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch
new file mode 100644
index 0000000..283d560
--- /dev/null
+++ b/SOURCES/0498-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch
@@ -0,0 +1,55 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 28 Oct 2022 21:31:39 +0800
+Subject: [PATCH] normal/charset: Fix an integer overflow in
+ grub_unicode_aglomerate_comb()
+
+The out->ncomb is a bit-field of 8 bits. So, the max possible value is 255.
+However, code in grub_unicode_aglomerate_comb() doesn't check for an
+overflow when incrementing out->ncomb. If out->ncomb is already 255,
+after incrementing it will get 0 instead of 256, and cause illegal
+memory access in subsequent processing.
+
+This patch introduces GRUB_UNICODE_NCOMB_MAX to represent the max
+acceptable value of ncomb. The code now checks for this limit and
+ignores additional combining characters when limit is reached.
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit da90d62316a3b105d2fbd7334d6521936bd6dcf6)
+(cherry picked from commit 26fafec86000b5322837722a115279ef03922ca6)
+(cherry picked from commit 872fba1c44dee2ab5cb36b2c7a883847f91ed907)
+---
+ grub-core/normal/charset.c | 3 +++
+ include/grub/unicode.h | 2 ++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c
+index 7b2de12001..4849cf06f7 100644
+--- a/grub-core/normal/charset.c
++++ b/grub-core/normal/charset.c
+@@ -472,6 +472,9 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
+ if (!haveout)
+ continue;
+
++ if (out->ncomb == GRUB_UNICODE_NCOMB_MAX)
++ continue;
++
+ if (comb_type == GRUB_UNICODE_COMB_MC
+ || comb_type == GRUB_UNICODE_COMB_ME
+ || comb_type == GRUB_UNICODE_COMB_MN)
+diff --git a/include/grub/unicode.h b/include/grub/unicode.h
+index 4de986a857..c4f6fca043 100644
+--- a/include/grub/unicode.h
++++ b/include/grub/unicode.h
+@@ -147,7 +147,9 @@ struct grub_unicode_glyph
+ grub_uint8_t bidi_level:6; /* minimum: 6 */
+ enum grub_bidi_type bidi_type:5; /* minimum: :5 */
+
++#define GRUB_UNICODE_NCOMB_MAX ((1 << 8) - 1)
+ unsigned ncomb:8;
++
+ /* Hint by unicode subsystem how wide this character usually is.
+ Real width is determined by font. Set only in UTF-8 stream. */
+ int estimated_width:8;
diff --git a/SOURCES/0499-safemath-add-grub_cast-for-gcc-5.1.patch b/SOURCES/0499-safemath-add-grub_cast-for-gcc-5.1.patch
new file mode 100644
index 0000000..f8b7a4c
--- /dev/null
+++ b/SOURCES/0499-safemath-add-grub_cast-for-gcc-5.1.patch
@@ -0,0 +1,23 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nicolas Frayer <nfrayer@redhat.com>
+Date: Wed, 31 Jan 2024 15:36:09 +0100
+Subject: [PATCH] safemath: add grub_cast for gcc < 5.1
+
+Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
+---
+ include/grub/safemath.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/grub/safemath.h b/include/grub/safemath.h
+index 30800ad6a141..f7392469739f 100644
+--- a/include/grub/safemath.h
++++ b/include/grub/safemath.h
+@@ -151,6 +151,8 @@
+ __signed_mul_overflow(a, b, d), \
+ __unsigned_mul_overflow(a, b, d))
+
++#define grub_cast(a, res) grub_add ((a), 0, (res))
++
+ #endif
+
+ #endif /* GRUB_SAFEMATH_H */
diff --git a/SOURCES/centos-ca-secureboot.der b/SOURCES/centos-ca-secureboot.der
deleted file mode 100644
index 44a2563..0000000
Binary files a/SOURCES/centos-ca-secureboot.der and /dev/null differ
diff --git a/SOURCES/centossecureboot001.crt b/SOURCES/centossecureboot001.crt
deleted file mode 100644
index 294b05f..0000000
--- a/SOURCES/centossecureboot001.crt
+++ /dev/null
@@ -1,425 +0,0 @@
-
-<!DOCTYPE html>
-<html lang='en'>
-<head>
- <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
- <title>Tree - rpms/kernel - CentOS Git server</title>
- <link rel="shortcut icon" type="image/vnd.microsoft.icon"
-href="/theme/static/favicon.ico"/>
