We are usually not using this code, but of course we will patch this. Thank you for having an eye on these things. Best, -Michael On Fri, 2015-12-18 at 21:28 +0100, Matthias Fischer wrote: > See: > http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html > > "A vulnerability in Grub2 has been found. Versions from 1.98 > (December, 2009) > to 2.02 (December, 2015) are affected. The vulnerability can be > exploited > under certain circumstances, allowing local attackers to bypass any > kind of > authentication (plain or hashed passwords). And so, the attacker may > take > control of the computer." > > Signed-off-by: Matthias Fischer > --- > lfs/grub | 3 +- > ...E-2015-8370-Grub2-user-pass-vulnerability.patch | 45 > ++++++++++++++++++++++ > 2 files changed, 47 insertions(+), 1 deletion(-) > create mode 100644 src/patches/0001-Fix-CVE-2015-8370-Grub2-user > -pass-vulnerability.patch > > diff --git a/lfs/grub b/lfs/grub > index bcbcbd0..3e613a8 100644 > --- a/lfs/grub > +++ b/lfs/grub > @@ -1,7 +1,7 @@ > #################################################################### > ########### > # > # > # IPFire.org - A linux based firewall > # > -# Copyright (C) 2007-2014 IPFire Team > # > +# Copyright (C) 2007-2015 IPFire Team > # > # > # > # This program is free software: you can redistribute it and/or > modify # > # it under the terms of the GNU General Public License as published > by # > @@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > @$(PREBUILD) > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf > $(DIR_DL)/$(DL_FILE) > cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub > -2.00_disable_vga_fallback.patch > + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/0001 > -Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch > cd $(DIR_APP) && \ > ./configure \ > --prefix=/usr \ 
> diff --git a/src/patches/0001-Fix-CVE-2015-8370-Grub2-user-pass > -vulnerability.patch b/src/patches/0001-Fix-CVE-2015-8370-Grub2-user > -pass-vulnerability.patch > new file mode 100644 > index 0000000..2eef1ae > --- /dev/null > +++ b/src/patches/0001-Fix-CVE-2015-8370-Grub2-user-pass > -vulnerability.patch > @@ -0,0 +1,45 @@ > +From 88c9657960a6c5d3673a25c266781e876c181add Mon Sep 17 00:00:00 > 2001 > +From: Hector Marco-Gisbert > +Date: Fri, 13 Nov 2015 16:21:09 +0100 > +Subject: [PATCH] Fix security issue when reading username and > password > + > + This patch fixes two integer underflows at: > + * grub-core/lib/crypto.c > + * grub-core/normal/auth.c > + > +Signed-off-by: Hector Marco-Gisbert > +Signed-off-by: Ismael Ripoll-Ripoll > +--- > + grub-core/lib/crypto.c | 2 +- > + grub-core/normal/auth.c | 2 +- > + 2 files changed, 2 insertions(+), 2 deletions(-) > + > +diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c > +index 010e550..524a3d8 100644 > +--- a/grub-core/lib/crypto.c > ++++ b/grub-core/lib/crypto.c > +@@ -456,7 +456,7 @@ grub_password_get (char buf[], unsigned > buf_size) > + break; > + } > + > +- if (key == '\b') > ++ if (key == '\b' && cur_len) > + { > + cur_len--; > + continue; > +diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c > +index c6bd96e..5782ec5 100644 > +--- a/grub-core/normal/auth.c > ++++ b/grub-core/normal/auth.c > +@@ -172,7 +172,7 @@ grub_username_get (char buf[], unsigned > buf_size) > + break; > + } > + > +- if (key == '\b') > ++ if (key == '\b' && cur_len) > + { > + cur_len--; > + grub_printf ("\b"); > +-- > +1.9.1 > +
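Review bot: In the lfs/grub hunk at line 78, the added patch keeps its git format-patch file name (0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch), while the patch applied on the line above it is named after the package and version (grub-2.00_disable_vga_fallback.patch). Renaming the new file along the same lines, for example with a grub-2.00 prefix, would keep src/patches consistent and show at a glance which package and version the fix belongs to.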
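Review bot: In both embedded hunks (grub_password_get in grub-core/lib/crypto.c and grub_username_get in grub-core/normal/auth.c), putting the length test into the condition, if (key == '\b' && cur_len), means a backspace pressed on an empty buffer no longer enters the block. It therefore skips the continue shown in the crypto.c hunk and falls through to the code after the block, which is outside the visible context. If that code stores the key, a '\b' byte would end up in the username or password. Keeping the outer test as if (key == '\b') and guarding only the decrement (and, in auth.c, the grub_printf ("\b") echo) with if (cur_len) would stop the underflow while still consuming the key.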