See: http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html
"A vulnerability in Grub2 has been found. Versions from 1.98 (December, 2009) to 2.02 (December, 2015) are affected. The vulnerability can be exploited under certain circumstances, allowing local attackers to bypass any kind of authentication (plain or hashed passwords). And so, the attacker may take control of the computer."
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org --- lfs/grub | 3 +- ...E-2015-8370-Grub2-user-pass-vulnerability.patch | 45 ++++++++++++++++++++++ 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 src/patches/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch
diff --git a/lfs/grub b/lfs/grub index bcbcbd0..3e613a8 100644 --- a/lfs/grub +++ b/lfs/grub @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2014 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2015 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub-2.00_disable_vga_fallback.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch cd $(DIR_APP) && \ ./configure \ --prefix=/usr \ diff --git a/src/patches/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch b/src/patches/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch new file mode 100644 index 0000000..2eef1ae --- /dev/null +++ b/src/patches/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch @@ -0,0 +1,45 @@ +From 88c9657960a6c5d3673a25c266781e876c181add Mon Sep 17 00:00:00 2001 +From: Hector Marco-Gisbert hecmargi@upv.es +Date: Fri, 13 Nov 2015 16:21:09 +0100 +Subject: [PATCH] Fix security issue when reading username and password + + This patch fixes two integer underflows at: + * grub-core/lib/crypto.c + * grub-core/normal/auth.c + +Signed-off-by: Hector Marco-Gisbert hecmargi@upv.es +Signed-off-by: Ismael Ripoll-Ripoll iripoll@disca.upv.es +--- + grub-core/lib/crypto.c | 2 +- + grub-core/normal/auth.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c +index 010e550..524a3d8 100644 +--- a/grub-core/lib/crypto.c ++++ b/grub-core/lib/crypto.c +@@ -456,7 +456,7 @@ grub_password_get (char buf[], unsigned buf_size) + break; + } + +- if (key == '\b') ++ if (key == '\b' && cur_len) + { + cur_len--; + continue; +diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c +index c6bd96e..5782ec5 100644 +--- a/grub-core/normal/auth.c ++++ b/grub-core/normal/auth.c +@@ -172,7 +172,7 @@ grub_username_get (char buf[], unsigned buf_size) + break; + } + +- if (key == '\b') ++ if (key == '\b' && cur_len) + { + cur_len--; + grub_printf ("\b"); +-- +1.9.1 +
We are usually not using this code, but of course we will patch this.
Thank you for having an eye on these things.
Best, -Michael
On Fri, 2015-12-18 at 21:28 +0100, Matthias Fischer wrote:
See: http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html
"A vulnerability in Grub2 has been found. Versions from 1.98 (December, 2009) to 2.02 (December, 2015) are affected. The vulnerability can be exploited under certain circumstances, allowing local attackers to bypass any kind of authentication (plain or hashed passwords). And so, the attacker may take control of the computer."
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
lfs/grub | 3 +- ...E-2015-8370-Grub2-user-pass-vulnerability.patch | 45 ++++++++++++++++++++++ 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 src/patches/0001-Fix-CVE-2015-8370-Grub2-user -pass-vulnerability.patch
diff --git a/lfs/grub b/lfs/grub index bcbcbd0..3e613a8 100644 --- a/lfs/grub +++ b/lfs/grub @@ -1,7 +1,7 @@ #################################################################### ########### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2014 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2015 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub -2.00_disable_vga_fallback.patch
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/0001
-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch cd $(DIR_APP) && \ ./configure \ --prefix=/usr \ diff --git a/src/patches/0001-Fix-CVE-2015-8370-Grub2-user-pass -vulnerability.patch b/src/patches/0001-Fix-CVE-2015-8370-Grub2-user -pass-vulnerability.patch new file mode 100644 index 0000000..2eef1ae --- /dev/null +++ b/src/patches/0001-Fix-CVE-2015-8370-Grub2-user-pass -vulnerability.patch @@ -0,0 +1,45 @@ +From 88c9657960a6c5d3673a25c266781e876c181add Mon Sep 17 00:00:00 2001 +From: Hector Marco-Gisbert hecmargi@upv.es +Date: Fri, 13 Nov 2015 16:21:09 +0100 +Subject: [PATCH] Fix security issue when reading username and password
- This patch fixes two integer underflows at:
- grub-core/lib/crypto.c
- grub-core/normal/auth.c
+Signed-off-by: Hector Marco-Gisbert hecmargi@upv.es +Signed-off-by: Ismael Ripoll-Ripoll iripoll@disca.upv.es +---
- grub-core/lib/crypto.c | 2 +-
- grub-core/normal/auth.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
+diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c +index 010e550..524a3d8 100644 +--- a/grub-core/lib/crypto.c ++++ b/grub-core/lib/crypto.c +@@ -456,7 +456,7 @@ grub_password_get (char buf[], unsigned buf_size)
break;
- }
+- if (key == '\b') ++ if (key == '\b' && cur_len)
- {
cur_len--;
continue;
+diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c +index c6bd96e..5782ec5 100644 +--- a/grub-core/normal/auth.c ++++ b/grub-core/normal/auth.c +@@ -172,7 +172,7 @@ grub_username_get (char buf[], unsigned buf_size)
break;
- }
+- if (key == '\b') ++ if (key == '\b' && cur_len)
- {
cur_len--;
grub_printf ("\b");
+-- +1.9.1