-<link rel="stylesheet" href="/static/vendor/bootstrap/bootstrap.min.css" />
-<link href="/theme/static/theme.css" rel="stylesheet" type="text/css" />
-
- <link type="text/css" rel="stylesheet" nonce="zU2361P7dte9FXpc7MWuyPXgo" href="/static/vendor/font-awesome/font-awesome.css?version=5.8.1"/>
- <link type="text/css" rel="stylesheet" nonce="zU2361P7dte9FXpc7MWuyPXgo" href="/static/pagure.css?version=5.8.1"/>
-<link nonce="zU2361P7dte9FXpc7MWuyPXgo" rel="stylesheet" href="/static/vendor/highlight.js/styles/github.css?version=5.8.1"/>
-<link nonce="zU2361P7dte9FXpc7MWuyPXgo" rel="stylesheet" href="/static/vendor/highlightjs-line-numbers/highlightjs-line-numbers.min.css?version=5.8.1"/>
-<style nonce="zU2361P7dte9FXpc7MWuyPXgo">
- .hljs {
- background: #fff;
- }
-</style>
- </head>
- <body id="home">
-
- <!-- start masthead -->
- <nav class="navbar navbar-dark bg-dark p-0 navbar-expand">
- <div class="container">
- <a href="/" class="navbar-brand">
- <img height=40px src="/theme/static/pagure-logo.png?version=5.8.1"
- alt="pagure Logo" id="pagureLogo"/>
- </a>
- <ul class="navbar-nav ml-auto">
- <li class="nav-item">
- <a class="btn btn-primary" href="/login/?next=https://git.centos.org/rpms/kernel/blob/ed0e597ee2d605d93e246185acb1e5cf68f72f5e/f/SOURCES/centossecureboot001.crt">Log In</a>
- </li>
- </ul>
- </div>
- </nav>
- <!-- close masthead-->
-
- <div class="bodycontent">
-
-
-<div class="bg-light border border-bottom pt-3">
- <div class="container">
- <div class="row mb-3">
- <div class="col-6">
- <div class="row">
- <div class="col-auto pr-0">
- <h3>
-<i class="fa fa-calendar-o fa-rotate-270 text-muted"></i></h3>
- </div>
- <div class="col-auto pl-2">
- <h3 class="mb-0">
-<a href="/projects/rpms/%2A">rpms</a> / <a href="/rpms/kernel"><strong>kernel</strong></a>
- </h3>
- </div>
- </div>
- </div>
- <div class="col-6 text-right">
- <div class="btn-group">
- <div class="btn-group">
- <a href="#"
- class="btn btn-sm dropdown-toggle btn-outline-primary"
- data-toggle="dropdown" id="watch-button">
- <i class="fa fa-clone fa-fw"></i>
- <span>Clone</span>
- </a>
- <div class="dropdown-menu dropdown-menu-right">
- <div class="m-3" id="source-dropdown" class="pointer">
- <div>
- <h5><strong>Source Code</strong></h5>
-
- <div class="form-group">
- <div class="input-group input-group-sm">
- <div class="input-group-prepend"><span class="input-group-text">GIT</span></div>
- <input class="form-control bg-white select-on-focus" type="text" value="https://git.centos.org/rpms/kernel.git" readonly>
- </div>
- </div>
- </div>
- </div>
- </div>
-
- </div>
- </div>
- </div>
-</div>
-
-<ul class="nav nav-tabs nav-small border-bottom-0">
- <li class="nav-item mr-2 text-dark">
- <a class="nav-link active" href="/rpms/kernel">
- <i class="fa fa-code fa-fw text-muted"></i>
- <span class="d-none d-md-inline">Source</span>
- </a>
- </li>
-
- <li class="nav-item mr-2 text-dark">
- <a class="nav-link" href="/rpms/kernel/issues">
- <i class="fa fa-fw text-muted fa-exclamation-circle"></i>
- <span class="d-none d-md-inline">Issues </span>
- <span class="badge badge-secondary py-0 d-none d-md-inline">
- 0
- </span>
- </a>
- </li>
-
- <li class="nav-item mr-2 text-dark">
- <a class="nav-link" href="/rpms/kernel/pull-requests">
- <i class="fa fa-fw text-muted fa-arrow-circle-down"></i>
- <span class="d-none d-md-inline">Pull Requests </span>
- <span class="badge badge-secondary py-0 d-none d-md-inline">
- 0
- </span>
- </a>
- </li>
-
-
- <li class="nav-item mr-2 text-dark">
- <a class="nav-link" href="/rpms/kernel/stats">
- <i class="fa fa-line-chart fa-fw text-muted"></i>
- <span class="d-none d-md-inline">Stats</span>
- </a>
- </li>
-
-
-</ul>
- </div>
-</div>
-
-<div class="container pt-5 repo-body-container">
