Accepting request 349095 from home:arvidjaar:branches:Base:System
- Add 0001-Fix-security-issue-when-reading-username-and-passwor.patch Fix for CVE-2015-8370. OBS-URL: https://build.opensuse.org/request/show/349095 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=193
This commit is contained in:
parent
6af81371e5
commit
bc2335ce74
@ -0,0 +1,54 @@
|
||||
From 451d80e52d851432e109771bb8febafca7a5f1f2 Mon Sep 17 00:00:00 2001
|
||||
From: Hector Marco-Gisbert <hecmargi@upv.es>
|
||||
Date: Wed, 16 Dec 2015 07:57:18 +0300
|
||||
Subject: [PATCH] Fix security issue when reading username and password
|
||||
|
||||
This patch fixes two integer underflows at:
|
||||
* grub-core/lib/crypto.c
|
||||
* grub-core/normal/auth.c
|
||||
|
||||
CVE-2015-8370
|
||||
|
||||
Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
|
||||
Signed-off-by: Ismael Ripoll-Ripoll <iripoll@disca.upv.es>
|
||||
Also-By: Andrey Borzenkov <arvidjaar@gmail.com>
|
||||
---
|
||||
grub-core/lib/crypto.c | 3 ++-
|
||||
grub-core/normal/auth.c | 7 +++++--
|
||||
2 files changed, 7 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c
|
||||
index 010e550..683a8aa 100644
|
||||
--- a/grub-core/lib/crypto.c
|
||||
+++ b/grub-core/lib/crypto.c
|
||||
@@ -470,7 +470,8 @@ grub_password_get (char buf[], unsigned buf_size)
|
||||
|
||||
if (key == '\b')
|
||||
{
|
||||
- cur_len--;
|
||||
+ if (cur_len)
|
||||
+ cur_len--;
|
||||
continue;
|
||||
}
|
||||
|
||||
diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c
|
||||
index c6bd96e..8615c48 100644
|
||||
--- a/grub-core/normal/auth.c
|
||||
+++ b/grub-core/normal/auth.c
|
||||
@@ -174,8 +174,11 @@ grub_username_get (char buf[], unsigned buf_size)
|
||||
|
||||
if (key == '\b')
|
||||
{
|
||||
- cur_len--;
|
||||
- grub_printf ("\b");
|
||||
+ if (cur_len)
|
||||
+ {
|
||||
+ cur_len--;
|
||||
+ grub_printf ("\b");
|
||||
+ }
|
||||
continue;
|
||||
}
|
||||
|
||||
--
|
||||
1.9.1
|
||||
|
@ -1,3 +1,9 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Dec 16 05:04:37 UTC 2015 - arvidjaar@gmail.com
|
||||
|
||||
- Add 0001-Fix-security-issue-when-reading-username-and-passwor.patch
|
||||
Fix for CVE-2015-8370.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Dec 9 18:13:27 UTC 2015 - arvidjaar@gmail.com
|
||||
|
||||
|
@ -205,6 +205,7 @@ Patch68: grub2-btrfs-fix-get_root-key-comparison-failures-due-to-en.patch
|
||||
Patch69: grub2-getroot-fix-get-btrfs-fs-prefix-big-endian.patch
|
||||
Patch70: grub2-default-distributor.patch
|
||||
Patch71: grub2-menu-unrestricted.patch
|
||||
Patch72: 0001-Fix-security-issue-when-reading-username-and-passwor.patch
|
||||
# Btrfs snapshot booting related patches
|
||||
Patch101: grub2-btrfs-01-add-ability-to-boot-from-subvolumes.patch
|
||||
Patch102: grub2-btrfs-02-export-subvolume-envvars.patch
|
||||
@ -479,6 +480,7 @@ mv po/grub.pot po/%{name}.pot
|
||||
%patch69 -p1
|
||||
%patch70 -p1
|
||||
%patch71 -p1
|
||||
%patch72 -p1
|
||||
%patch101 -p1
|
||||
%patch102 -p1
|
||||
%patch103 -p1
|
||||
|
Loading…
Reference in New Issue
Block a user