From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH] grub 2.00: Bugfix for CVE-2015-8370 Date: Fri, 18 Dec 2015 23:43:18 +0000 Message-ID: <1450482198.31655.212.camel@ipfire.org> In-Reply-To: <1450470532-21728-1-git-send-email-matthias.fischer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4204832839821514262==" List-Id: --===============4204832839821514262== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit We are usually not using this code, but of course we will patch this. Thank you for having an eye on these things. Best, -Michael On Fri, 2015-12-18 at 21:28 +0100, Matthias Fischer wrote: > See: > http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html > > "A vulnerability in Grub2 has been found. Versions from 1.98 > (December, 2009) > to 2.02 (December, 2015) are affected. The vulnerability can be > exploited > under certain circumstances, allowing local attackers to bypass any > kind of > authentication (plain or hashed passwords). And so, the attacker may > take > control of the computer." > > Signed-off-by: Matthias Fischer > --- > lfs/grub | 3 +- > ...E-2015-8370-Grub2-user-pass-vulnerability.patch | 45 > ++++++++++++++++++++++ > 2 files changed, 47 insertions(+), 1 deletion(-) > create mode 100644 src/patches/0001-Fix-CVE-2015-8370-Grub2-user > -pass-vulnerability.patch > > diff --git a/lfs/grub b/lfs/grub > index bcbcbd0..3e613a8 100644 > --- a/lfs/grub > +++ b/lfs/grub > @@ -1,7 +1,7 @@ > #################################################################### > ########### > # > # > # IPFire.org - A linux based firewall > # > -# Copyright (C) 2007-2014 IPFire Team > # > +# Copyright (C) 2007-2015 IPFire Team > # > # > # > # This program is free software: you can redistribute it and/or > modify # > # it under the terms of the GNU General Public License as published > by # 
> @@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > @$(PREBUILD) > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf > $(DIR_DL)/$(DL_FILE) > cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub > -2.00_disable_vga_fallback.patch > + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/0001 > -Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch > cd $(DIR_APP) && \ > ./configure \ > --prefix=/usr \ > diff --git a/src/patches/0001-Fix-CVE-2015-8370-Grub2-user-pass > -vulnerability.patch b/src/patches/0001-Fix-CVE-2015-8370-Grub2-user > -pass-vulnerability.patch > new file mode 100644 > index 0000000..2eef1ae > --- /dev/null > +++ b/src/patches/0001-Fix-CVE-2015-8370-Grub2-user-pass > -vulnerability.patch 
> @@ -0,0 +1,45 @@ > +From 88c9657960a6c5d3673a25c266781e876c181add Mon Sep 17 00:00:00 > 2001 > +From: Hector Marco-Gisbert > +Date: Fri, 13 Nov 2015 16:21:09 +0100 > +Subject: [PATCH] Fix security issue when reading username and > password > + > + This patch fixes two integer underflows at: > + * grub-core/lib/crypto.c > + * grub-core/normal/auth.c > + > +Signed-off-by: Hector Marco-Gisbert > +Signed-off-by: Ismael Ripoll-Ripoll > +--- > + grub-core/lib/crypto.c | 2 +- > + grub-core/normal/auth.c | 2 +- > + 2 files changed, 2 insertions(+), 2 deletions(-) > + > +diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c > +index 010e550..524a3d8 100644 > +--- a/grub-core/lib/crypto.c > ++++ b/grub-core/lib/crypto.c > +@@ -456,7 +456,7 @@ grub_password_get (char buf[], unsigned > buf_size) > + break; > + } > + > +- if (key == '\b') > ++ if (key == '\b' && cur_len) > + { > + cur_len--; > + continue; > +diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c > +index c6bd96e..5782ec5 100644 > +--- a/grub-core/normal/auth.c > ++++ b/grub-core/normal/auth.c > +@@ -172,7 +172,7 @@ grub_username_get (char buf[], unsigned > buf_size) > + break; > + } > + > +- if (key == '\b') > ++ if (key == '\b' && cur_len) > + { > + cur_len--; > + grub_printf ("\b"); > +-- > +1.9.1 > + --===============4204832839821514262==--
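
Review bot: In the lfs/grub hunk at @@ -78,6 +78,7, the new patch file keeps its git format-patch name (0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch), while the patch applied on the line above it follows a package-prefixed naming scheme (grub-2.00_disable_vga_fallback.patch). Consider renaming the new file with the same grub-2.00_ prefix so the grub patches in src/patches sort together and the grub version the fix applies to is visible from the file name; the 0001- sequence number carries no meaning outside the original patch series.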
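
Review bot: In the embedded patch, both grub_password_get (grub-core/lib/crypto.c, @@ -456,7) and grub_username_get (grub-core/normal/auth.c, @@ -172,7) fold the length check into the key test as "key == '\b' && cur_len", so a backspace on an empty buffer no longer enters the block at all. It therefore skips the "continue" visible in the crypto.c hunk and falls through to code these hunks do not show. Please confirm that the code after the block discards '\b' instead of storing it in buf, or keep "if (key == '\b')" as the outer test and guard only "cur_len--" (and, in auth.c, the grub_printf ("\b")) with "if (cur_len)", so that the backspace is always consumed regardless of buffer length.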