- <div class="row">
- <div class="col-2">
-<nav class="nav nav-tabs nav-sidetabs flex-column">
- <a class=
- "nav-link nowrap
-"
- href="/rpms/kernel">
- <i class="fa fa-home text-muted fa-fw"></i> <span class="d-none d-md-inline">Overview</span>
- </a>
- <a class=
- "nav-link nowrap
- active"
- href="/rpms/kernel/tree/ed0e597ee2d605d93e246185acb1e5cf68f72f5e">
- <i class="fa fa-file-code-o text-muted fa-fw"></i> Files
- </a>
- <a class=
- "nav-link nowrap
-"
- href="/rpms/kernel/commits/ed0e597ee2d605d93e246185acb1e5cf68f72f5e">
- <i class="fa fa-list-alt text-muted fa-fw" data-glyph="spreadsheet"></i> Commits
- </a>
- <a class=
- "nav-link nowrap
-"
- href="/rpms/kernel/branches?branchname=ed0e597ee2d605d93e246185acb1e5cf68f72f5e">
- <i class="fa fa-random text-muted fa-fw"></i> Branches
- </a>
- <a class=
- "nav-link nowrap
-"
- href="/rpms/kernel/forks">
- <i class="fa fa-code-fork text-muted fa-fw"></i> Forks
- </a>
- <a class=
- "nav-link nowrap
-"
- href="/rpms/kernel/releases">
- <i class="fa fa-tags text-muted fa-fw"></i> Releases
- </a>
-</nav> </div>
- <div class="col-10">
- <div class="row mb-1">
- <div class="col-sm-6">
- <h3>
- Files
- </h3>
- </div>
-
- <div class="col-sm-6">
- <div class="float-right">
- <a href="#" class="btn btn-outline-light border-secondary text-dark btn-sm"
- aria-haspopup="true" aria-expanded="false">
- Commit: <span class="font-weight-bold">ed0e597ee2d605d93e246185acb1e5cf68f72f5e</span>
- </a>
- </div>
- </div>
- </div>
- <div class="card mb-3">
- <div class="card-header">
- <ol class="breadcrumb p-0 bg-transparent mb-0">
- <li class="breadcrumb-item">
- <a href="/rpms/kernel/tree/ed0e597ee2d605d93e246185acb1e5cf68f72f5e">
- <span class="fa fa-random">
- </span> ed0e597ee2d605d93e246185acb1e5cf68f72f5e
- </a>
- </li>
-<li class="breadcrumb-item"><a href="/rpms/kernel/blob/ed0e597ee2d605d93e246185acb1e5cf68f72f5e/f/SOURCES">
- <span class="fa fa-folder"></span> SOURCES</a>
- </li>
- <li class="active breadcrumb-item">
- <span class="fa fa-file" data-glyph="">
- </span> centossecureboot001.crt
- </li>
- </ol>
- </div>
-
- <div class="card-body p-0">
- <div class="bg-light border text-right pr-2">
- <form class="btn btn-sm" method="POST" name="fork_project"
- action="/fork_edit/rpms/kernel/edit/ed0e597ee2d605d93e246185acb1e5cf68f72f5e/f/SOURCES/centossecureboot001.crt">
- <button class="btn btn-sm btn-secondary fork_project_btn">
- Fork and Edit
- </button>
-
- </form>
-
- <a class="btn btn-secondary btn-sm" href="/rpms/kernel/blob/ed0e597ee2d605d93e246185acb1e5cf68f72f5e/f/SOURCES/centossecureboot001.crt" title="View as blob">Blob</a>
-
- <a class="btn btn-secondary btn-sm" href="/rpms/kernel/blame/SOURCES/centossecureboot001.crt?identifier=ed0e597ee2d605d93e246185acb1e5cf68f72f5e" title="View git blame">Blame</a>
-
- <a class="btn btn-secondary btn-sm" href="/rpms/kernel/raw/ed0e597ee2d605d93e246185acb1e5cf68f72f5e/f/SOURCES/centossecureboot001.crt" title="View as raw">Raw</a>
- </div>
-
- <pre class="syntaxhighlightblock"><code class="">Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number:
- b6:16:15:71:72:fb:31:7e
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: CN=CentOS Secure Boot (CA key 1)/emailAddress=security@centos.org
- Validity
- Not Before: Aug 1 11:47:30 2018 GMT
- Not After : Dec 31 11:47:30 2037 GMT
- Subject: CN=CentOS Secure Boot (key 1)/emailAddress=security@centos.org
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (2048 bit)
- Modulus (2048 bit):
- 00:c1:a3:6a:f4:2d:71:83:6c:21:ca:0c:b7:ac:fa:
- 76:80:43:03:40:87:5d:de:e9:1e:df:ad:e7:2b:51:
- cb:f8:31:0f:9a:db:ab:23:25:04:11:05:57:7d:f2:
- 4b:8d:1e:b3:75:78:1d:b9:57:8b:18:0b:bb:7e:e3:
- 24:0f:6a:40:5f:2b:4f:03:a5:85:94:d2:f9:08:a0:
