Posted: Sat Dec 19, 2015 3:26 pm Post subject: [ glsa 201512-03 ] grub
Gentoo Linux Security Advisory
Title: GRUB: Authentication bypass (GLSA 201512-03)
Date: December 19, 2015
GRUB's authentication prompt can be bypassed by entering a sequence
of backspace characters.
GNU GRUB is a multiboot boot loader used by most Linux systems.
Vulnerable: < 2.02_beta2-r8
Unaffected: >= 2.02_beta2-r8
Unaffected: >= 0.97 < 0.98
Architectures: All supported architectures
An integer underflow in GRUB’s username/password authentication code
has been discovered.
An attacker with access to the system console may bypass the username
prompt by entering a sequence of backspace characters, allowing them e.g.
to get full access to GRUB’s console or to load a customized kernel.
There is no known workaround at this time.
All GRUB 2.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-boot/grub-2.02_beta2-r8"

After upgrading, make sure to run the grub2-install command with options
appropriate for your system. See the GRUB2 Quick Start guide in the
references below for examples. Your system will be vulnerable until this
action is performed.
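
The bug class named in the advisory (an integer underflow reached by pressing backspace on an empty input field), shown as an added example that is not part of the advisory and not GRUB's source code. The function names and the sample keystrokes are hypothetical; the first function only models the length counter, the second is a reader with the missing checks in place.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Unguarded length tracking: every backspace decrements, even at zero.
   Only the counter is modelled here (no buffer writes), so the wrap can
   be observed without touching memory. */
unsigned track_len_unguarded(const char *keys)
{
    unsigned cur_len = 0;
    for (; *keys; keys++) {
        if (*keys == '\b')
            cur_len--;          /* wraps to UINT_MAX when cur_len == 0 */
        else
            cur_len++;
    }
    return cur_len;
}

/* Hardened field reader: backspace is ignored on an empty field and
   input is dropped once the buffer is full. Returns the final length. */
size_t read_field(const char *keys, char *buf, size_t buf_size)
{
    size_t cur_len = 0;
    if (buf_size == 0)
        return 0;
    for (; *keys && *keys != '\n' && *keys != '\r'; keys++) {
        if (*keys == '\b') {
            if (cur_len > 0)    /* the check whose absence causes the wrap */
                cur_len--;
            continue;
        }
        if (cur_len + 1 < buf_size)
            buf[cur_len++] = *keys;
    }
    buf[cur_len] = '\0';
    return cur_len;
}

int main(void)
{
    char user[16];
    const char *keys = "\b\b\broot";    /* constructed sample input */
    printf("unguarded counter: %u\n", track_len_unguarded("\b"));
    printf("hardened length:   %zu (%s)\n",
           read_field(keys, user, sizeof user), user);
    return 0;
}
```

Any code that uses such a counter as a buffer index needs the lower-bound check as well as the upper-bound one, since an unsigned index that wraps passes a naive "less than zero" test.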