From ea5eefc94a14a6c0161b3a1e7a792fb8de272dac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Fabian=20Silva=20Delgado?= Date: Tue, 22 Dec 2015 10:48:36 -0300 Subject: grub-1:2.02.beta2-6.parabola1: updating revision * fix CVE-2015-8370: Grub2 Authentication Bypass (FS#47386 -> https://bugs.archlinux.org/task/47386) * lock grub-extras revision to fix build failure (FS#46165 -> https://bugs.archlinux.org/task/46165) --- ...y-issue-when-reading-username-and-passwor.patch | 47 ++++++++++++++++++++++ libre/grub/PKGBUILD | 10 ++++- 2 files changed, 55 insertions(+), 2 deletions(-) create mode 100644 libre/grub/0001-Fix-security-issue-when-reading-username-and-passwor.patch (limited to 'libre/grub') diff --git a/libre/grub/0001-Fix-security-issue-when-reading-username-and-passwor.patch b/libre/grub/0001-Fix-security-issue-when-reading-username-and-passwor.patch new file mode 100644 index 000000000..aa07f2ffc --- /dev/null +++ b/libre/grub/0001-Fix-security-issue-when-reading-username-and-passwor.patch @@ -0,0 +1,47 @@ +From e16eeda1200deabd0d3a4af968d526d62845a85f Mon Sep 17 00:00:00 2001 +From: Hector Marco-Gisbert +Date: Fri, 13 Nov 2015 16:21:09 +0100 +Subject: [PATCH] Fix security issue when reading username and password + + This patch fixes two integer underflows at: + * grub-core/lib/crypto.c + * grub-core/normal/auth.c + +Resolves: CVE-2015-8370 + +Signed-off-by: Hector Marco-Gisbert +Signed-off-by: Ismael Ripoll-Ripoll +--- + grub-core/lib/crypto.c | 2 +- + grub-core/normal/auth.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c +index 010e550..524a3d8 100644 +--- a/grub-core/lib/crypto.c ++++ b/grub-core/lib/crypto.c +@@ -468,7 +468,7 @@ grub_password_get (char buf[], unsigned buf_size) + break; + } + +- if (key == '\b') ++ if (key == '\b' && cur_len) + { + cur_len--; + continue; +diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c +index c6bd96e..5782ec5 100644 +--- a/grub-core/normal/auth.c ++++ b/grub-core/normal/auth.c +@@ -172,7 +172,7 @@ grub_username_get (char buf[], unsigned buf_size) + break; + } + +- if (key == '\b') ++ if (key == '\b' && cur_len) + { + cur_len--; + grub_printf ("\b"); +-- +2.6.4 + diff --git a/libre/grub/PKGBUILD b/libre/grub/PKGBUILD index 95204924b..5865ab712 100644 --- a/libre/grub/PKGBUILD +++ b/libre/grub/PKGBUILD @@ -351,6 +351,7 @@ _GRUB_EMU_BUILD='0' _pkgver='2.02' _GRUB_GIT_TAG='grub-2.02-beta2' +_GRUB_EXTRAS_COMMIT=4a56e2c2cc3d78f12f1788c27669a651071dee49 _UNIFONT_VER='6.3.20131217' @@ -371,7 +372,7 @@ pkgname=('grub') 'grub-omap3_beagle_xm' 'grub-omap3_beagle_xm_ab') pkgdesc='GNU GRand Unified Bootloader (2), (Parabola rebranded)' pkgver='2.02.beta2' -pkgrel='5.parabola10' +pkgrel='6.parabola1' epoch='1' url='https://www.gnu.org/software/grub/' arch=('x86_64' 'i686' 'armv7h') @@ -410,9 +411,10 @@ elif [[ "$CARCH" = 'armv7h' ]]; then fi source=("grub-${_pkgver}::git+git://git.sv.gnu.org/grub.git#tag=${_GRUB_GIT_TAG}" - "grub-extras::git+git://git.sv.gnu.org/grub-extras.git#branch=master" + "grub-extras::git+git://git.sv.gnu.org/grub-extras.git#commit=${_GRUB_EXTRAS_COMMIT}" "http://ftp.gnu.org/gnu/unifont/unifont-${_UNIFONT_VER}/unifont-${_UNIFONT_VER}.bdf.gz" "http://ftp.gnu.org/gnu/unifont/unifont-${_UNIFONT_VER}/unifont-${_UNIFONT_VER}.bdf.gz.sig" + '0001-Fix-security-issue-when-reading-username-and-passwor.patch' 'grub-10_linux-20_linux_xen-detect-parabola-initramfs.patch' 'grub-add-GRUB_COLOR_variables.patch' '60_memtest86+' @@ -428,6 +430,7 @@ md5sums=('SKIP' 'SKIP' '728b7439ac733a7c0d56049adec364c7' 'SKIP' + '9589ec46a04f9bb4d5da987340a4a324' '3a9bb9bafe0062388e11f72f0e80ba7e' 'e506ae4a9f9f7d1b765febfa84e10d48' 'be55eabc102f2c60b38ed35c203686d6' @@ -449,6 +452,9 @@ _pkgver() { prepare() { cd "${srcdir}/grub-${_pkgver}/" + msg 'CVE-2015-8370' + patch -Np1 -i "${srcdir}/0001-Fix-security-issue-when-reading-username-and-passwor.patch" + msg 'Patch to detect of Parabola GNU/Linux-libre initramfs images by grub-mkconfig' patch -Np1 -i "${srcdir}/grub-10_linux-20_linux_xen-detect-parabola-initramfs.patch" -- cgit v1.2.2