From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: [PATCH 0/1] grub security update (CVE-2015-8370)
Date: Sun, 20 Dec 2015 23:19:44 +0100
Message-ID: <87r3igsqyn.fsf@gnu.org>
To: Leo Famulari
Cc: guix-devel@gnu.org

Leo Famulari wrote:

> This patch for Grub2 fixes CVE-2015-8370 [0][1]. The source of the patch
> is [0].
>
> One thing to note is that there doesn't seem to be any response from
> upstream, yet. However, at least some distros are applying the patch
> [2][3].
>
> AFAIK, GuixSD doesn't support authenticated Grub yet, so this
> vulnerability doesn't manifest itself.

Right, but still worth fixing. And perhaps someone will get the idea of
adding authentication in our GRUB support code? :-)

> I tested this patch on bare-metal i686, like this:

Thanks for testing and explaining how you tested it.

Leo Famulari wrote:

> * gnu/packages/patches/grub-CVE-2015-8370.patch: New file.
> * gnu/packages/grub.scm: Apply patch.
> ---
>  gnu/packages/grub.scm                         |  4 ++-
>  gnu/packages/patches/grub-CVE-2015-8370.patch | 45 +++++++++++++++++++++++++++
>  2 files changed, 48 insertions(+), 1 deletion(-)

Please make sure to add the patch to gnu-system.am.

OK to push with this change.

Thank you!

Ludo’.