Re: [PATCH] grub 2.00: Bugfix for CVE-2015-8370

public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed

From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] grub 2.00: Bugfix for CVE-2015-8370
Date: Fri, 18 Dec 2015 23:43:18 +0000	[thread overview]
Message-ID: <1450482198.31655.212.camel@ipfire.org> (raw)
In-Reply-To: <1450470532-21728-1-git-send-email-matthias.fischer@ipfire.org>

[-- Attachment #1: Type: text/plain, Size: 3966 bytes --]

We are usually not using this code, but of course we will patch this.

Thank you for having an eye on these things.

Best,
-Michael

On Fri, 2015-12-18 at 21:28 +0100, Matthias Fischer wrote:
> See: 
> http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html
> 
> "A vulnerability in Grub2 has been found. Versions from 1.98
> (December, 2009)
> to 2.02 (December, 2015) are affected. The vulnerability can be
> exploited
> under certain circumstances, allowing local attackers to bypass any
> kind of
> authentication (plain or hashed passwords). And so, the attacker may
> take
> control of the computer."
> 
> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
> ---
>  lfs/grub                                           |  3 +-
>  ...E-2015-8370-Grub2-user-pass-vulnerability.patch | 45
> ++++++++++++++++++++++
>  2 files changed, 47 insertions(+), 1 deletion(-)
>  create mode 100644 src/patches/0001-Fix-CVE-2015-8370-Grub2-user
> -pass-vulnerability.patch
> 
> diff --git a/lfs/grub b/lfs/grub
> index bcbcbd0..3e613a8 100644
> --- a/lfs/grub
> +++ b/lfs/grub
> @@ -1,7 +1,7 @@
>  ####################################################################
> ###########
>  #                                                                   
>           #
>  # IPFire.org - A linux based firewall                               
>           #
> -# Copyright (C) 2007-2014  IPFire Team  <info(a)ipfire.org>           
>           #
> +# Copyright (C) 2007-2015  IPFire Team  <info(a)ipfire.org>           
>           #
>  #                                                                   
>           #
>  # This program is free software: you can redistribute it and/or
> modify        #
>  # it under the terms of the GNU General Public License as published
> by        #
> @@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  	@$(PREBUILD)
>  	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf
> $(DIR_DL)/$(DL_FILE)
>  	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub
> -2.00_disable_vga_fallback.patch
> +	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/0001
> -Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch
>  	cd $(DIR_APP) && \
>  		./configure \
>  			--prefix=/usr \
> diff --git a/src/patches/0001-Fix-CVE-2015-8370-Grub2-user-pass
> -vulnerability.patch b/src/patches/0001-Fix-CVE-2015-8370-Grub2-user
> -pass-vulnerability.patch
> new file mode 100644
> index 0000000..2eef1ae
> --- /dev/null
> +++ b/src/patches/0001-Fix-CVE-2015-8370-Grub2-user-pass
> -vulnerability.patch
> @@ -0,0 +1,45 @@
> +From 88c9657960a6c5d3673a25c266781e876c181add Mon Sep 17 00:00:00
> 2001
> +From: Hector Marco-Gisbert <hecmargi(a)upv.es>
> +Date: Fri, 13 Nov 2015 16:21:09 +0100
> +Subject: [PATCH] Fix security issue when reading username and
> password
> +
> +  This patch fixes two integer underflows at:
> +    * grub-core/lib/crypto.c
> +    * grub-core/normal/auth.c
> +
> +Signed-off-by: Hector Marco-Gisbert <hecmargi(a)upv.es>
> +Signed-off-by: Ismael Ripoll-Ripoll <iripoll(a)disca.upv.es>
> +---
> + grub-core/lib/crypto.c  | 2 +-
> + grub-core/normal/auth.c | 2 +-
> + 2 files changed, 2 insertions(+), 2 deletions(-)
> +
> +diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c
> +index 010e550..524a3d8 100644
> +--- a/grub-core/lib/crypto.c
> ++++ b/grub-core/lib/crypto.c
> +@@ -456,7 +456,7 @@ grub_password_get (char buf[], unsigned
> buf_size)
> + 	  break;
> + 	}
> + 
> +-      if (key == '\b')
> ++      if (key == '\b' && cur_len)
> + 	{
> + 	  cur_len--;
> + 	  continue;
> +diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c
> +index c6bd96e..5782ec5 100644
> +--- a/grub-core/normal/auth.c
> ++++ b/grub-core/normal/auth.c
> +@@ -172,7 +172,7 @@ grub_username_get (char buf[], unsigned
> buf_size)
> + 	  break;
> + 	}
> + 
> +-      if (key == '\b')
> ++      if (key == '\b' && cur_len)
> + 	{
> + 	  cur_len--;
> + 	  grub_printf ("\b");
> +-- 
> +1.9.1
> +

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

     prev parent reply	other threads:[~2015-12-18 23:43 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-12-18 20:28 Matthias Fischer
2015-12-18 23:43 ` Michael Tremer [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1450482198.31655.212.camel@ipfire.org \
    --to=michael.tremer@ipfire.org \
    --cc=development@lists.ipfire.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox