startupmanager triggers a highly insecure default option after a kernel update
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| StartUp-Manager |
Incomplete
|
Undecided
|
Jimmy Rönnholm | ||
| startupmanager (Ubuntu) |
Invalid
|
Undecided
|
Marco Rodrigues | ||
Bug Description
A user is sometimes presented with a highly undesirable and insecure default option in a popup window, after a kernel update. He is namely being asked what he wants to do with the old menu.lst, and the proposed answer is.... to keep the old menu.lst!
When the user agrees with the proposed answer, the new kernel lines aren't added to menu.lst. And so the user will continue to boot from the old, outdated kernel.
This happens only when something was previously changed inside the Automagic part of the Grub menu.lst, for example by startupmanager. For more information see this bug report:
https:/
As startupmanager is a tool that's often used by beginners with Linux, this creates grave security risks for those unsuspecting beginners. Please fix startupmanager, so that it only can change those options in menu.lst that won't trigger the popup window mentioned above, after a kernel update.
I quote a member of the Grub team (last sentence in his post):
"In any event, if users are seeing this prompt as a result of using startupmanager, then a high-priority task needs to be opened on startupmanager to get *that* tool fixed."
https:/
I hope you can fix this quickly. It's real bad.
Thanks in advance, Pjotr.
| Jimmy Rönnholm (jronnholm) wrote | #1 |
| Changed in startup-manager: | |
| assignee: | nobody → jimmy-ronnholm |
| status: | New → Incomplete |
| Jimmy Rönnholm (jronnholm) wrote | #2 |
| security vulnerability: | yes → no |
| Changed in startupmanager (Ubuntu): | |
| status: | New → Incomplete |
| Changed in startupmanager (Ubuntu): | |
| status: | Incomplete → Invalid |
| assignee: | nobody → Marco Rodrigues (gothicx) |
I am not sure if I understand this correctly, but sum is not supposed to do anything with the automagic part of menu.lst.
In fact, sum calls update-grub to finalize any changes when the app is closed.
It would be nice if you could provide an unmodified menu.lst and one that has been changed by sum to cause this problem so I can see what may be the cause of this.