authentication accepts wrong passwords

I'm sorry, there were a couple of minor compilation bugs. Here's a correct patch.

I've received confirmation that it fixes the problem, but haven't yet tested myself.

Yes, the patch works.

Here's the final aggregated patch that went into Bazaar (almost identical to Robert's patch above). Could somebody from the security team shepherd this into karmic-security? It'll be in lucid quite soon.

Fixed in grub2 1.97+20091130-1ubuntu1 in Lucid now:

grub2 (1.97+20091115-1) unstable; urgency=low

  * New upstream snapshot.
    - Fix security problem with password checking. (Closes: #555195)
    - Fix the generated GNU/Hurd menu entries and also add support for
      it in 30_os-prober. (Closes: #555188)
    - Same grub-mkrescue for grub-pc and grub-coreboot, used by
      grub-rescue-pc during postinst now. (Closes: #501867)

  [ Felix Zielcke ]
  * Ship grub-mkisofs in grub-common.
  * patches/002_grub.d_freebsd.in.diff: Remove (merged upstream).
  * patches/906_grub_extras.diff: Remove. Superseded by GRUB_CONTRIB variable
    in recent upstream trunk.
  * rules: Export GRUB_CONTRIB to enable grub-extras add-ons.
  * Pass --force to grub-install in the postinst. (Closes: #553415)
  * Don't strip debug symbols from grub-emu. It's meant for debugging
    and with them it's much more useful.
  * Ship grub-mkfloppy in grub-pc.
  * Revert the Replaces: grub-common to (<= 1.96+20080413-1) on the
    grub-pc package. It was wrongly modified long ago.

  [ Robert Millan ]
  * copyright: Document mkisofs.
  * control: Update Vcs- fields (moved to Bazaar).
  * rules: Update debian/legacy/update-grub rule to Bazaar.

 -- Felix Zielcke <email address hidden> Sun, 15 Nov 2009 19:13:31 +0100

http://www.ubuntu.com/usn/USN-868-1