guix-devel

[PATCH 0/1] grub security update (CVE-2015-8370)


From: Leo Famulari
Subject: [PATCH 0/1] grub security update (CVE-2015-8370)
Date: Sat, 19 Dec 2015 23:56:35 -0500

This patch for Grub2 fixes CVE-2015-8370 [0][1]. The source of the patch
is [0].

One thing to note is that there doesn't seem to be any response from
upstream yet. However, at least some distros are applying the patch
[2][3].

AFAIK, GuixSD doesn't support authenticated Grub yet, so this
vulnerability doesn't manifest itself. Because of this, I did not test
if the patch fixes the bug. I did test that Grub works as expected with
the patch applied.

If I'm wrong, and it's possible to set up authenticated Grub on GuixSD,
I can test that, too.

I tested this patch on bare-metal i686, like this:

0) Installed GuixSD on i686 laptop.
1) Cloned Guix source tree and built Guix.
2) Applied this patch, and built Grub as a sanity check.
`./pre-inst-env guix build grub`
3) Reconfigured the system against the source tree.
`./pre-inst-env guix system reconfigure config.scm`
4) Successfully rebooted several times into different generations of the 
system.

[0]
http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html

[1]
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8370

[2] Select "Fedora 23" from the "RELEASE" menu:
https://apps.fedoraproject.org/packages/grub2/sources/spec/

[3] See "changelog":
https://packages.qa.debian.org/g/grub2.html

Leo Famulari (1):
  gnu: grub: Add fix for CVE-2015-8730.

 gnu/packages/grub.scm                         |  4 ++-
 gnu/packages/patches/grub-CVE-2015-8370.patch | 45 +++++++++++++++++++++++++++
 2 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/grub-CVE-2015-8370.patch

-- 
2.6.2



