Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 568326 (CVE-2015-8370) - <sys-boot/grub-2.02_beta2-r8:2 - authentication bypass (CVE-2015-8370)
Summary: <sys-boot/grub-2.02_beta2-r8:2 - authentication bypass (CVE-2015-8370)
Status: RESOLVED FIXED
Alias: CVE-2015-8370
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-12-15 13:09 UTC by Agostino Sarubbo
Modified: 2015-12-21 17:14 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-12-15 13:09:43 UTC
From ${URL} :

A vulnerability in Grub2 (Back to 28) has been found. Versions from 1.98
(December, 2009) to 2.02 (December, 2015) are affected. The vulnerability can be 
exploited under certain circumstances, allowing local attackers to bypass any 
kind of authentication (plain or hashed passwords). And so, the attacker may 
take control of the computer.


More details at:
http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Mike Gilbert gentoo-dev 2015-12-15 18:32:07 UTC
I applied the "emergency patch" in grub-2.02_beta2-r8. Feel free to stabilize it.
Comment 2 Agostino Sarubbo gentoo-dev 2015-12-17 13:48:32 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2015-12-17 13:48:57 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 4 Richard Freeman gentoo-dev 2015-12-18 11:54:13 UTC
It isn't obvious from the upgrade whether grub2 requires a reinstall following the update (to modify any on-disk structures/etc).  If that is necessary I'd suggest at least a warning of some kind if not a news item.  If a reinstall is unnecessary I don't think any further notice is necessary.
Comment 5 Mike Gilbert gentoo-dev 2015-12-18 14:44:59 UTC
(In reply to Richard Freeman from comment #4)

Good point. The patch modifies files under grub-core, so a reinstall is definitely necessary.

I will add a pkg_postinst message and draft a news item.
Comment 6 Mike Gilbert gentoo-dev 2015-12-19 13:58:55 UTC
Cleanup is done.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2015-12-19 14:31:54 UTC
This issue was resolved and addressed in
 GLSA 201512-03 at https://security.gentoo.org/glsa/201512-03
by GLSA coordinator Tobias Heinlein (keytoaster).
Comment 8 Yury German Gentoo Infrastructure gentoo-dev Security 2015-12-21 17:14:13 UTC
Arches and Maintainer(s), Thank you for your work.