Fedora has issued an advisory on December 13:
https://lists.fedoraproject.org/pipermail/package-announce/2015-December/173703.html
########################################

Update Advisory

grub2-2.02-0.git9752.18.3.mga5 has been pushed to 5/core/updates_testing

This is patched using the Fedora patch, which makes two very small code changes.

########################################

Description

This is a security update to correct a vulnerability discovered when using the grub2 password.

References:
CVE-2015-8370 (buffer overflow when checking password)
https://bugs.mageia.org/show_bug.cgi?id=17334

########################################

Files affected

grub2-2.02-0.git9752.18.3.mga5.src.rpm

grub2-2.02-0.git9752.18.3.mga5.i586.rpm
grub2-efi-2.02-0.git9752.18.3.mga5.i586.rpm
grub2-mageia-theme-2.02-0.git9752.18.3.mga5.noarch.rpm
grub2-debuginfo-2.02-0.git9752.18.3.mga5.i586.rpm

grub2-2.02-0.git9752.18.3.mga5.x86_64.rpm
grub2-efi-2.02-0.git9752.18.3.mga5.x86_64.rpm
grub2-mageia-theme-2.02-0.git9752.18.3.mga5.noarch.rpm
grub2-debuginfo-2.02-0.git9752.18.3.mga5.x86_64.rpm

#######################################

Testing:

I would suggest that minimal regression testing of password use is all that is needed.
Hardware: i586 => All
CVE: (none) => CVE-2015-8370
Assignee: zen25000 => qa-bugs
Thanks! Barry, is the patch for this already in Cauldron?
CC: (none) => zen25000
(In reply to David Walser from comment #2)
> Thanks! Barry, is the patch for this already in Cauldron?

No but it will be soon, along with another related, but AFAICT non-essential one that won't apply in Mga5.

There have been lots of changes to grub2 in Cauldron since Mga5, so I have only added the CVE patch there as I don't want to risk causing more issues.

I have just installed the Cauldron update locally and I don't see any regressions, however I have never used passwords in grub2 and I would be surprised if this actually affects anyone as it's not a simple job to set up.

See: https://help.ubuntu.com/community/Grub2/Passwords
More info: http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html
Ouch - there are some devious people about :\ So the POC is in the first paragraph.
Advisory:
========================

Updated grub2 packages fix security vulnerability:

A flaw was found in the way grub2 handled backspace characters entered in username and password prompts. An attacker with access to the system console could use this flaw to bypass grub2 password protection and gain administrative access to the system (CVE-2015-8370).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8370
http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html
https://rhn.redhat.com/errata/RHSA-2015-2623.html
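The bug class behind this advisory, as an added example (a simplified model, not GRUB's source or the Fedora patch): a backspace handler that decrements an unsigned buffer index without a lower-bound check, beside a checked form. All function names are hypothetical and the key sequences are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model of a prompt line reader, not GRUB source; names are hypothetical. */

/* Unchecked form: every backspace decrements the unsigned index, so on an
   empty line it wraps. Only the index is tracked; nothing is written. */
unsigned cursor_unchecked(const char *keys, size_t n)
{
    unsigned cur_len = 0;
    for (size_t i = 0; i < n; i++) {
        if (keys[i] == '\n' || keys[i] == '\r')
            break;
        if (keys[i] == '\b') {
            cur_len--;                 /* no lower-bound check */
            continue;
        }
        cur_len++;
    }
    return cur_len;
}

/* Hardened form: backspace is ignored at index 0, input is capped at
   buf_size - 1, and the unused tail is zeroed from a valid index. */
unsigned read_line_checked(const char *keys, size_t n,
                           char *buf, unsigned buf_size)
{
    unsigned cur_len = 0;
    for (size_t i = 0; i < n; i++) {
        char key = keys[i];
        if (key == '\n' || key == '\r')
            break;
        if (key == '\b') {
            if (cur_len > 0)
                cur_len--;
            continue;
        }
        if (cur_len + 1 < buf_size)
            buf[cur_len++] = key;
    }
    memset(buf + cur_len, 0, buf_size - cur_len);
    return cur_len;
}

/* Returns 1 when cur_len is a valid offset into a buffer of buf_size bytes. */
int index_in_bounds(unsigned cur_len, unsigned buf_size)
{
    return cur_len < buf_size;
}
```

With 28 backspaces on an empty line the unchecked index ends far outside any prompt buffer, while the checked reader stays at 0 and returns an empty string.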
Using the "Am I vulnerable" test from the second link above in a fully updated Mga5 (UEFI) x86_64 in a VM I could not replicate the original bug, no matter how many back-spaces were entered. YMMV

I tested by doing the following:

To add a superuser password:

1. open /etc/grub.d/40_custom in a root editor and add the lines:

set superusers=myusername
password myusername mypassword
export superusers

2. open /etc/grub.d/10_linux in a root editor and edit line 29 to read:

CLASS="--class gnu-linux --users '' --class gnu --class os"
                         ^^^^^^^^^^
Note that "--users ''" has been added.

3. run update-grub

Now on reboot you will be asked for username and password after selecting an entry from the boot menu.

To replicate the bug hit backspace 28 times when asked for username and you should be dropped to a grub2 shell or the system should reboot.

After this update from updates_testing it should not drop to shell or reboot.
(In reply to Barry Jackson from comment #7)
> Using the "Am I vulnerable" test from the second link above in a fully
> updated Mga5 (UEFI) x86_64 in a VM I could not replicate the original bug,
> no matter how many back-spaces were entered. YMMV

in a fully updated Mga5 (UEFI) x86_64 real h/w unable to replicate bug.

I followed below instructions to enable boot password requirement:

>
> To add a superuser password:
>
> 1. open /etc/grub.d/40_custom in a root editor and add the lines:
>
> set superusers=myusername
> password myusername mypassword
> export superusers
>
> 2. open /etc/grub.d/10_linux in a root editor and edit line 29 to read:
>
> CLASS="--class gnu-linux --users '' --class gnu --class os"
>                          ^^^^^^^^^^
>
> 3. run update-grub

However, I am unable to boot with GRUB2 as user or password is rejected, I am just passed back to boot menu
CC: (none) => westel
Strange. However, you could try the 28 backspaces before removing the changes to try again. :)

I just followed my instructions to the letter in my main Mga5 system here and it works perfectly. (I actually used an encrypted password to give it more of a test)

Maybe you made a typo? Caps lock?
I'm using grub rather than grub2 on my main testing system (my other system is still down). I'll just point out this should be tested on both efi and bios firmware systems.
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
(In reply to Dave Hodgins from comment #10)
> I'm using grub rather than grub2 on my main testing system (my other system
> is still down).

It takes < 2 mins to switch to grub2 using mcc->boot - same to switch back ;)

> I'll just point out this should be tested on both efi and
> bios firmware systems.

Yes
Testing complete mga5 32 (Bios system)

Switched to grub2 as in comment 11. Rebooted. Installed updates. Rebooted.

Could do with an EFI test x86_64 before validating.
Whiteboard: advisory => has_procedure advisory mga5-32-ok
On mga5-64 (EFI)

Installed packages from testing;
grub2-efi-2.02-0.git9752.18.3.mga5
grub2-mageia-theme-2.02-0.git9752.18.3.mga5

Packages installed cleanly. System re-booted normally.

OK for mga5-64 (EFI)

Does this update also need to be tested on a mga5-64 BIOS system?
If you have one handy to test it on, Jim, yes pls.
On mga5-64 (BIOS)

Switched to Grub2 and rebooted.

Installed packages from testing:
grub2-mageia-theme-2.02-0.git9752.18.3.mga5
grub2-2.02-0.git9752.18.3.mga5

Packages installed cleanly. System re-booted normally.

OK for mga5-64 (BIOS)
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure advisory mga5-32-ok => has_procedure advisory mga5-32-ok MGA5-64-OK
This update is now validated and can be pushed to updates.
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0480.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED