@UTsweetyfish UTsweetyfish commented Nov 27, 2025

  • Bump SBAT 'grub' entry to 6
  • Set DPKG_VENDOR to Deepin, SB_EFI_VENDOR to deepin

Summary by Sourcery

Apply November 2025 CVE patch set to grub and update Debian packaging metadata accordingly.

Bug Fixes:

  • Backport upstream fixes for recursion depth calculation, USB test string handling, and proper module/command unregistration in grub to address security and stability issues.

Enhancements:

  • Update SBAT CSV entries and bump the grub SBAT generation to align with the new patched build.
  • Set Debian packaging vendor variables (DPKG_VENDOR, SB_EFI_VENDOR) for Deepin-based builds to ensure correct vendor identification.

Build:

  • Register the new cve-2025-nov patch series in the Debian patch list and changelog so it is applied during package builds.

- Bump SBAT 'grub' entry to 6
- Set DPKG_VENDOR to Deepin, SB_EFI_VENDOR to deepin

sourcery-ai bot commented Nov 27, 2025

Reviewer's Guide

Applies the November 2025 CVE patch set to grub, wires the new patches into the Debian packaging, and updates SBAT/packaging metadata for the Deepin vendor, including bumping the grub SBAT generation to 6.

File-Level Changes

Change: Wire the new CVE-2025-November patch series into the Debian packaging.
Details:
  • Extend the debian/patches/series file to include the new cve-2025-nov patch set so they are applied during package build
  • Introduce a dedicated debian/patches/cve-2025-nov/ directory to group the new patches logically
Files:
  • debian/patches/series
  • debian/patches/cve-2025-nov/commands-test-Fix-error-in-recursion-depth-calculati.patch
  • debian/patches/cve-2025-nov/commands-usbtest-Ensure-string-length-is-sufficient-.patch
  • debian/patches/cve-2025-nov/commands-usbtest-Use-correct-string-length-field.patch
  • debian/patches/cve-2025-nov/gettext-gettext-Unregister-gettext-command-on-module.patch
  • debian/patches/cve-2025-nov/kern-file-Call-grub_dl_unref-after-fs-fs_close.patch
  • debian/patches/cve-2025-nov/net-net-Unregister-net_set_vlan-command-on-unload.patch
  • debian/patches/cve-2025-nov/normal-main-Unregister-commands-on-module-unload.patch
  • debian/patches/cve-2025-nov/tests-lib-functional_test-Unregister-commands-on-mod.patch

Change: Update SBAT metadata and vendor identifiers for Deepin builds.
Details:
  • Bump the grub SBAT generation field to 6 across Debian/Deepin/UOS SBAT CSV templates
  • Align SBAT entry vendor strings for Deepin-specific builds
  • Ensure SBAT templates remain consistent across all Debian-derived variants
Files:
  • debian/sbat.debian.csv.in
  • debian/sbat.deepin.csv.in
  • debian/sbat.uos.csv.in

Change: Adjust Debian packaging rules and metadata for Deepin as the vendor and integrate the security update.
Details:
  • Set DPKG_VENDOR to Deepin and SB_EFI_VENDOR to deepin in the rules to ensure correct vendor identification in builds
  • Update debian/changelog with a new entry describing the CVE-2025-Nov patch series application and SBAT bump
Files:
  • debian/rules
  • debian/changelog

@github-actions

TAG Bot

TAG: 2.12-7deepin7
EXISTED: no
DISTRIBUTION: unstable

@sourcery-ai sourcery-ai bot left a comment

Hey there - I've reviewed your changes - here's some feedback:

  • Since you’ve bumped the SBAT generation and added multiple *.csv.in variants, double-check that the grub SBAT level and component names are kept consistent across debian/sbat.debian.csv.in, sbat.deepin.csv.in, and sbat.uos.csv.in to avoid mismatched revocations between vendors.
  • The introduction of DPKG_VENDOR and SB_EFI_VENDOR for Deepin builds in debian/rules should be guarded so it doesn’t affect non-Deepin derivatives; consider scoping or conditioning these variables so they only apply when building for that specific vendor.
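Added example, not part of the PR or of Sourcery's review: one way to automate the consistency check the review asks for, by parsing each SBAT template and comparing its `grub` generation with the expected value of 6. The template contents, vendor rows and URLs are constructed placeholders, and `parse_sbat` and `check_templates` are hypothetical helpers.

```python
import csv
import io

# Constructed sample templates, NOT the PR's real files; vendor rows and URLs are placeholders.
HEADER = "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
UPSTREAM = "grub,{gen},Free Software Foundation,grub,@UPSTREAM_VERSION@,https://www.gnu.org/software/grub/\n"
VENDOR = "grub.{v},1,{v},grub2,@DEB_VERSION@,https://example.invalid/{v}\n"
TEMPLATES = {
    "sbat.debian.csv.in": HEADER + UPSTREAM.format(gen=6) + VENDOR.format(v="debian"),
    "sbat.deepin.csv.in": HEADER + UPSTREAM.format(gen=6) + VENDOR.format(v="deepin"),
    "sbat.uos.csv.in": HEADER + UPSTREAM.format(gen=5) + VENDOR.format(v="uos"),  # stale on purpose
}

def parse_sbat(text):
    """Return {component: generation}; raise ValueError on a malformed row."""
    entries = {}
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        # SBAT rows: component, generation, vendor, package, version, url
        if len(row) != 6 or not (row[1].isascii() and row[1].isdigit()):
            raise ValueError(f"malformed SBAT row: {row!r}")
        if row[0] in entries:
            raise ValueError(f"duplicate component: {row[0]}")
        entries[row[0]] = int(row[1])
    return entries

def check_templates(templates, expected_grub_gen):
    """Return a list of findings; an empty list means the templates agree."""
    findings = []
    for name, text in sorted(templates.items()):
        try:
            entries = parse_sbat(text)
        except ValueError as exc:
            findings.append(f"{name}: {exc}")
            continue
        for required in ("sbat", "grub"):
            if required not in entries:
                findings.append(f"{name}: missing '{required}' entry")
        gen = entries.get("grub")
        if gen is not None and gen != expected_grub_gen:
            findings.append(f"{name}: grub generation {gen}, expected {expected_grub_gen}")
        if not any(c.startswith("grub.") for c in entries):
            findings.append(f"{name}: no vendor 'grub.<vendor>' entry")
    return findings

if __name__ == "__main__":
    for finding in check_templates(TEMPLATES, 6):
        print(finding)
```

A template left at a lower `grub` generation yields a binary that shim refuses to load once that generation is revoked, so a check like this fits as a build-time gate.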

@deepin-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from utsweetyfish. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@UTsweetyfish
Contributor Author

/integrate

@github-actions

AutoIntegrationPr Bot
auto integrate with pr url: deepin-community/Repository-Integration#3465
PrNumber: 3465
PrBranch: auto-integration-19730392172

@Zeno-sole Zeno-sole merged commit b4096bd into deepin-community:master Dec 3, 2025
7 of 8 checks passed