| Field | Value |
|---|---|
| Summary | sys-boot/grub:2 - LZO Denial of Service and Arbitrary Code Execution through embedded code |
| Product | Gentoo Security |
| Reporter | Kristian Fiskerstrand (RETIRED) <k_f> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED WONTFIX |
| Severity | normal |
| CC | base-system, bkohler, floppym, hanno |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | A3 [upstream] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | |
| Bug Blocks | 515246 |
Description

Kristian Fiskerstrand (RETIRED), 2014-06-26 22:11:46 UTC

The relevant code seems to exist in sys-boot/grub:2 in grub-core/lib/minilzo/minilzo.c. I have no idea how to "fix" it; I will leave that to upstream. Thanks.

Do you have the upstream bug ID tracking this?

I am not aware of a bug report upstream as of yet.

I've filed an upstream bug on https://savannah.gnu.org/bugs/index.php?42635

Kristian, maybe you want to ping the bug again? Library is still not updated in grub's git master.

(In reply to Thomas Deutschmann from comment #5)
> Kristian, maybe you want to ping the bug again? Library is still not updated
> in grub's git master.

I tend to agree with the assessment that severity is low on this.

Upstream has no concerns of exploit with this and nothing has been found in the wild. Furthermore, if a possible exploit existed then usual security measures would prevent it.