From: Leo Famulari
Subject: [PATCH 0/1] grub security update (CVE-2015-8370)
Date: Sat, 19 Dec 2015 23:56:35 -0500
To: guix-devel@gnu.org

This patch for Grub2 fixes CVE-2015-8370 [0][1]. The source of the patch is [0].

One thing to note is that there doesn't seem to be any response from upstream, yet. However, at least some distros are applying the patch [2][3].

AFAIK, GuixSD doesn't support authenticated Grub yet, so this vulnerability doesn't manifest itself. Because of this, I did not test if the patch fixes the bug. I did test that Grub works as expected with the patch applied. If I'm wrong, and it's possible to set up authenticated Grub on GuixSD, I can test that, too.

I tested this patch on bare-metal i686, like this:

0) Installed GuixSD on i686 laptop.
1) Cloned Guix source tree and built Guix.
2) Applied this patch, and built Grub as a sanity check.
   `./pre-inst-env guix build grub`
3) Reconfigured the system against the source tree.
   `./pre-inst-env guix system reconfigure config.scm`
4) Successfully rebooted several times into different generations of the system.

[0] http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html
[1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8370
[2] Select "Fedora 23" from the "RELEASE" menu: https://apps.fedoraproject.org/packages/grub2/sources/spec/
[3] See "changelog": https://packages.qa.debian.org/g/grub2.html

Leo Famulari (1):
  gnu: grub: Add fix for CVE-2015-8730.

 gnu/packages/grub.scm                         |  4 ++-
 gnu/packages/patches/grub-CVE-2015-8370.patch | 45 +++++++++++++++++++++++++++
 2 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/grub-CVE-2015-8370.patch

-- 
2.6.2