From 4863f0afc161c2f00196e4ebde2e48d2c3e81a42 Mon Sep 17 00:00:00 2001 From: Lynsey Rydberg Date: Wed, 4 Mar 2026 19:57:36 +0000 Subject: [PATCH] fix: Patch CVE-2025-0622 for grub2 and increase sbat to grub,5 --- .../grub2-efi-binary-signed.spec | 5 +- SPECS/grub2/CVE-2025-0622.patch | 115 ++++++++++++++++++ SPECS/grub2/grub2.signatures.json | 2 +- SPECS/grub2/grub2.spec | 7 +- SPECS/grub2/sbat.csv.in | 2 +- 5 files changed, 127 insertions(+), 4 deletions(-) create mode 100644 SPECS/grub2/CVE-2025-0622.patch diff --git a/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec b/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec index fe4b56ba482..5932c438dff 100644 --- a/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec +++ b/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec @@ -13,7 +13,7 @@ Summary: Signed GRand Unified Bootloader for %{buildarch} systems Name: grub2-efi-binary-signed-%{buildarch} Version: 2.06 -Release: 26%{?dist} +Release: 27%{?dist} License: GPLv3+ Vendor: Microsoft Corporation Distribution: Azure Linux @@ -84,6 +84,9 @@ cp %{SOURCE3} %{buildroot}/boot/efi/EFI/%{efidir}/%{grubpxeefiname} /boot/efi/EFI/%{efidir}/%{grubpxeefiname} %changelog +* Wed Mar 04 2026 Lynsey Rydberg - 2.06-27 +- Bump release number to match grub release + * Mon Nov 24 2025 Akhila Guruju - 2.06-26 - Bump release number to match grub release diff --git a/SPECS/grub2/CVE-2025-0622.patch b/SPECS/grub2/CVE-2025-0622.patch new file mode 100644 index 00000000000..b3a2813bc09 --- /dev/null +++ b/SPECS/grub2/CVE-2025-0622.patch 
@@ -0,0 +1,115 @@
+From 2123c5bca7e21fbeb0263df4597ddd7054700726 Mon Sep 17 00:00:00 2001
+From: B Horn
+Date: Fri, 1 Nov 2024 19:24:29 +0000
+Subject: [PATCH 1/3] commands/pgp: Unregister the "check_signatures" hooks on
+ module unload
+
+If the hooks are not removed they can be called after the module has
+been unloaded leading to an use-after-free.
+
+Fixes: CVE-2025-0622
+
+Reported-by: B Horn
+Signed-off-by: B Horn
+Reviewed-by: Daniel Kiper
+---
+ grub-core/commands/pgp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
+index c6766f044..5fadc33c4 100644
+--- a/grub-core/commands/pgp.c
++++ b/grub-core/commands/pgp.c
+@@ -1010,6 +1010,8 @@ GRUB_MOD_INIT(pgp)
+
+ GRUB_MOD_FINI(pgp)
+ {
++ grub_register_variable_hook ("check_signatures", NULL, NULL);
++ grub_env_unset ("check_signatures");
+ grub_verifier_unregister (&grub_pubkey_verifier);
+ grub_unregister_extcmd (cmd);
+ grub_unregister_extcmd (cmd_trust);
+--
+2.45.4
+
+
+From 9c16197734ada8d0838407eebe081117799bfe67 Mon Sep 17 00:00:00 2001
+From: B Horn
+Date: Fri, 1 Nov 2024 23:46:55 +0000
+Subject: [PATCH 2/3] normal: Remove variables hooks on module unload
+
+The normal module does not entirely cleanup after itself in
+its GRUB_MOD_FINI() leaving a few variables hooks in place.
+It is not possible to unload normal module now but fix the
+issues for completeness.
+
+On the occasion replace 0s with NULLs for "pager" variable
+hooks unregister.
+
+Fixes: CVE-2025-0622
+
+Reported-by: B Horn
+Signed-off-by: B Horn
+Reviewed-by: Daniel Kiper
+---
+ grub-core/normal/main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+index 838f57fa5..04d058f55 100644
+--- a/grub-core/normal/main.c
++++ b/grub-core/normal/main.c
+@@ -582,7 +582,9 @@ GRUB_MOD_FINI(normal)
+ grub_xputs = grub_xputs_saved;
+
+ grub_set_history (0);
+- grub_register_variable_hook ("pager", 0, 0);
++ grub_register_variable_hook ("pager", NULL, NULL);
++ grub_register_variable_hook ("color_normal", NULL, NULL);
++ grub_register_variable_hook ("color_highlight", NULL, NULL);
+ grub_fs_autoload_hook = 0;
+ grub_unregister_command (cmd_clear);
+ grub_unregister_command (cmd_normal);
+ grub_unregister_command (cmd_normal_exit);
+ }
+--
+2.45.4
+
+
+From 7580addfc8c94cedb0cdfd7a1fd65b539215e637 Mon Sep 17 00:00:00 2001
+From: B Horn
+Date: Fri, 1 Nov 2024 23:52:06 +0000
+Subject: [PATCH 3/3] gettext: Remove variables hooks on module unload
+
+The gettext module does not entirely cleanup after itself in
+its GRUB_MOD_FINI() leaving a few variables hooks in place.
+It is not possible to unload gettext module because normal
+module depends on it. Though fix the issues for completeness.
+
+Fixes: CVE-2025-0622
+
+Reported-by: B Horn
+Signed-off-by: B Horn
+Reviewed-by: Daniel Kiper
+---
+ grub-core/gettext/gettext.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
+index 7a1c14e4f..e4f4f8ee6 100644
+--- a/grub-core/gettext/gettext.c
++++ b/grub-core/gettext/gettext.c
+@@ -544,6 +544,10 @@ GRUB_MOD_FINI (gettext)
+ {
+ grub_unregister_command (cmd);
+
++ grub_register_variable_hook ("locale_dir", NULL, NULL);
++ grub_register_variable_hook ("secondary_locale_dir", NULL, NULL);
++ grub_register_variable_hook ("lang", NULL, NULL);
++
+ grub_gettext_delete_list (&main_context);
+ grub_gettext_delete_list (&secondary_context);
+
+--
+2.45.4
+
diff --git a/SPECS/grub2/grub2.signatures.json b/SPECS/grub2/grub2.signatures.json
index 1dec98a7e34..7dd264cf60f 100644
--- a/SPECS/grub2/grub2.signatures.json
+++ b/SPECS/grub2/grub2.signatures.json
@@ -2,6 +2,6 @@
 "Signatures": {
 "gnulib-d271f868a8df9bbec29049d01e056481b7a1a263.tar.gz": "4e23415ae2977ffca15e07419ceff3e9334d0369eafc9e7ae2578f8dd9a4839c",
 "grub-2.06.tar.gz": "660eaa2355a4045d8d0cdb5765169d1cad9912ec07873b86c9c6d55dbaa9dfca",
- "sbat.csv.in": "bda0c179d651655f126c508673bbf80505b4aa4b64c347409f4d7ec668b164f0"
+ "sbat.csv.in": "d0591975060289753d67c1653b7459d002a736dd40ecfd36b2689033d4891240"
 }
 }
diff --git a/SPECS/grub2/grub2.spec b/SPECS/grub2/grub2.spec
index 6b32d4e0e50..5b046d2e16c 100644
--- a/SPECS/grub2/grub2.spec
+++ b/SPECS/grub2/grub2.spec
@@ -7,7 +7,7 @@
 Summary: GRand Unified Bootloader
 Name: grub2
 Version: 2.06
-Release: 26%{?dist}
+Release: 27%{?dist}
 License: GPLv3+
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
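Review bot: In patch 2/3 of the new CVE-2025-0622.patch, the normal/main.c hunk header `@@ -582,7 +582,9 @@` does not match its body, which carries nine old-side and eleven new-side lines because two extra trailing context lines, `grub_unregister_command (cmd_normal_exit);` and `}`, follow the three that the header and the `4 +++-` diffstat account for. GNU patch satisfies the header's count and then, at best, skips the two surplus lines as garbage before the next `From` block, so the build may still pass, but `git apply` rejects such a hunk as corrupt and anyone rebasing the file inherits a silent divergence from the upstream commit it cites; either change the header to `@@ -582,9 +582,11 @@` or drop the two extra lines. The pgp.c (6/8) and gettext.c (6/10) hunks count consistently. Separately, the pgp.c hunk unsets `check_signatures` on unload rather than restoring a prior value, which matches the upstream commit, but it is worth confirming in this 2.06 tree that the pgp module cannot be unloaded while enforcement is active, since the added lines only take effect on that path.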
@@ -130,6 +130,7 @@ Patch: CVE-2024-45780.patch Patch: CVE-2025-61661.patch Patch: CVE-2025-61662.patch Patch: CVE-2025-61663.patch +Patch: CVE-2025-0622.patch # Following are included as part of above CVEs and kept here as nopatch # and commented out, because from patch command perspective, these files # have garbage content. @@ -467,6 +468,10 @@ cp $GRUB_PXE_MODULE_SOURCE $EFI_BOOT_DIR/$GRUB_PXE_MODULE_NAME %config(noreplace) %{_sysconfdir}/grub.d/41_custom %changelog +* Wed Mar 04 2026 Lynsey Rydberg - 2.06-27 +- Patch CVE-2025-0622 +- Bump SBAT to grub,5 + * Mon Nov 24 2025 Akhila Guruju - 2.06-26 - Patch CVE-2025-61661, CVE-2025-61662 & CVE-2025-61663 diff --git a/SPECS/grub2/sbat.csv.in b/SPECS/grub2/sbat.csv.in index 76617ee24d1..46585d2c107 100644 --- a/SPECS/grub2/sbat.csv.in +++ b/SPECS/grub2/sbat.csv.in @@ -1,4 +1,4 @@ sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md -grub,4,Free Software Foundation,grub,@@VERSION@@,https://www.gnu.org/software/grub/ +grub,5,Free Software Foundation,grub,@@VERSION@@,https://www.gnu.org/software/grub/ grub.azurelinux,3,Microsoft,grub2,@@VERSION_RELEASE@@,https://github.com/microsoft/azurelinux grub.rh,2,Red Hat,grub2,@@VERSION_RELEASE@@,mailto:secalert@redhat.com
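Review bot: Raising the upstream `grub` SBAT generation from 4 to 5 in sbat.csv.in asserts that this binary carries every fix the upstream generation-5 revocation covers, not only CVE-2025-0622, so the bump is correct only if the rest of that upstream batch is already applied to this 2.06 tree; only a fragment of the `Patch:` list is visible in the spec hunk above, so this should be checked against the upstream SBAT generation notes before the binary is signed. The changelog entry `- Bump SBAT to grub,5` would be clearer as `- Bump SBAT to grub,5 to match the upstream generation bump that covers CVE-2025-0622`, so the next maintainer can see which revocation it tracks. The vendor line `grub.azurelinux,3` is left unchanged; if the intent is that shim should be able to revoke the earlier Azure Linux builds independently of the upstream generation, that line needs its own bump, and either choice deserves a one-line rationale in the spec changelog.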