rpm/grub2
SHA256
1
0
Fork 0
forked from pool/grub2
Code Pull Requests Activity

Accepting request 349095 from home:arvidjaar:branches:Base:System

Browse Source 
- Add 0001-Fix-security-issue-when-reading-username-and-passwor.patch
  Fix for CVE-2015-8370.

OBS-URL: https://build.opensuse.org/request/show/349095
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=193
This commit is contained in:
Michael Chang 2015-12-17 02:45:19 +00:00 committed by Git OBS Bridge
parent 6af81371e5
commit bc2335ce74
3 changed files with 62 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
0001-Fix-security-issue-when-reading-username-and-passwor.patch Normal file
View File

@ -0,0 +1,54 @@
From 451d80e52d851432e109771bb8febafca7a5f1f2 Mon Sep 17 00:00:00 2001
From: Hector Marco-Gisbert <hecmargi@upv.es>
Date: Wed, 16 Dec 2015 07:57:18 +0300
Subject: [PATCH] Fix security issue when reading username and password
This patch fixes two integer underflows at:
* grub-core/lib/crypto.c
* grub-core/normal/auth.c
CVE-2015-8370
Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
Signed-off-by: Ismael Ripoll-Ripoll <iripoll@disca.upv.es>
Also-By: Andrey Borzenkov <arvidjaar@gmail.com>
---
grub-core/lib/crypto.c | 3 ++-
grub-core/normal/auth.c | 7 +++++--
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c
index 010e550..683a8aa 100644
--- a/grub-core/lib/crypto.c
+++ b/grub-core/lib/crypto.c
@@ -470,7 +470,8 @@ grub_password_get (char buf[], unsigned buf_size)
if (key == '\b')
{
- cur_len--;
+ if (cur_len)
+ cur_len--;
continue;
}
diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c
index c6bd96e..8615c48 100644
--- a/grub-core/normal/auth.c
+++ b/grub-core/normal/auth.c
@@ -174,8 +174,11 @@ grub_username_get (char buf[], unsigned buf_size)
if (key == '\b')
{
- cur_len--;
- grub_printf ("\b");
+ if (cur_len)
+ {
+ cur_len--;
+ grub_printf ("\b");
+ }
continue;
}
--
1.9.1

6
grub2.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Wed Dec 16 05:04:37 UTC 2015 - arvidjaar@gmail.com
- Add 0001-Fix-security-issue-when-reading-username-and-passwor.patch
Fix for CVE-2015-8370.
-------------------------------------------------------------------
Wed Dec 9 18:13:27 UTC 2015 - arvidjaar@gmail.com

2
grub2.spec
View File

@ -205,6 +205,7 @@ Patch68: grub2-btrfs-fix-get_root-key-comparison-failures-due-to-en.patch
Patch69: grub2-getroot-fix-get-btrfs-fs-prefix-big-endian.patch
Patch70: grub2-default-distributor.patch
Patch71: grub2-menu-unrestricted.patch
Patch72: 0001-Fix-security-issue-when-reading-username-and-passwor.patch
# Btrfs snapshot booting related patches
Patch101: grub2-btrfs-01-add-ability-to-boot-from-subvolumes.patch
Patch102: grub2-btrfs-02-export-subvolume-envvars.patch
@ -479,6 +480,7 @@ mv po/grub.pot po/%{name}.pot
%patch69 -p1
%patch70 -p1
%patch71 -p1
%patch72 -p1
%patch101 -p1
%patch102 -p1
%patch103 -p1