all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* [PATCH 0/1] grub security update (CVE-2015-8370)
@ 2015-12-20  4:56 Leo Famulari
  2015-12-20  4:56 ` [PATCH 1/1] gnu: grub: Add fix for CVE-2015-8730 Leo Famulari
  2015-12-20 22:19 ` [PATCH 0/1] grub security update (CVE-2015-8370) Ludovic Courtès
  0 siblings, 2 replies; 6+ messages in thread
From: Leo Famulari @ 2015-12-20  4:56 UTC (permalink / raw)
  To: guix-devel

This patch for Grub2 fixes CVE-2015-8370 [0][1]. The source of the patch
is [0].

One thing to note is that there doesn't seem to be any response from
upstream, yet. However, at least some distros are applying the patch
[2][3].

AFAIK, GuixSD doesn't support authenticated Grub yet, so this
vulnerability doesn't manifest itself. Because of this, I did not test
if the patch fixes the bug. I did test that Grub works as expected with
the patch applied.

If I'm wrong, and it's possible to set up authenticated Grub on GuixSD,
I can test that, too.

I tested this patch on bare-metal i686, like this:

0) Installed GuixSD on i686 laptop.
1) Cloned Guix source tree and built Guix.
2) Applied this patch, and built Grub as a sanity check.
`./pre-inst-env guix build grub`
3) Reconfigured the system against the source tree.
`./pre-inst-env guix system reconfigure config.scm`
4) Successfully rebooted several times into different generations of the 
system.

[0]
http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html

[1]
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8370

[2] Select "Fedora 23" from the "RELEASE" menu:
https://apps.fedoraproject.org/packages/grub2/sources/spec/

[3] See "changelog":
https://packages.qa.debian.org/g/grub2.html

Leo Famulari (1):
  gnu: grub: Add fix for CVE-2015-8730.

 gnu/packages/grub.scm                         |  4 ++-
 gnu/packages/patches/grub-CVE-2015-8370.patch | 45 +++++++++++++++++++++++++++
 2 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/grub-CVE-2015-8370.patch

-- 
2.6.2

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2015-12-21 17:39 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-12-20  4:56 [PATCH 0/1] grub security update (CVE-2015-8370) Leo Famulari
2015-12-20  4:56 ` [PATCH 1/1] gnu: grub: Add fix for CVE-2015-8730 Leo Famulari
2015-12-20 22:19 ` [PATCH 0/1] grub security update (CVE-2015-8370) Ludovic Courtès
2015-12-21  3:50   ` Leo Famulari
2015-12-21 10:39     ` Ludovic Courtès
2015-12-21 17:39       ` Leo Famulari

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.