- bc:db:a5:ea:4f:7f:e8:7c:d1:a9:f8:f0:9c:25:18:
- 00:14:c4:c4:35:7d:1d:4c:8a:8d:95:f8:ed:65:97:
- a5:a4:da:7d:cb:f0:33:3b:b7:03:94:68:47:05:57:
- 6c:96:91:ac:14:f2:e3:f6:6d:4a:18:cf:68:8a:35:
- 6f:8e:26:99:7f:db:c9:83:54:c2:c3:bf:ad:45:a0:
- aa:a0:86:5f:20:b1:86:1b:ae:b7:28:15:11:f9:65:
- 53:5d:70:33:9b:a3:c7:b5:c8:11:ff:55:3b:e7:46:
- f1:6c:6b:8c:bb:f2:9f:36:23:b1:2d:23:2f:8f:4f:
- 6c:a8:cc:ae:f5:56:9e:22:6c:0e:9a:4a:b1:bd:b2:
- 76:15:5c:05:85:b8:5e:dc:8c:a5:c3:e0:75:51:a4:
- 94:9b:03:2e:7b:f8:d3:b9:dd:7f:88:ce:2e:2f:28:
- 4c:b4:92:2f:e6:e0:67:0a:d0:ff:c5:d2:79:a6:ef:
- 94:0f
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints: critical
- CA:FALSE
- X509v3 Key Usage:
- Digital Signature
- X509v3 Subject Key Identifier:
- F0:37:C6:EA:EC:36:D4:05:7A:52:6C:0E:C6:D5:A9:5B:32:4E:E1:29
- X509v3 Authority Key Identifier:
- keyid:54:EC:81:85:89:3E:E9:1A:DB:08:F7:44:88:54:7E:8E:3F:74:3A:F3
-
- Signature Algorithm: sha256WithRSAEncryption
- 97:97:ba:a6:0b:5b:bb:84:39:2e:ef:8b:51:9a:89:bb:65:3c:
- dc:15:d0:5a:88:c5:af:ce:93:f5:c1:74:98:15:59:a9:38:da:
- 11:fd:46:d5:4f:23:7c:03:1f:ae:0c:70:93:94:a7:61:2f:4b:
- 2f:5f:bb:cc:8a:d7:4a:24:66:73:85:b4:19:13:fc:6a:61:4a:
- 28:1f:a2:38:f4:72:90:03:c4:3e:64:63:8b:fb:15:22:22:4e:
- b9:43:d9:b4:3d:3a:60:c1:4d:3a:09:85:68:7a:bc:3b:f9:ef:
- f3:f5:e9:c9:4f:80:8c:c6:e9:cb:ef:28:44:b0:5d:d4:9e:4f:
- 0f:02:9a:65:aa:98:35:b4:6f:d2:80:e3:08:ef:12:d0:17:56:
- a6:a1:42:1e:1d:ab:e5:33:c0:fd:88:0d:40:42:81:c8:27:30:
- 17:07:57:3e:05:9d:aa:05:0e:5b:3a:79:b4:29:aa:7c:42:5a:
- ad:43:59:fb:34:4d:dc:62:58:63:e4:fb:de:bb:fd:6c:4e:97:
- 58:f4:b9:99:4a:71:fe:7f:16:50:55:25:46:39:96:9b:88:6c:
- 75:19:33:9e:70:b3:04:82:fe:16:a8:8e:22:47:83:6d:16:77:
- da:26:ad:31:d8:06:6d:c5:7e:46:4b:21:ab:ae:ec:2a:93:71:
- da:7f:89:1d
------BEGIN CERTIFICATE-----
-MIIDdTCCAl2gAwIBAgIJALYWFXFy+zF+MA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV
-BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB
-FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE4MDgwMTExNDczMFoXDTM3MTIzMTEx
-NDczMFowSTEjMCEGA1UEAxMaQ2VudE9TIFNlY3VyZSBCb290IChrZXkgMSkxIjAg
-BgkqhkiG9w0BCQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDBo2r0LXGDbCHKDLes+naAQwNAh13e6R7frecrUcv4
-MQ+a26sjJQQRBVd98kuNHrN1eB25V4sYC7t+4yQPakBfK08DpYWU0vkIoLzbpepP
-f+h80an48JwlGAAUxMQ1fR1Mio2V+O1ll6Wk2n3L8DM7twOUaEcFV2yWkawU8uP2
-bUoYz2iKNW+OJpl/28mDVMLDv61FoKqghl8gsYYbrrcoFRH5ZVNdcDObo8e1yBH/
-VTvnRvFsa4y78p82I7EtIy+PT2yozK71Vp4ibA6aSrG9snYVXAWFuF7cjKXD4HVR
-pJSbAy57+NO53X+Izi4vKEy0ki/m4GcK0P/F0nmm75QPAgMBAAGjXTBbMAwGA1Ud
-EwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBTwN8bq7DbUBXpSbA7G1alb
-Mk7hKTAfBgNVHSMEGDAWgBRU7IGFiT7pGtsI90SIVH6OP3Q68zANBgkqhkiG9w0B
-AQsFAAOCAQEAl5e6pgtbu4Q5Lu+LUZqJu2U83BXQWojFr86T9cF0mBVZqTjaEf1G
-1U8jfAMfrgxwk5SnYS9LL1+7zIrXSiRmc4W0GRP8amFKKB+iOPRykAPEPmRji/sV
-IiJOuUPZtD06YMFNOgmFaHq8O/nv8/XpyU+AjMbpy+8oRLBd1J5PDwKaZaqYNbRv
-0oDjCO8S0BdWpqFCHh2r5TPA/YgNQEKByCcwFwdXPgWdqgUOWzp5tCmqfEJarUNZ
-+zRN3GJYY+T73rv9bE6XWPS5mUpx/n8WUFUlRjmWm4hsdRkznnCzBIL+FqiOIkeD
-bRZ32iatMdgGbcV+Rkshq67sKpNx2n+JHQ==
------END CERTIFICATE-----
-</code></pre>
- </div>
- </div> <!-- end .card-->
-
-</div>
-</div>
-</div>
- </div>
-
- <div class="footer py-3 bg-light border-top text-center">
- <div class="container">
- <p class="text-muted credit">
- Powered by
- <a href="https://pagure.io/pagure">Pagure</a>
- 5.8.1
- </p>
- <p><a href="/ssh_info">SSH Hostkey/Fingerprint</a> | <a href="https://docs.pagure.org/pagure/usage/index.html">Documentation</a></p>
- </div>
- </div>
-
-
- <script type="text/javascript" nonce="zU2361P7dte9FXpc7MWuyPXgo" src="/static/vendor/jquery/jquery.min.js?version=5.8.1"></script>
-
- <script src="/static/vendor/bootstrap/bootstrap.bundle.min.js"></script>
-
- <script type="text/javascript" nonce="zU2361P7dte9FXpc7MWuyPXgo">
