Follow-up Comment #3, bug #66603 (group grub): Hi Vladimir and others,
Checking in on this bug (#66603) as it relates to CVE-2024-56738, which is still affecting current Debian releases (tracked in Debian bug #1102217: https://bugs.debian.org/1102217). I see Vladimir Serbinenko mentioned back in December 2024 (comment #2) a plan to switch to using libgcrypt functions after updating libgcrypt. Has there been any progress on that front, or is there an estimated timeline?

In the meantime, the constant-time comparison fix proposed by Jonathan Bar Or in the original report (or a similar patch, like the one I have tested based on the same principle) seems like a viable solution to address the immediate side-channel vulnerability. Would applying such a direct fix be acceptable for GRUB in the interim, or is the switch to libgcrypt the only path forward?

I have a tested patch implementing the constant-time comparison using bitwise operations (similar to the one attached here previously) that resolves the issue on Debian systems. Happy to provide it again if helpful.

Thanks,
Mostafa

_______________________________________________________
Reply to this item at: <https://savannah.gnu.org/bugs/?66603>

_______________________________________________
Message sent via Savannah https://savannah.gnu.org/
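To illustrate the "constant-time comparison using bitwise operations" principle the comment refers to, here is an added example (not Mostafa's patch, not Jonathan Bar Or's proposal, and not GRUB's own code): an early-exit comparison, whose run time depends on how many leading bytes match, next to a comparison that always processes every byte and collapses the result without a data-dependent branch. The function names `leaky_memeq` and `ct_memeq` are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Early-exit comparison, shown only for contrast: it returns at the first
 * mismatching byte, so its run time reveals the length of the matching
 * prefix. This is the class of behaviour a constant-time fix removes. */
static int leaky_memeq(const void *a, const void *b, size_t n)
{
    const unsigned char *x = a, *y = b;
    for (size_t i = 0; i < n; i++) {
        if (x[i] != y[i])
            return 0;
    }
    return 1;
}

/* Constant-time comparison (hypothetical name, not grub_crypto_memcmp):
 * XOR each byte pair and OR the results into one accumulator. The loop
 * always runs n iterations and contains no branch on the data, so the
 * time taken does not depend on where, or whether, the inputs differ.
 * Returns 1 if all n bytes are equal, 0 otherwise. */
static int ct_memeq(const void *a, const void *b, size_t n)
{
    const unsigned char *x = a, *y = b;
    unsigned int diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned int)(x[i] ^ y[i]);
    /* diff is 0..255. (diff - 1) underflows only when diff == 0, which
     * makes bit 8 and above all ones; shifting and masking turns that into
     * exactly 1 for "equal" and 0 for "different", with no branch. */
    return (int)(((diff - 1u) >> 8) & 1u);
}

int main(void)
{
    /* Constructed sample digests, standing in for a stored password hash
     * and a hash computed from user input. */
    const unsigned char stored[8]    = {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04};
    const unsigned char candidate[8] = {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0xff};

    printf("leaky_memeq: %d\n", leaky_memeq(stored, candidate, sizeof stored));
    printf("ct_memeq:    %d\n", ct_memeq(stored, candidate, sizeof stored));
    printf("ct_memeq (same input): %d\n", ct_memeq(stored, stored, sizeof stored));
    return 0;
}
```

Both functions return the same answers; the difference is only in timing, which is the property this side-channel fix is about.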
