grub 2.00: Bugfix for CVE-2015-8370
| Message ID | 1450470532-21728-1-git-send-email-matthias.fischer@ipfire.org |
|---|---|
| State | Accepted |
| Commit | 44fb4620ee2a314070fbf47de6cd7a6a2c7365f2 |
| Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.tremer.info [172.28.1.200]) by septima.ipfire.org (Postfix) with ESMTP id 29B1C615F6 for <patchwork@ipfire.org>; Fri, 18 Dec 2015 21:29:02 +0100 (CET) Received: from hedwig.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id B01BAA12; Fri, 18 Dec 2015 21:29:01 +0100 (CET) Received: from Devel.localdomain (p5DD83545.dip0.t-ipconnect.de [93.216.53.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id D417FD5 for <development@lists.ipfire.org>; Fri, 18 Dec 2015 21:28:57 +0100 (CET) From: Matthias Fischer <matthias.fischer@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH] grub 2.00: Bugfix for CVE-2015-8370 Date: Fri, 18 Dec 2015 21:28:52 +0100 Message-Id: <1450470532-21728-1-git-send-email-matthias.fischer@ipfire.org> X-Mailer: git-send-email 2.6.4 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <http://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <http://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
Message
Matthias Fischer
Dec. 19, 2015, 7:28 a.m. UTC
See: http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html
"A vulnerability in Grub2 has been found. Versions from 1.98 (December, 2009)
to 2.02 (December, 2015) are affected. The vulnerability can be exploited
under certain circumstances, allowing local attackers to bypass any kind of
authentication (plain or hashed passwords). And so, the attacker may take
control of the computer."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
lfs/grub | 3 +-
...E-2015-8370-Grub2-user-pass-vulnerability.patch | 45 ++++++++++++++++++++++
2 files changed, 47 insertions(+), 1 deletion(-)
create mode 100644 src/patches/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch
Comments
We are usually not using this code, but of course we will patch this. Thank you for having an eye on these things. Best, -Michael On Fri, 2015-12-18 at 21:28 +0100, Matthias Fischer wrote: > See: > http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html > > "A vulnerability in Grub2 has been found. Versions from 1.98 > (December, 2009) > to 2.02 (December, 2015) are affected. The vulnerability can be > exploited > under certain circumstances, allowing local attackers to bypass any > kind of > authentication (plain or hashed passwords). And so, the attacker may > take > control of the computer." > > Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> > --- > lfs/grub | 3 +- > ...E-2015-8370-Grub2-user-pass-vulnerability.patch | 45 > ++++++++++++++++++++++ > 2 files changed, 47 insertions(+), 1 deletion(-) > create mode 100644 src/patches/0001-Fix-CVE-2015-8370-Grub2-user > -pass-vulnerability.patch > > diff --git a/lfs/grub b/lfs/grub > index bcbcbd0..3e613a8 100644 > --- a/lfs/grub > +++ b/lfs/grub > @@ -1,7 +1,7 @@ > #################################################################### > ########### > # > # > # IPFire.org - A linux based firewall > # > -# Copyright (C) 2007-2014 IPFire Team <info@ipfire.org> > # > +# Copyright (C) 2007-2015 IPFire Team <info@ipfire.org> > # > # > # > # This program is free software: you can redistribute it and/or > modify # > # it under the terms of the GNU General Public License as published > by # > @@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > @$(PREBUILD) > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf > $(DIR_DL)/$(DL_FILE) > cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub > -2.00_disable_vga_fallback.patch > + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/0001 > -Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch > cd $(DIR_APP) && \ > ./configure \ > --prefix=/usr \ > diff --git a/src/patches/0001-Fix-CVE-2015-8370-Grub2-user-pass > -vulnerability.patch b/src/patches/0001-Fix-CVE-2015-8370-Grub2-user > -pass-vulnerability.patch > new file mode 100644 > index 0000000..2eef1ae > --- /dev/null > +++ b/src/patches/0001-Fix-CVE-2015-8370-Grub2-user-pass > -vulnerability.patch > @@ -0,0 +1,45 @@ > +From 88c9657960a6c5d3673a25c266781e876c181add Mon Sep 17 00:00:00 > 2001 > +From: Hector Marco-Gisbert <hecmargi@upv.es> > +Date: Fri, 13 Nov 2015 16:21:09 +0100 > +Subject: [PATCH] Fix security issue when reading username and > password > + > + This patch fixes two integer underflows at: > + * grub-core/lib/crypto.c > + * grub-core/normal/auth.c > + > +Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es> > +Signed-off-by: Ismael Ripoll-Ripoll <iripoll@disca.upv.es> > +--- > + grub-core/lib/crypto.c | 2 +- > + grub-core/normal/auth.c | 2 +- > + 2 files changed, 2 insertions(+), 2 deletions(-) > + > +diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c > +index 010e550..524a3d8 100644 > +--- a/grub-core/lib/crypto.c > ++++ b/grub-core/lib/crypto.c > +@@ -456,7 +456,7 @@ grub_password_get (char buf[], unsigned > buf_size) > + break; > + } > + > +- if (key == '\b') > ++ if (key == '\b' && cur_len) > + { > + cur_len--; > + continue; > +diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c > +index c6bd96e..5782ec5 100644 > +--- a/grub-core/normal/auth.c > ++++ b/grub-core/normal/auth.c > +@@ -172,7 +172,7 @@ grub_username_get (char buf[], unsigned > buf_size) > + break; > + } > + > +- if (key == '\b') > ++ if (key == '\b' && cur_len) > + { > + cur_len--; > + grub_printf ("\b"); > +-- > +1.9.1 > +