- $('[data-toggle="tooltip"]').tooltip({placement : 'bottom'});
- $(".cancel_btn").click(function() {
- history.back();
- });
- </script>
-
-<script type="text/javascript" nonce="zU2361P7dte9FXpc7MWuyPXgo" src="/static/vendor/lazyload/lazyload.min.js?version=5.8.1"></script>
-
-<script type="text/javascript" nonce="zU2361P7dte9FXpc7MWuyPXgo">
-window.addEventListener("load", function(event) {
- lazyload();
-});
-</script>
-
-<script type="text/javascript" nonce="zU2361P7dte9FXpc7MWuyPXgo">
-$("#giturl-toggle").on('click', function(event){
- event.stopPropagation();
- $("#giturl-more").toggle();
- $("#giturl-toggle").hide();
-})
-
-$(".fork_project_btn").click(function() {
- $('#fork_project').submit();
-});
-
-$(".select-on-focus").on("focus", function() {
- $(this).select();
-});
-
-</script>
-
-<script type="text/javascript" nonce="zU2361P7dte9FXpc7MWuyPXgo" src="/static/vendor/highlight.js/highlight.pack.js?version=5.8.1"></script>
-<script type="text/javascript" nonce="zU2361P7dte9FXpc7MWuyPXgo" src="/static/vendor/highlightjs-line-numbers/highlightjs-line-numbers.min.js?version=5.8.1"></script>
-<script type="text/javascript" nonce="zU2361P7dte9FXpc7MWuyPXgo" src="/static/vendor/highlight.js/spec.js?version=5.8.1"></script>
-
-<script type="text/javascript" nonce="zU2361P7dte9FXpc7MWuyPXgo">
- $(document).ready(function() {
- $('.fork_project_btn').click($("[name=fork_project]").submit);
-
- $('pre.syntaxhighlightblock code').each(function(i, block) {
- hljs.highlightBlock(block);
- hljs.lineNumbersBlock(block);
- });
-
- var cls = "highlighted-line";
- var lines = location.hash.substr(2).split('-').map(function (x) { return parseInt(x, 10) });
- if (! isNaN(lines[0]))
- {
- for (var i = lines[lines.length - 1]; i >= lines[0]; i--) {
- $('#_' + i).parent().parent().addClass(cls);
- }
- setTimeout(function(){
- $("#_" + lines[0]).get(0).scrollIntoView({behavior: "instant", block: "start", inline: "nearest"});
- }, 50);
- }
-});
-</script>
-
-<script type="text/javascript" nonce="zU2361P7dte9FXpc7MWuyPXgo">
-
- function updateHighlight() {
- var cls = "highlighted-line";
- $('.' + cls).removeClass(cls)
- if (location.hash !== '') {
- var lines = location.hash.substr(2).split('-').map(function (x) { return parseInt(x, 10) });
- for (var i = lines[lines.length - 1]; i >= lines[0]; i--) {
- $('[data-line-number=' + i + ']').closest('tr').addClass(cls);
- }
- return lines;
- }
- return [];
- }
- $(window).on('hashchange', updateHighlight);
- var selected = [];
- $("[data-line-number]").click(function (ev) {
- var line = $(this).attr('data-line-number');
- if (ev.shiftKey) {
- selected = selected.slice(-1).concat(line);
- } else {
- selected = [line];
- }
-
- var hash = '_' + selected[0];
- if (selected.length === 2) {
- hash = '_' + Math.min(selected[0], selected[1]) + '-' + Math.max(selected[0], selected[1]);
- }
- window.location.hash = hash;
- return false;
- });
-
-</script>
-
-
-
-</body>
-</html>
\ No newline at end of file
diff --git a/SOURCES/centossecureboot202.crt b/SOURCES/centossecureboot202.crt
deleted file mode 100644
index fba3730..0000000
--- a/SOURCES/centossecureboot202.crt
+++ /dev/null
@@ -1,84 +0,0 @@
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number:
- 93:c2:04:d8:bd:77:6b:12
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: CN=CentOS Secure Boot CA 2/emailAddress=security@centos.org
- Validity
- Not Before: Jun 9 10:37:54 2020 GMT
- Not After : Jan 18 10:37:54 2038 GMT
- Subject: CN=CentOS Secure Boot Signing 202/emailAddress=security@centos.org
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- Public-Key: (2048 bit)
- Modulus:
- 00:d4:f0:32:4d:50:7a:c0:41:d6:61:68:59:5e:5b:
- ce:65:e3:e9:7b:01:e4:53:94:c9:b7:c1:6b:b7:12:
