fix: Patch CVE-2025-0622 for grub2 and increase sbat to grub,5

[corvus-callidus]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

The upstream review process for updating shim to 16.1 requires that our version of grub2 contain certain CVE fixes and be updated to sbat grub,5. During the preparation of the review collateral, it was noticed that we were missing CVE-2025-0622 and the sbat increase. NIST has not finished its analysis of this CVE, so Astrolabe did not flag it.

I have verified that all of the other CVEs fixes required for the shim review are present in our package. There should be no additional changes needed.

• Upstream shim-review instructions showing required CVE fixes and sbat value: https://github.com/rhboot/shim-review#do-you-have-fixes-for-all-the-following-grub2-cves-applied
• Grub-devel mailing list entry detailing patches: https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html

Change Log

• Patch CVE-2025-0622
• Bump grub2 sbat entry to grub,5

Does this affect the toolchain?

NO

Associated issues

• #xxxx

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2025-0622

Test Methodology

• Pipeline build id: 1067429
• Manual testing with shim 15.8, upcoming shim 16.1 to verify both grub and secure boot functionality.

[corvus-callidus]

Regarding failing PR checks:

• Check Disallowed Files check is failing due to thinking that grub2-efi-binary-signed.spec is a binary file. It contains no problematic content.
• Check Package CGManifests is failing due to a known issue. Discussed offline with @christopherco and @jslobodzian.

[CBL-Mariner-Bot]

Auto cherry-pick results:

• 3.0-dev ✅ -> [AUTO-CHERRYPICK] fix: Patch CVE-2025-0622 for grub2 and increase sbat to grub,5 - branch 3.0-dev #16197

Auto cherry-pick pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1070802&view=results