startupmanager triggers a highly insecure default option after a kernel update

Bug #238392 reported by Pjotr12345 on 2008-06-08
Affects: startupmanager (Ubuntu)
Assigned to: Jimmy Rönnholm, Marco Rodrigues

Bug Description

A user is sometimes presented with a highly undesirable and insecure default option in a popup window, after a kernel update. He is namely being asked what he wants to do with the old menu.lst, and the proposed answer is... to keep the old menu.lst!

When the user agrees with the proposed answer, the new kernel lines aren't added to menu.lst. And so the user will continue to boot from the old, outdated kernel.

This happens only when something was previously changed inside the Automagic part of the Grub menu.lst, for example by startupmanager. For more information see this bug report:

As startupmanager is a tool that's often used by beginners with Linux, this creates grave security risks for those unsuspecting beginners. Please fix startupmanager, so that it only can change those options in menu.lst that won't trigger the popup window mentioned above, after a kernel update.

I quote a member of the Grub team (last sentence in his post):
"In any event, if users are seeing this prompt as a result of using startupmanager, then a high-priority task needs to be opened on startupmanager to get *that* tool fixed."

I hope you can fix this quickly. It's real bad.

Thanks in advance, Pjotr.

Jimmy Rönnholm (jronnholm) wrote:

I am not sure if I understand this correctly, but sum is not supposed to do anything with the automagic part of menu.lst.
In fact, sum calls update-grub to finalize any changes when the app is closed.
It would be nice if you could provide an unmodified menu.lst and one that has been changed by sum to cause this problem so I can see what may be the cause of this.

Changed in startup-manager:
assignee: nobody → jimmy-ronnholm
status: New → Incomplete
Jimmy Rönnholm (jronnholm) wrote:

Just a question for you who get the popup window:
Have you manually edited menu.lst or used another tool to edit it before using sum?
Since this is triggered by edits to the automagically (by update-grub) generated part of menu.lst, which sum NEVER touches, my guess is that something else has been messing with that part.
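A small checker for the comparison the maintainer asks for above (an unmodified menu.lst next to one changed after using sum): it isolates the automagic block between the BEGIN/END markers that update-grub regenerates and reports only the lines that differ inside it, ignoring edits to the user section such as the timeout. This is an added example, not code from the bug report or from startupmanager; the two menu.lst fragments are constructed, and the hand-edited kernel line in the modified copy is an assumption used purely to show the output.

```python
import difflib

BEGIN = "### BEGIN AUTOMAGIC KERNELS LIST"
END = "### END DEBIAN AUTOMAGIC KERNELS LIST"


def split_menu_lst(text):
    """Return (before, automagic, after) line lists. The automagic region is the
    part update-grub regenerates; a file without markers is all 'before'."""
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN)
        stop = lines.index(END)
    except ValueError:
        return lines, [], []
    return lines[:start], lines[start:stop + 1], lines[stop + 1:]


def automagic_changes(original, modified):
    """Lines that differ inside the automagic block of two menu.lst texts,
    as ('-'|'+', line) tuples. An empty list means the generated part is
    identical, so any difference between the files lies outside it."""
    _, a, _ = split_menu_lst(original)
    _, b, _ = split_menu_lst(modified)
    out = []
    for d in difflib.unified_diff(a, b, lineterm="", n=0):
        # keep only real removed/added lines, not the ---/+++/@@ headers
        if d[:1] in ("+", "-") and not d.startswith(("+++", "---")):
            out.append((d[0], d[1:]))
    return out


# Constructed sample menu.lst fragments (not taken from the bug report).
ORIGINAL = """\
default 0
timeout 3
### BEGIN AUTOMAGIC KERNELS LIST
## ## Start Default Options ## ##
# defoptions=quiet splash
## ## End Default Options ## ##
title Ubuntu, kernel 2.6.24-16-generic
kernel /boot/vmlinuz-2.6.24-16-generic root=UUID=x ro quiet splash
### END DEBIAN AUTOMAGIC KERNELS LIST
"""
# Assumed edits: timeout changed (outside the block) and a generated kernel
# line hand-edited (inside the block); only the latter should be reported.
MODIFIED = ORIGINAL.replace("timeout 3", "timeout 10").replace(
    "ro quiet splash\n", "ro quiet splash vga=791\n")

if __name__ == "__main__":
    for sign, line in automagic_changes(ORIGINAL, MODIFIED):
        print(sign, line)
```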

security vulnerability: yes → no
Changed in startupmanager (Ubuntu):
status: New → Incomplete
Changed in startupmanager (Ubuntu):
status: Incomplete → Invalid
assignee: nobody → Marco Rodrigues (gothicx)