- 0b:bc:8f:d7:17:1b:c1:77:3a:08:17:ba:23:f1:bd:
- 98:f0:7c:cb:96:70:2e:0e:2e:96:66:b7:9f:29:12:
- 6f:ee:30:33:a1:a5:ee:f9:4b:a3:fb:52:45:d8:7e:
- c2:e8:a9:20:a9:f2:2e:f4:44:b7:85:3f:34:7c:c0:
- 73:1d:73:63:2f:11:a0:7d:df:e7:5a:20:b9:b9:ff:
- 5d:0e:6d:90:86:1f:2e:fa:c7:b5:94:37:80:46:0d:
- fb:5f:f8:26:f4:ce:2f:0d:5b:bf:e5:8d:a5:12:d7:
- ba:cf:16:f2:5c:10:ae:a0:80:a8:dc:c4:6b:00:24:
- f4:4b:f0:01:82:7e:4b:1c:b6:d6:ac:e1:72:32:07:
- 5d:48:4a:cd:ba:5c:9c:09:72:89:b2:2e:60:f7:b7:
- ed:ea:b6:0d:ae:63:f8:09:a1:8f:62:ee:09:d2:cb:
- 0a:81:df:7c:72:4b:bf:bd:fb:59:24:84:1f:1d:ce:
- 36:bc:4c:13:84:ca:c5:e0:81:bb:ec:61:8f:9f:78:
- 88:43:8d:e0:16:b2:ab:90:14:23:29:ce:1d:e7:a1:
- bb:4a:93:f9:f8:8d:b8:ff:2f:30:74:66:b2:31:89:
- b1:7d
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints: critical
- CA:FALSE
- X509v3 Key Usage: critical
- Digital Signature
- X509v3 Extended Key Usage: critical
- Code Signing
- X509v3 Subject Key Identifier:
- 1E:55:FF:FF:01:71:5F:F1:28:7F:C8:A9:7C:AF:83:9F:ED:7A:33:0B
- X509v3 Authority Key Identifier:
- keyid:70:00:7F:99:20:9C:12:6B:E1:47:74:EA:EC:7B:6D:96:31:F3:4D:CA
-
- Signature Algorithm: sha256WithRSAEncryption
- 6b:1b:fa:f3:a8:c0:1e:e7:55:49:f2:4e:16:1f:9a:1b:22:9c:
- ff:c9:81:d0:5b:d6:28:3c:38:91:65:b5:ca:63:e6:9d:13:2d:
- 5f:f5:cc:67:c2:82:55:73:8f:8b:0c:0c:a9:60:2a:a8:b2:19:
- c1:a7:87:94:d8:69:5e:3c:88:e5:32:8a:4c:a6:6f:69:8b:c5:
- f2:7e:8e:d2:af:37:2d:27:73:c7:ad:9d:bc:14:08:a8:aa:57:
- 22:37:be:c6:d2:2d:a3:70:81:4a:88:8c:a3:44:89:6c:7d:9d:
- 9f:db:ff:5c:c6:ec:6d:97:b0:08:8d:76:c6:14:d0:25:81:a3:
- 09:b6:f2:89:32:12:b2:f2:71:71:b6:ac:c1:65:d1:9c:6b:e1:
- a4:4e:74:d0:01:17:ad:38:0f:17:86:07:56:b3:a1:86:5d:99:
- ef:d6:55:98:b9:ce:63:46:8b:37:c4:53:55:8b:7a:10:75:90:
- fd:e6:62:f0:6c:af:89:91:17:34:f7:99:77:6d:29:fa:92:bb:
- c3:45:77:fe:a3:15:da:54:7d:47:16:b6:6f:94:09:b8:5f:ca:
- e9:34:a2:bf:18:cd:d3:f4:17:2c:98:e4:e4:ca:46:ad:4b:a4:
- 34:77:47:ec:5d:21:a6:cf:5c:b9:5a:47:ca:04:a1:93:56:13:
- 0a:cc:47:91
------BEGIN CERTIFICATE-----
-MIIDjjCCAnagAwIBAgIJAJPCBNi9d2sSMA0GCSqGSIb3DQEBCwUAMEYxIDAeBgNV
-BAMMF0NlbnRPUyBTZWN1cmUgQm9vdCBDQSAyMSIwIAYJKoZIhvcNAQkBFhNzZWN1
-cml0eUBjZW50b3Mub3JnMB4XDTIwMDYwOTEwMzc1NFoXDTM4MDExODEwMzc1NFow
-TTEnMCUGA1UEAwweQ2VudE9TIFNlY3VyZSBCb290IFNpZ25pbmcgMjAyMSIwIAYJ
-KoZIhvcNAQkBFhNzZWN1cml0eUBjZW50b3Mub3JnMIIBIjANBgkqhkiG9w0BAQEF
-AAOCAQ8AMIIBCgKCAQEA1PAyTVB6wEHWYWhZXlvOZePpewHkU5TJt8FrtxILvI/X
-FxvBdzoIF7oj8b2Y8HzLlnAuDi6WZrefKRJv7jAzoaXu+Uuj+1JF2H7C6KkgqfIu
-9ES3hT80fMBzHXNjLxGgfd/nWiC5uf9dDm2Qhh8u+se1lDeARg37X/gm9M4vDVu/
-5Y2lEte6zxbyXBCuoICo3MRrACT0S/ABgn5LHLbWrOFyMgddSErNulycCXKJsi5g
-97ft6rYNrmP4CaGPYu4J0ssKgd98cku/vftZJIQfHc42vEwThMrF4IG77GGPn3iI
-Q43gFrKrkBQjKc4d56G7SpP5+I24/y8wdGayMYmxfQIDAQABo3gwdjAMBgNVHRMB
-Af8EAjAAMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAzAd
-BgNVHQ4EFgQUHlX//wFxX/Eof8ipfK+Dn+16MwswHwYDVR0jBBgwFoAUcAB/mSCc
-EmvhR3Tq7HttljHzTcowDQYJKoZIhvcNAQELBQADggEBAGsb+vOowB7nVUnyThYf
-mhsinP/JgdBb1ig8OJFltcpj5p0TLV/1zGfCglVzj4sMDKlgKqiyGcGnh5TYaV48
-iOUyikymb2mLxfJ+jtKvNy0nc8etnbwUCKiqVyI3vsbSLaNwgUqIjKNEiWx9nZ/b
-/1zG7G2XsAiNdsYU0CWBowm28okyErLycXG2rMFl0Zxr4aROdNABF604DxeGB1az
-oYZdme/WVZi5zmNGizfEU1WLehB1kP3mYvBsr4mRFzT3mXdtKfqSu8NFd/6jFdpU
-fUcWtm+UCbhfyuk0or8YzdP0FyyY5OTKRq1LpDR3R+xdIabPXLlaR8oEoZNWEwrM
-R5E=
------END CERTIFICATE-----
diff --git a/SOURCES/centossecurebootca2.crt b/SOURCES/centossecurebootca2.crt
deleted file mode 100644
index ff4e981..0000000
--- a/SOURCES/centossecurebootca2.crt
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDYjCCAkqgAwIBAgIJAIlReu6IOzL7MA0GCSqGSIb3DQEBCwUAMEYxIDAeBgNV
-BAMMF0NlbnRPUyBTZWN1cmUgQm9vdCBDQSAyMSIwIAYJKoZIhvcNAQkBFhNzZWN1
-cml0eUBjZW50b3Mub3JnMB4XDTIwMDYwOTA4MTkzMloXDTM4MDExODA4MTkzMlow
-RjEgMB4GA1UEAwwXQ2VudE9TIFNlY3VyZSBCb290IENBIDIxIjAgBgkqhkiG9w0B
-CQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQChatbNaQDV0RTCqff1tl92xI6gu1k8jYufW8FyzZ6uDnxoGpBT0LiU
-WKuGjMQ89JgiApFzDYSLWrZg8NbTnVdz0hny4SMyspe5weUk6IToKXvEejZNFn6i
-vae2vfT0/ASKsgIvUcz4sWHMK43vbfv/pVpYGLgoG5aNUkt7VhkeURwJzR3ODgDp
-aL4bQ/7qEo8ASHCEvQx6klG330Z06O0kjS6GK12cPC1t5ZlimVXCNWP1jf0pMWmh
-aBrZjbyY0j8R7Yns3cEovAM230chsVdyFxSYpqCLzMlmWNxiIlvcAoDIRMWEa7Da
-SSAfJWH+ygAzad1PHlnCB0zAFbLAMJH1AgMBAAGjUzBRMB0GA1UdDgQWBBRwAH+Z
-IJwSa+FHdOrse22WMfNNyjAfBgNVHSMEGDAWgBRwAH+ZIJwSa+FHdOrse22WMfNN
-yjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAe5NcVSUd/POZs
-Jkiep8ATNwXglLAeYxB55F42sXx5OOdKMBmhqWQIVJvaih/wsfKIBfdUGv2L9dH8
-IQgiU1PRYx0baSVJno3HcQTbCqLvnvckusR7IUTDAFj774MvXwS6yV6pXzxDmuh2
-t8hRktOKFeUtdlDYqg9X3Ia3GkoB5huyEbuaZTNcV4TAfU/yAERNIAgRs+fLQU70
-OgGlWsp35J8qPkZKabGf0surDa2xa6iAoFyknxruoKQ8uNSB9KB7/0JvVouNx90+
-ncykWW96GVKs8+H5WGza10FqrchtThSNCSXTtLbTXoK0Atdvu0o04XUbsCGMnlcG
-zAVb3/m0
------END CERTIFICATE-----
diff --git a/SOURCES/grub.macros b/SOURCES/grub.macros
index a4291b2..0dade27 100644
--- a/SOURCES/grub.macros
+++ b/SOURCES/grub.macros
@@ -101,6 +101,16 @@
-e 's/-m64//g' \\\
) %{nil}
%endif
+%ifarch %{ix86}
+%global target_cpu_name %{_arch}
+%global grub_target_name %{_arch}-pc
+
+%global legacy_target_cpu_name i386
+%global legacy_package_arch pc
+%global platform pc
+
+%global with_legacy_arch 0
+%endif
%ifarch aarch64
%global efiarch aa64
@@ -152,6 +162,14 @@
%global with_efi_common 1
%global with_legacy_common 0
%endif
+%ifarch %{ix86}
+%global with_efi_arch 0
+%global with_alt_efi_arch 0
+%global with_efi_common 0
+%global with_legacy_common 1
+%global with_legacy_utils 1
+%global with_legacy_arch 0
+%endif
%if 0%{with_efi_common}
%global common_srcdir grub-%{grubefiarch}-%{tarversion}
@@ -331,7 +349,7 @@ GRUB_MODULES=" all_video boot btrfs cat chain configfile echo \\\
gzio halt hfsplus iso9660 jpeg loadenv loopback \\\
lvm mdraid09 mdraid1x minicmd normal part_apple \\\
part_msdos part_gpt password_pbkdf2 png reboot \\\
- search search_fs_uuid search_fs_file \\\
+ regexp search search_fs_uuid search_fs_file \\\
search_label serial sleep syslinuxcfg test tftp \\\
video xfs" \
GRUB_MODULES+=%{efi_modules} \
diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches
index 191482a..a566e0f 100644
--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@@ -484,3 +484,16 @@ Patch0483: 0483-btrfs-Move-logging-code-in-grub_btrfs_read_logical.patch
Patch0484: 0484-btrfs-Move-the-error-logging-from-find_device-to-its.patch
Patch0485: 0485-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch
Patch0486: 0486-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch
+Patch0487: 0487-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch
+Patch0488: 0488-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
+Patch0489: 0489-font-Fix-several-integer-overflows-in-grub_font_cons.patch
+Patch0490: 0490-font-Remove-grub_font_dup_glyph.patch
+Patch0491: 0491-font-Fix-integer-overflow-in-ensure_comb_space.patch
+Patch0492: 0492-font-Fix-integer-overflow-in-BMP-index.patch
+Patch0493: 0493-font-Fix-integer-underflow-in-binary-search-of-char-.patch
+Patch0494: 0494-fbutil-Fix-integer-overflow.patch
+Patch0495: 0495-font-Fix-an-integer-underflow-in-blit_comb.patch
+Patch0496: 0496-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch
+Patch0497: 0497-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
+Patch0498: 0498-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch
+Patch0499: 0499-safemath-add-grub_cast-for-gcc-5.1.patch
diff --git a/SOURCES/sbat.csv.in b/SOURCES/sbat.csv.in
index fdc0e9f..808a8f4 100755
--- a/SOURCES/sbat.csv.in
+++ b/SOURCES/sbat.csv.in
@@ -1,3 +1,3 @@
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
