authentication accepts wrong passwords

Bug #478806 reported by Robert Millan on 2009-11-09
This bug affects 2 people
Affects           Status         Importance   Assigned to         Milestone
grub2 (Debian)    Fix Released   Unknown
grub2 (Ubuntu)                   Critical     Unassigned
  Karmic                         Critical     Jamie Strandboge

Bug Description

Binary package hint: grub2

Details in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555195

UNTESTED patch from upstream Bazaar attached.

Robert Millan (rmh-aybabtu) wrote :
visibility: private → public
Colin Watson (cjwatson) on 2009-11-09
Changed in grub2 (Ubuntu):
status: New → Triaged
importance: Undecided → High
importance: High → Critical
Robert Millan (rmh-aybabtu) wrote :

I'm sorry, there were a couple of minor compilation bugs. Here's a correct patch.

I've received confirmation that it fixes the problem, but haven't yet tested myself.

Changed in grub2 (Debian):
status: Unknown → Confirmed
Changed in grub2 (Debian):
status: Confirmed → Fix Released
Lorenzo De Liso (blackz) wrote :

Yes, the patch works.

Colin Watson (cjwatson) wrote :

Here's the final aggregated patch that went into Bazaar (almost identical to Robert's patch above). Could somebody from the security team shepherd this into karmic-security? It'll be in lucid quite soon.

Changed in grub2 (Ubuntu Karmic):
status: New → Triaged
importance: Undecided → Critical
Colin Watson (cjwatson) wrote :
Changed in grub2 (Ubuntu Karmic):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Triaged → In Progress
Colin Watson (cjwatson) wrote :

Fixed in grub2 1.97+20091130-1ubuntu1 in Lucid now:

grub2 (1.97+20091115-1) unstable; urgency=low

  * New upstream snapshot.
    - Fix security problem with password checking. (Closes: #555195)
    - Fix the generated GNU/Hurd menu entries and also add support for
      it in 30_os-prober. (Closes: #555188)
    - Same grub-mkrescue for grub-pc and grub-coreboot, used by
      grub-rescue-pc during postinst now. (Closes: #501867)

  [ Felix Zielcke ]
  * Ship grub-mkisofs in grub-common.
  * patches/002_grub.d_freebsd.in.diff: Remove (merged upstream).
  * patches/906_grub_extras.diff: Remove. Superseded by GRUB_CONTRIB variable
    in recent upstream trunk.
  * rules: Export GRUB_CONTRIB to enable grub-extras add-ons.
  * Pass --force to grub-install in the postinst. (Closes: #553415)
  * Don't strip debug symbols from grub-emu. It's meant for debugging
    and with them it's much more useful.
  * Ship grub-mkfloppy in grub-pc.
  * Revert the Replaces: grub-common to (<= 1.96+20080413-1) on the
    grub-pc package. It was wrongly modified long ago.

  [ Robert Millan ]
  * copyright: Document mkisofs.
  * control: Update Vcs- fields (moved to Bazaar).
  * rules: Update debian/legacy/update-grub rule to Bazaar.

 -- Felix Zielcke <email address hidden> Sun, 15 Nov 2009 19:13:31 +0100

Changed in grub2 (Ubuntu):
status: Triaged → Fix Released
Changed in grub2 (Ubuntu Karmic):
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :
Changed in grub2 (Ubuntu Karmic):
status: Fix Committed → Fix Released