Subject: bug#47185: grub2 package is vulnerable to CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233 and CVE-2021-3418
From: Léo Le Bouter via Bug reports for GNU Guix
Reply-to: Léo Le Bouter
To: 47185@debbugs.gnu.org
Date: Tue, 16 Mar 2021 09:08:31 +0100
List-Id: Bug reports for GNU Guix

As outlined by
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass2021
we have a new wave of GRUB security vulnerabilities around SecureBoot.

There is no new upstream release so patching this appears to be some
kind of sport.

Debian has patched it in this commit:
https://salsa.debian.org/grub-team/grub/-/commit/37c2a594625efba8b7f10d18a444393982d2e31f

I see also there's a new concept of SBAT section to ease administrative
efforts around certificate revocation when signed binaries such as some
GRUB2 things become vulnerable (and we don't want them to verify
successfully anymore).

This looks like a sizeable upgrade to a sensitive part of GNU Guix, so
we have to test carefully.