Bug 40282
| Summary: | grub2: CVE-2015-8370 (3.2) | ||
|---|---|---|---|
| Product: | UCS | Reporter: | Arvid Requate <requate> |
| Component: | Security updates | Assignee: | Janek Walkenhorst <walkenhorst> |
| Status: | CLOSED FIXED | QA Contact: | Philipp Hahn <hahn> |
| Severity: | normal | ||
| Priority: | P4 | CC: | gohmann |
| Version: | UCS 3.2 | Flags: | requate:
Patch_Available+
|
| Target Milestone: | UCS 3.2-8-errata | ||
| Hardware: | Other | ||
| OS: | Linux | ||
| What kind of report is it?: | --- | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | Enterprise Customer affected?: | ||
| School Customer affected?: | ISV affected?: | ||
| Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
| Ticket number: | Bug group (optional): | Security | |
| Max CVSS v3 score: | |||
| Bug Depends on: | |||
| Bug Blocks: | 41364 | ||
|
Description
Arvid Requate
r16548 Upstream fix backported as grub2/3.2-0-0-ucs/2.00-18-errata3.2-8/CVE-2015-8370.patch r69570 Advisory: grub2.yaml How to reproduce:
--- /etc/grub.d/00_header
+++ /etc/grub.d/00_header
@@ -315,3 +315,8 @@
if [ "x${GRUB_BADRAM}" != "x" ] ; then
echo "badram ${GRUB_BADRAM}"
fi
+
+cat <<EOF
+set superusers="benutzer"
+password benutzer univention
+EOF
update-grub
shutdown -r now
On username and password prompt press Backspace at least 28 times, before trying to enter the username or password.
Tests (amd64 KVM, i386 KVM): OK OK: amd64 @ kvm OK: i386 @ kvm both did not crash bat did not accept correctly entered credentials - now works OK: dpkg-query -W grub-common # 2.00-18.110.201605271548 OK: zless /usr/share/doc/grub-common/changelog.Debian.gz OK: errata-announce -V --only grub2.yaml FIXED: r69641 grub2.yaml |