-grub,2,Free Software Foundation,grub,2.02,https://www.gnu.org/software/grub/
+grub,3,Free Software Foundation,grub,2.02,https://www.gnu.org/software/grub/
grub.rhel7,2,Red Hat Enterprise Linux 7,grub2,@@VERSION@@,mail:secalert@redhat.com
diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec
index f24f119..bb09383 100644
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@@ -1,22 +1,12 @@
%undefine _hardened_build
-%global flagday 1:2.02-0.87.el7.centos.2
+
%global tarversion 2.02~beta2
%undefine _missing_build_ids_terminate_build
-%ifarch i686
-%define platform pc
-%define legacy_package_arch i386
-%define legacy_target_cpu_name i386
-%define target_cpu_name i386
-%endif
-%ifarch x86_64
-%define mock 1
-%endif
-
Name: grub2
Epoch: 1
Version: 2.02
-Release: 0.87.0.2%{?dist}%{?buildid}.11
+Release: 0.87%{?dist}%{?buildid}.14
Summary: Bootloader with support for Linux, Multiboot and more
Group: System Environment/Base
License: GPLv3+
@@ -27,10 +17,10 @@ Source1: grub.macros
Source2: grub.patches
Source3: http://unifoundry.com/unifont-5.1.20080820.pcf.gz
Source4: gitignore
-Source5: centos-ca-secureboot.der
-Source6: centossecureboot001.crt
-Source7: centossecurebootca2.crt
-Source8: centossecureboot202.crt
+Source5: redhatsecurebootca3.cer
+Source6: redhatsecureboot301.cer
+Source7: redhatsecurebootca5.cer
+Source8: redhatsecureboot502.cer
Source9: sbat.csv.in
%include %{SOURCE1}
@@ -64,11 +54,8 @@ BuildRequires: pesign >= 0.99-8
%if %{?_with_ccache: 1}%{?!_with_ccache: 0}
BuildRequires: ccache
%endif
-%if 0%{?centos}
-%global efidir centos
-%endif
-ExcludeArch: s390 s390x %{arm}
+ExcludeArch: s390 s390x %{arm} %{?ix86}
Obsoletes: %{name} <= %{flagday}
%if 0%{with_legacy_arch}
@@ -153,10 +140,6 @@ This subpackage provides tools for support of all platforms.
%prep
%setup -T -c -n grub-%{tarversion}
%do_common_setup
-sed -i.orig -e 's@/efi/EFI/redhat/@/efi/EFI/%{efidir}/@' \
- grub-%{tarversion}/util/grub-setpassword.in
-touch --reference=grub-%{tarversion}/util/grub-setpassword.in.orig \
- grub-%{tarversion}/util/grub-setpassword.in
%if 0%{with_efi_arch}
%do_setup %{grubefiarch}
sed -e "s,@@VERSION@@,%{evr},g" %{SOURCE9} \
@@ -171,10 +154,10 @@ sed -e "s,@@VERSION@@,%{evr},g" %{SOURCE9} \
%build
%if 0%{with_efi_arch}
-%do_primary_efi_build %{grubefiarch} %{grubefiname} %{grubeficdname} %{_target_platform} "'%{efi_cflags}'" %{SOURCE5} %{SOURCE6} centossecureboot001 %{SOURCE7} %{SOURCE8} centossecureboot202
+%do_primary_efi_build %{grubefiarch} %{grubefiname} %{grubeficdname} %{_target_platform} "'%{efi_cflags}'" %{SOURCE5} %{SOURCE6} redhatsecureboot301 %{SOURCE7} %{SOURCE8} redhatsecureboot502
%endif
%if 0%{with_alt_efi_arch}
-%do_alt_efi_build %{grubaltefiarch} %{grubaltefiname} %{grubalteficdname} %{_alt_target_platform} "'%{alt_efi_cflags}'" %{SOURCE5} %{SOURCE6} centossecureboot001 %{SOURCE7} %{SOURCE8} centossecureboot202
+%do_alt_efi_build %{grubaltefiarch} %{grubaltefiname} %{grubalteficdname} %{_alt_target_platform} "'%{alt_efi_cflags}'" %{SOURCE5} %{SOURCE6} redhatsecureboot301 %{SOURCE7} %{SOURCE8} redhatsecureboot502
%endif
%if 0%{with_legacy_arch}%{with_legacy_utils}
%do_legacy_build %{grublegacyarch}
@@ -486,6 +469,18 @@ fi
%endif
%changelog
+* Thu Feb 1 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.02-087.el7.14
+- Rebuild for signing
+- Related: RHEL-23460
+
+* Wed Jan 31 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.02-087.el7.13
+- safemath: add grub_cast for gcc < 5.1
+- Related: RHEL-23460
+
+* Tue Jan 30 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.02-087.el7.12
+- Font CVE fixes and bump SBAT (CVE-2022-2601)
+- Resolves: RHEL-23460
+
* Wed Nov 16 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-087.el7.11
- Bump sbat
- Resolves: CVE-2022-28733