* bug#47185: grub2 package is vulnerable to CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233 and CVE-2021-3418
@ 2021-03-16 8:08 Léo Le Bouter via Bug reports for GNU Guix
2021-03-16 8:16 ` Léo Le Bouter via Bug reports for GNU Guix
2021-03-16 8:36 ` Léo Le Bouter via Bug reports for GNU Guix
0 siblings, 2 replies; 6+ messages in thread
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-16 8:08 UTC (permalink / raw)
To: 47185
[-- Attachment #1: Type: text/plain, Size: 728 bytes --]
As outlined by
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass2021
we have a new wave of GRUB security vulnerabilities around SecureBoot.
There is no new upstream release so patching this appears to be some
kind of sport.
Debian has patched it in this commit:
https://salsa.debian.org/grub-team/grub/-/commit/37c2a594625efba8b7f10d18a444393982d2e31f
I see also there's a new concept of SBAT section to ease administrative
efforts around certificate revocation when signed binaries such as some
GRUB2 things become vulnerable (and we don't want them to verify
successfully anymore).
This looks like a sizeable upgrade to a sensitive part of GNU Guix, so
we have to test carefully.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* bug#47185: grub2 package is vulnerable to CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233 and CVE-2021-3418
2021-03-16 8:08 bug#47185: grub2 package is vulnerable to CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233 and CVE-2021-3418 Léo Le Bouter via Bug reports for GNU Guix
@ 2021-03-16 8:16 ` Léo Le Bouter via Bug reports for GNU Guix
2021-03-16 8:36 ` Léo Le Bouter via Bug reports for GNU Guix
1 sibling, 0 replies; 6+ messages in thread
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-16 8:16 UTC (permalink / raw)
To: 47185
[-- Attachment #1: Type: text/plain, Size: 300 bytes --]
On Tue, 2021-03-16 at 09:08 +0100, Léo Le Bouter via Bug reports for
GNU Guix wrote:
> There is no new upstream release so patching this appears to be some
> kind of sport.
There seems to be a release candidate available:
https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00219.html
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* bug#47185: grub2 package is vulnerable to CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233 and CVE-2021-3418
2021-03-16 8:08 bug#47185: grub2 package is vulnerable to CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233 and CVE-2021-3418 Léo Le Bouter via Bug reports for GNU Guix
2021-03-16 8:16 ` Léo Le Bouter via Bug reports for GNU Guix
@ 2021-03-16 8:36 ` Léo Le Bouter via Bug reports for GNU Guix
2021-03-16 23:47 ` Mark H Weaver
1 sibling, 1 reply; 6+ messages in thread
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-16 8:36 UTC (permalink / raw)
To: 47185
[-- Attachment #1: Type: text/plain, Size: 168 bytes --]
NOTE: SecureBoot on GNU Guix is not something common at all, so the
urgency to fix this issue is not as great as if we explicitly
advertised support for SecureBoot.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* bug#47185: grub2 package is vulnerable to CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233 and CVE-2021-3418
2021-03-16 8:36 ` Léo Le Bouter via Bug reports for GNU Guix
@ 2021-03-16 23:47 ` Mark H Weaver
2021-03-17 2:15 ` Leo Famulari
0 siblings, 1 reply; 6+ messages in thread
From: Mark H Weaver @ 2021-03-16 23:47 UTC (permalink / raw)
To: Léo Le Bouter, 47185
Hi Léo,
Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> writes:
> NOTE: SecureBoot on GNU Guix is not something common at all, so the
> urgency to fix this issue is not as great as if we explicitly
> advertised support for SecureBoot.
I would go further and question whether *anyone* is using SecureBoot
with a Guix system, and moreover whether its feasible to do without
non-trivial development work.
> This looks like a sizeable upgrade to a sensitive part of GNU Guix, so
> we have to test carefully.
Indeed. I would like to underline this point: GRUB is the only part of
a Guix system that cannot be easily rolled back if it breaks. If we
make changes to GRUB that causes breakage for some minority of users,
those users could end up with an unbootable system, requiring the use of
a rescue disk to repair.
Therefore, we should be *very* careful about updating our GRUB package,
especially for the sake of bugs that almost certainly do not affect Guix
users.
I think we should refrain from updating GRUB until there's an official
upstream stable release. Even then, I would advise making an effort to
test it on Guix systems, using several different system configurations,
before pushing it to 'master'.
What do you think?
Regards,
Mark
^ permalink raw reply [flat|nested] 6+ messages in thread* bug#47185: grub2 package is vulnerable to CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233 and CVE-2021-3418
2021-03-16 23:47 ` Mark H Weaver
@ 2021-03-17 2:15 ` Leo Famulari
0 siblings, 0 replies; 6+ messages in thread
From: Leo Famulari @ 2021-03-17 2:15 UTC (permalink / raw)
To: Mark H Weaver; +Cc: 47185
On Tue, Mar 16, 2021 at 07:47:43PM -0400, Mark H Weaver wrote:
> I think we should refrain from updating GRUB until there's an official
> upstream stable release. Even then, I would advise making an effort to
> test it on Guix systems, using several different system configurations,
> before pushing it to 'master'.
>
> What do you think?
I agree with Mark that we should tread carefully. Also, I am always
available to test GRUB changes. I have a computer dedicated to testing
changes with Guix System.
^ permalink raw reply [flat|nested] 6+ messages in thread
[parent not found: <35e9d8fb5e5caacb8abac2ead7742d7ccd9ee737.camel@zaclys.net>]
* bug#47185: grub2 package is vulnerable to CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233 and CVE-2021-3418
[not found] <35e9d8fb5e5caacb8abac2ead7742d7ccd9ee737.camel@zaclys.net>
@ 2022-03-23 3:32 ` Maxim Cournoyer
0 siblings, 0 replies; 6+ messages in thread
From: Maxim Cournoyer @ 2022-03-23 3:32 UTC (permalink / raw)
To: Léo Le Bouter; +Cc: 47185-done
Hello,
I'm closing this, since we're now using GRUB 2.06, released in June of
last year.
Thank you,
Maxim
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2022-03-23 3:33 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-16 8:08 bug#47185: grub2 package is vulnerable to CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233 and CVE-2021-3418 Léo Le Bouter via Bug reports for GNU Guix
2021-03-16 8:16 ` Léo Le Bouter via Bug reports for GNU Guix
2021-03-16 8:36 ` Léo Le Bouter via Bug reports for GNU Guix
2021-03-16 23:47 ` Mark H Weaver
2021-03-17 2:15 ` Leo Famulari
[not found] <35e9d8fb5e5caacb8abac2ead7742d7ccd9ee737.camel@zaclys.net>
2022-03-23 3:32 ` Maxim Cournoyer
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).