diff --git a/.grub2.checksum b/.grub2.checksum
index 13f9b3dc301761229d3ee6216ea6f6bec80665d0..3a06e672051399458fc0be2952c6a6cba51bb50a 100644
--- a/.grub2.checksum
+++ b/.grub2.checksum
@@ -1 +1 @@
-8878d473700765c4d72429495cdd01b0f78f282b99d04b67e94be8ca0f4a101e
+2a888a7fcc43f8ac42005d503f46b51eeb654d4025e6c584ae53b56d12bdca6a
diff --git a/.grub2.metadata b/.grub2.metadata
index a2b4b5ea1d2ccd4536c9b20fef5ffa7be5da4e77..3f85c530aa3fbb2515ec19cfa452c54b9a65c497 100644
--- a/.grub2.metadata
+++ b/.grub2.metadata
@@ -1,4 +1,4 @@
 b79ea44af91b93d17cd3fe80bdae6ed43770678a9a5ae192ccea803ebb657ee1 SOURCES/grub-2.06.tar.xz
-aea0ea746353c6c2b5b8874e65facd087bb0346ec198993f8aaaa21eea040378 SOURCES/unifont-13.0.06.pcf.gz
 f3bd4a5087865b78217fc68fe2d1abc8be90bd48e3b9cb077c1979441a6f9e8d SOURCES/gnulib-9f48fb992a3d7e96610c4ce8be969cff2d61a01b.tar.gz
 1fddd06b4854598a18ff3742c472c6a5c609929ce1ab74ec9901812aaf30be02 SOURCES/theme.tar.bz2
+aea0ea746353c6c2b5b8874e65facd087bb0346ec198993f8aaaa21eea040378 SOURCES/unifont-13.0.06.pcf.gz
diff --git a/SOURCES/0329-search-command-add-flag-to-only-search-root-dev.patch b/SOURCES/0329-search-command-add-flag-to-only-search-root-dev.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5079ee9a22c8d948abdd32aaa81189f13041754d
--- /dev/null
+++ b/SOURCES/0329-search-command-add-flag-to-only-search-root-dev.patch
@@ -0,0 +1,159 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Marta Lewandowska <mlewando@redhat.com>
+Date: Mon, 9 Oct 2023 08:53:18 +0200
+Subject: [PATCH] search command: add flag to only search root dev
+
+bz#2223437
+Signed-off-by: Marta Lewandowska <mlewando@redhat.com>
+---
+ grub-core/commands/search.c      | 36 ++++++++++++++++++++++++++++++++++++
+ grub-core/commands/search_wrap.c |  5 +++++
+ grub-core/kern/misc.c            | 30 ++++++++++++++++++++++++++++++
+ include/grub/misc.h              |  1 +
+ include/grub/search.h            |  3 ++-
+ 5 files changed, 74 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/search.c b/grub-core/commands/search.c
+index 57d26ced8a8e..94fe8b2872a1 100644
+--- a/grub-core/commands/search.c
++++ b/grub-core/commands/search.c
+@@ -85,6 +85,42 @@ iterate_device (const char *name, void *data)
+       grub_device_close (dev);
+     }
+ 
++  /* Skip it if it's not the root device when requested. */
++  if (ctx->flags & SEARCH_FLAGS_ROOTDEV_ONLY)
++    {
++      const char *root_dev;
++      root_dev = grub_env_get ("root");
++      if (root_dev != NULL && *root_dev != '\0')
++      {
++        char *root_disk = grub_malloc (grub_strlen(root_dev) + 1);
++        char *name_disk = grub_malloc (grub_strlen(name) + 1);
++        char *rem_1 = grub_malloc(grub_strlen(root_dev) + 1);
++        char *rem_2 = grub_malloc(grub_strlen(name) + 1);
++
++	if (root_disk != NULL && name_disk != NULL &&
++	    rem_1 != NULL && rem_2 != NULL)
++     {
++            /* get just the disk name; partitions will be different. */
++            grub_str_sep (root_dev, root_disk, ',', rem_1);
++            grub_str_sep (name, name_disk, ',', rem_2);
++            if (root_disk != NULL && *root_disk != '\0' &&
++             name_disk != NULL && *name_disk != '\0')
++              if (grub_strcmp(root_disk, name_disk) != 0)
++                {
++                  grub_free (root_disk);
++                  grub_free (name_disk);
++                  grub_free (rem_1);
++                  grub_free (rem_2);
++                  return 0;
++                }
++	  }
++        grub_free (root_disk);
++        grub_free (name_disk);
++        grub_free (rem_1);
++        grub_free (rem_2);
++      }
++    }
++
+ #ifdef DO_SEARCH_FS_UUID
+ #define compare_fn grub_strcasecmp
+ #else
+diff --git a/grub-core/commands/search_wrap.c b/grub-core/commands/search_wrap.c
+index 0b62acf85359..06b5f51eefb5 100644
+--- a/grub-core/commands/search_wrap.c
++++ b/grub-core/commands/search_wrap.c
+@@ -41,6 +41,7 @@ static const struct grub_arg_option options[] =
+      ARG_TYPE_STRING},
+     {"no-floppy",	'n', 0, N_("Do not probe any floppy drive."), 0, 0},
+     {"efidisk-only",	0, 0, N_("Only probe EFI disks."), 0, 0},
++    {"root-dev-only",  'r', 0, N_("Only probe root device."), 0, 0},
+     {"hint",	        'h', GRUB_ARG_OPTION_REPEATABLE,
+      N_("First try the device HINT. If HINT ends in comma, "
+ 	"also try subpartitions"), N_("HINT"), ARG_TYPE_STRING},
+@@ -75,6 +76,7 @@ enum options
+     SEARCH_SET,
+     SEARCH_NO_FLOPPY,
+     SEARCH_EFIDISK_ONLY,
++    SEARCH_ROOTDEV_ONLY,
+     SEARCH_HINT,
+     SEARCH_HINT_IEEE1275,
+     SEARCH_HINT_BIOS,
+@@ -189,6 +191,9 @@ grub_cmd_search (grub_extcmd_context_t ctxt, int argc, char **args)
+   if (state[SEARCH_EFIDISK_ONLY].set)
+     flags |= SEARCH_FLAGS_EFIDISK_ONLY;
+ 
++  if (state[SEARCH_ROOTDEV_ONLY].set)
++    flags |= SEARCH_FLAGS_ROOTDEV_ONLY;
++
+   if (state[SEARCH_LABEL].set)
+     grub_search_label (id, var, flags, hints, nhints);
+   else if (state[SEARCH_FS_UUID].set)
+diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c
+index cb454614022f..50af9ee1bdd9 100644
+--- a/grub-core/kern/misc.c
++++ b/grub-core/kern/misc.c
+@@ -619,6 +619,36 @@ grub_reverse (char *str)
+     }
+ }
+ 
++/* Separate string into two parts, broken up by delimiter delim. */
++void
++grub_str_sep (const char *s, char *p, char delim, char *r)
++{
++  char* t = grub_strndup(s, grub_strlen(s));
++
++  if (t != NULL && *t != '\0')
++  {
++    char* tmp = t;
++
++    while (((*p = *t) != '\0') && ((*p = *t) != delim))
++    {
++      p++;
++      t++;
++    }
++    *p = '\0';
++
++    if (*t != '\0')
++    {
++      t++;
++      while ((*r++ = *t++) != '\0')
++        ;
++      *r = '\0';
++    }
++    grub_free (tmp);
++  }
++  else
++    grub_free (t);
++}
++
+ /* Divide N by D, return the quotient, and store the remainder in *R.  */
+ grub_uint64_t
+ grub_divmod64 (grub_uint64_t n, grub_uint64_t d, grub_uint64_t *r)
+diff --git a/include/grub/misc.h b/include/grub/misc.h
+index faae0ae8606c..981526644d29 100644
+--- a/include/grub/misc.h
++++ b/include/grub/misc.h
+@@ -314,6 +314,7 @@ void *EXPORT_FUNC(grub_memset) (void *s, int c, grub_size_t n);
+ grub_size_t EXPORT_FUNC(grub_strlen) (const char *s) WARN_UNUSED_RESULT;
+ int EXPORT_FUNC(grub_printf) (const char *fmt, ...) __attribute__ ((format (GNU_PRINTF, 1, 2)));
+ int EXPORT_FUNC(grub_printf_) (const char *fmt, ...) __attribute__ ((format (GNU_PRINTF, 1, 2)));
++void EXPORT_FUNC(grub_str_sep) (const char *s, char *p, char delim, char *r);
+ 
+ /* Replace all `ch' characters of `input' with `with' and copy the
+    result into `output'; return EOS address of `output'. */
+diff --git a/include/grub/search.h b/include/grub/search.h
+index 4190aeb2cbf5..321d1400e451 100644
+--- a/include/grub/search.h
++++ b/include/grub/search.h
+@@ -22,7 +22,8 @@
+ enum search_flags
+   {
+     SEARCH_FLAGS_NO_FLOPPY	= 1,
+-    SEARCH_FLAGS_EFIDISK_ONLY	= 2
++    SEARCH_FLAGS_EFIDISK_ONLY	= 2,
++    SEARCH_FLAGS_ROOTDEV_ONLY	= 4
+   };
+ 
+ void grub_search_fs_file (const char *key, const char *var,
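Review bot: The root-device filter added to iterate_device in search.c fails open: when any of the four grub_malloc calls returns NULL, or when grub_str_sep yields an empty disk name, the comparison is skipped and the device is still searched, so under memory pressure `--root-dev-only` silently stops restricting the search that CVE-2023-4001 is about. The allocations exist only so grub_str_sep can split off the disk part; comparing the prefix up to the first ',' in place removes the allocations, the duplicated four-way free, and the fail-open path, as sketched below (empty or mismatched disk names now skip the device). The new grub_str_sep in misc.c also leaves `r` unwritten when s contains no delim, so rem_1/rem_2 are uninitialized after the call (harmless here because they are only freed), and the grub_strndup copy of s is unnecessary since s is only read; the prototype in misc.h should state the contract, e.g. `/* P and R must each hold at least grub_strlen (S) + 1 bytes; R is left untouched when DELIM is absent.  */`. iterate_device's body begins and ends outside this hunk.
```c
  /* Skip it if it's not the root device when requested. */
  if (ctx->flags & SEARCH_FLAGS_ROOTDEV_ONLY)
    {
      const char *root_dev = grub_env_get ("root");

      if (root_dev != NULL && *root_dev != '\0')
        {
          /* Compare only the disk part (up to the first ','); partitions may differ.  */
          const char *root_sep = grub_strchr (root_dev, ',');
          const char *name_sep = grub_strchr (name, ',');
          grub_size_t root_len = root_sep ? (grub_size_t) (root_sep - root_dev)
                                          : grub_strlen (root_dev);
          grub_size_t name_len = name_sep ? (grub_size_t) (name_sep - name)
                                          : grub_strlen (name);

          /* Fail closed: an empty disk name or a mismatch means skip this device.  */
          if (root_len == 0 || root_len != name_len
              || grub_memcmp (root_dev, name, root_len) != 0)
            return 0;
        }
    }
  /* … unchanged: compare_fn selection and the rest of iterate_device … */
```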
diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches
index 38f43d8be4f48eeb213cb0ebafd7882995984a08..b41fa9999f5730a6bcb9cfed9439b8b7b2b5d81f 100644
--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@@ -326,3 +326,4 @@ Patch0325: 0325-kern-ieee1275-init-Extended-support-in-Vec5.patch
 Patch0326: 0326-efi-http-change-uint32_t-to-uintn_t.patch
 Patch0327: 0327-grub-mkconfig-dont-overwrite-BLS-cmdline-if-BLSCFG.patch
 Patch0328: 0328-grub2-mkconfig-Pass-all-boot-params-when-used-by-ana.patch
+Patch0329: 0329-search-command-add-flag-to-only-search-root-dev.patch
diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec
index 0586f225d6901e19fd460072cd0e6e7689f7a8f6..558009c596ded179debe4b727cb64974c5a67576 100644
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@@ -16,7 +16,7 @@
 Name: grub2
 Epoch: 1
 Version: 2.06
-Release: 70%{?dist}.1.rocky.0.2
+Release: 70%{?dist}.2.rocky.0.2
 Summary: Bootloader with support for Linux, Multiboot and more
 License: GPLv3+
 URL: http://www.gnu.org/software/grub/
@@ -350,7 +350,7 @@ BOOT_UUID=$(%{name}-probe --target=fs_uuid ${GRUB_HOME})
 GRUB_DIR=$(%{name}-mkrelpath ${GRUB_HOME})
 
 cat << EOF > ${EFI_HOME}/grub.cfg.stb
-search --no-floppy --fs-uuid --set=dev ${BOOT_UUID}
+search --no-floppy --root-dev-only --fs-uuid --set=dev ${BOOT_UUID}
 set prefix=(\$dev)${GRUB_DIR}
 export \$prefix
 configfile \$prefix/grub.cfg
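Review bot: The new `--root-dev-only` in the generated grub.cfg.stb only restricts the search when `$root` is set in the environment at that point; with the patch as written, an unset or empty `root` makes the flag a no-op and the search falls back to probing every device. That precondition is not visible from the spec, so the heredoc should say so, e.g. `# --root-dev-only is only effective when \$root is set (patch 0329)` placed before the search line. Whether `$root` is always populated when this embedded config runs is not shown here and is worth confirming for every firmware path this package targets.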
@@ -534,7 +534,7 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
 %endif
 
 %changelog
-* Tue Dec 05 2023 Release Engineering <releng@rockylinux.org> - 2.06-70.rocky.0.2
+* Wed Jan 24 2024 Release Engineering <releng@rockylinux.org> - 2.06-70.rocky.0.2
 - Removing redhat old cert sources entries (Sherif Nagy)
 - Preserving rhel8 sbat entry based on shim-review feedback ticket no. 194
 - Adding prod cert
@@ -544,6 +544,11 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
 - Adding Rocky testing CA, CERT and sbat files
 - Use DER for ppc64le builds from rocky-sb-certs (Louis Abel)
 
+* Thu Jan 4 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-70.el9_3.2
+- search command: add flag to only search root dev
+  (CVE-2023-4001)
+- Resolves: #RHEL-20525
+
 * Thu Sep 7 2023 Nicolas Frayer <nfrayer@redhat.com> - 2.06-70.el9_3.1
 - Bump spec release version
 - Related: #2203203