Hello community, here is the log from the commit of package grub2 for openSUSE:Factory checked in at 2015-12-17 15:53:41 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/grub2 (Old) and /work/SRC/openSUSE:Factory/.grub2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "grub2"

Changes:
--------
--- /work/SRC/openSUSE:Factory/grub2/grub2.changes	2015-11-24 22:30:33.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.grub2.new/grub2.changes	2015-12-17 15:53:42.000000000 +0100
@@ -1,0 +2,30 @@
+Wed Dec 16 05:04:37 UTC 2015 - arvidj...@gmail.com
+
+- Add 0001-Fix-security-issue-when-reading-username-and-passwor.patch
+  Fix for CVE-2015-8370 [boo#956631]
+
+-------------------------------------------------------------------
+Wed Dec 9 18:13:27 UTC 2015 - arvidj...@gmail.com
+
+- Update grub2-efi-xen-chainload.patch - fix copying of Linux kernel
+  and initrd to ESP (boo#958193)
+
+-------------------------------------------------------------------
+Mon Dec 7 08:03:41 UTC 2015 - o...@aepfle.de
+
+- Rename grub2-xen.cfg to grub2-xen-pv-firmware.cfg (boo#926795)
+
+-------------------------------------------------------------------
+Fri Dec 4 17:06:17 UTC 2015 - o...@aepfle.de
+
+- grub2-xen.cfg: to handle grub1 menu.lst in PV guest (boo#926795)
+
+-------------------------------------------------------------------
+Thu Nov 26 10:22:28 UTC 2015 - mch...@suse.com
+
+- Expand list of grub.cfg search path in PV Xen guest for systems
+  installed to btrfs snapshot. (bsc#946148) (bsc#952539)
+  * modified grub2-xen.cfg
+- drop grub2-fix-Grub2-with-SUSE-Xen-package-install.patch (bsc#774666)
+
+-------------------------------------------------------------------

Old:
----
  grub2-fix-Grub2-with-SUSE-Xen-package-install.patch
  grub2-xen.cfg

New:
----
  0001-Fix-security-issue-when-reading-username-and-passwor.patch
  grub2-xen-pv-firmware.cfg

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ grub2.spec ++++++
--- /var/tmp/diff_new_pack.tYXzp3/_old	2015-12-17 15:53:45.000000000 +0100
+++ /var/tmp/diff_new_pack.tYXzp3/_new	2015-12-17 15:53:45.000000000 +0100
@@ -146,7 +146,7 @@
 Source12: grub2-snapper-plugin.sh
 Source14: 80_suse_btrfs_snapshot
 Source15: grub2-once.service
-Source16: grub2-xen.cfg
+Source16: grub2-xen-pv-firmware.cfg
 # required hook for systemd-sleep (bsc#941758)
 Source17: grub2-systemd-sleep.sh
 Source1000: PATCH_POLICY
@@ -160,7 +160,6 @@
 Patch10: grub2-fix-error-terminal-gfxterm-isn-t-found.patch
 Patch12: grub2-fix-menu-in-xen-host-server.patch
 Patch15: not-display-menu-when-boot-once.patch
-Patch16: grub2-fix-Grub2-with-SUSE-Xen-package-install.patch
 Patch17: grub2-pass-corret-root-for-nfsroot.patch
 Patch18: grub2-fix-locale-en.mo.gz-not-found-error-message.patch
 Patch19: grub2-efi-HP-workaround.patch
@@ -206,6 +205,7 @@
 Patch69: grub2-getroot-fix-get-btrfs-fs-prefix-big-endian.patch
 Patch70: grub2-default-distributor.patch
 Patch71: grub2-menu-unrestricted.patch
+Patch72: 0001-Fix-security-issue-when-reading-username-and-passwor.patch
 # Btrfs snapshot booting related patches
 Patch101: grub2-btrfs-01-add-ability-to-boot-from-subvolumes.patch
 Patch102: grub2-btrfs-02-export-subvolume-envvars.patch
@@ -436,7 +436,6 @@
 %patch10 -p1
 %patch12 -p1
 %patch15 -p1
-%patch16 -p1
 %patch17 -p1
 %patch18 -p1
 %patch19 -p1
@@ -481,6 +480,7 @@
 %patch69 -p1
 %patch70 -p1
 %patch71 -p1
+%patch72 -p1
 %patch101 -p1
 %patch102 -p1
 %patch103 -p1

++++++ 0001-Fix-security-issue-when-reading-username-and-passwor.patch ++++++
>From 451d80e52d851432e109771bb8febafca7a5f1f2 Mon Sep 17 00:00:00 2001
From: Hector Marco-Gisbert <hecma...@upv.es>
Date: Wed, 16 Dec 2015 07:57:18 +0300
Subject: [PATCH] Fix security issue when reading username and password

This patch fixes two integer underflows at:
  * grub-core/lib/crypto.c
  * grub-core/normal/auth.c

CVE-2015-8370

Signed-off-by: Hector Marco-Gisbert <hecma...@upv.es>
Signed-off-by: Ismael Ripoll-Ripoll <irip...@disca.upv.es>
Also-By: Andrey Borzenkov <arvidj...@gmail.com>
---
 grub-core/lib/crypto.c  | 3 ++-
 grub-core/normal/auth.c | 7 +++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c
index 010e550..683a8aa 100644
--- a/grub-core/lib/crypto.c
+++ b/grub-core/lib/crypto.c
@@ -470,7 +470,8 @@ grub_password_get (char buf[], unsigned buf_size)
 
       if (key == '\b')
 	{
-	  cur_len--;
+	  if (cur_len)
+	    cur_len--;
 	  continue;
 	}
 
diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c
index c6bd96e..8615c48 100644
--- a/grub-core/normal/auth.c
+++ b/grub-core/normal/auth.c
@@ -174,8 +174,11 @@ grub_username_get (char buf[], unsigned buf_size)
 
       if (key == '\b')
 	{
-	  cur_len--;
-	  grub_printf ("\b");
+	  if (cur_len)
+	    {
+	      cur_len--;
+	      grub_printf ("\b");
+	    }
 	  continue;
 	}
 
-- 
1.9.1

++++++ grub2-efi-xen-chainload.patch ++++++
--- /var/tmp/diff_new_pack.tYXzp3/_old	2015-12-17 15:53:45.000000000 +0100
+++ /var/tmp/diff_new_pack.tYXzp3/_new	2015-12-17 15:53:45.000000000 +0100
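Review bot: The new `if (cur_len)` guard in grub_password_get carries no comment, so a later reader sees only an oddly defensive check around a decrement and may be tempted to fold it back into the plain `cur_len--`; one line stating the invariant would protect it: `/* cur_len is unsigned: a backspace on an empty buffer must not wrap it (CVE-2015-8370). */`. The same comment belongs on the grub_username_get hunk in auth.c, where the guard additionally skips echoing the `\b` when nothing has been typed yet. Both enclosing functions start and end outside their hunks.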
@@ -114,7 +114,7 @@
 + chainloader \$cmdpath/${xen_basename} ${xen_basename} $section
 + }
 + EOF
-+ for f in ${grub_dir}/$xen_cfg ${xen_dir}/${xen_basename} ${rel_dirname}/${basename} ${rel_dirname}/${initrd}; do
++ for f in ${grub_dir}/$xen_cfg ${xen_dir}/${xen_basename} ${dirname}/${basename} ${dirname}/${initrd}; do
 + cp --preserve=timestamps $f $efi_dir
 + echo $(basename $f) >> $efi_dir/grub.xen-files
 + done

++++++ grub2-xen-pv-firmware.cfg ++++++
insmod part_msdos
insmod part_gpt
insmod search
insmod configfile
insmod legacy_configfile

set debian_cddev=""
set debian_cdarch=""
if [ "${grub_cpu}" = "x86_64" ]; then
  debian_cdarch="amd"
fi
if [ "${grub_cpu}" = "i386" ]; then
  debian_cdarch="i386"
fi
if [ -n "${debian_cdarch}" ]; then
  set debian_kern="/install.${debian_cdarch}/xen/vmlinuz"
  set debian_initrd="/install.${debian_cdarch}/xen/initrd.gz"
  search -s debian_domUcfg -f "/install.${debian_cdarch}/xen/debian.cfg"
  search -s debian_cdkern -f "${debian_kern}"
  search -s debian_cdinitrd -f "${debian_initrd}"
  if [ -n "${debian_domUcfg}" -a -n "${debian_cdinitrd}" -a -n "${debian_cdkern}" -a "${debian_domUcfg}" = "${debian_cdinitrd}" -a "${debian_domUcfg}" = "${debian_cdkern}" ]; then
    debian_cddev="${debian_domUcfg}"
  fi
fi

set fedora_cddev=""
if [ "${grub_cpu}" = "x86_64" ]; then
  set fedora_kern="/images/pxeboot/vmlinuz"
  set fedora_initrd="/images/pxeboot/initrd.img"
  search -s fedora_cdkern -f "${fedora_kern}"
  search -s fedora_cdinitrd -f "${fedora_initrd}"
  if [ -n "${fedora_cdkern}" -a -n "${fedora_cdinitrd}" -a "${fedora_cdkern}" = "${fedora_cdinitrd}" ]; then
    set fedora_cddev="${fedora_cdkern}"
  fi
fi

set suse_cddev=""
search -s suse_cddev_content -f "/content"
search -s suse_cddev_product -f "/media.1/products"
if [ -n "${suse_cddev_content}" -a -n "${suse_cddev_product}" -a "${suse_cddev_content}" = "${suse_cddev_product}" ]; then
  set suse_cddev="${suse_cddev_content}"
fi

hdcfg_list="/boot/grub2/grub.cfg \
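Review bot: The loop body added by the inner patch passes `$f` and `$efi_dir` unquoted to `cp` and `echo`, so any path containing whitespace or glob characters is word-split before the copy, and the unquoted word list on the `for` line splits the same way. The two body lines can be hardened to `cp --preserve=timestamps -- "$f" "$efi_dir"` and `basename -- "$f" >> "$efi_dir/grub.xen-files"`, which also drops the echo-of-substitution. The enclosing function starts outside the hunk, so the `for` list itself is best reworked there.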
            /@/.snapshots/1/snapshot/boot/grub2/grub.cfg \
            /.snapshots/1/snapshot/boot/grub2/grub.cfg \
            /grub2/grub.cfg"
hdlst_list="/boot/grub/menu.lst \
            /grub/menu.lst"

for c in ${hdcfg_list}; do
  if search -s hddev -f "${c}"; then
    menuentry "${hddev} Boot From Hard Disk ($c)" {
      set root="${hddev}"
      configfile "${c}"
    }
    break
  fi
done

for c in ${hdlst_list}; do
  if search -s hddev -f "${c}"; then
    menuentry "${hddev} Boot From Hard Disk (${c})" {
      set root="${hddev}"
      legacy_configfile "${c}"
    }
    break
  fi
done

set timeout=0

if [ -n "${debian_cddev}" ]; then
  set timeout=8
  menuentry "${debian_cddev} Debian Install" {
    set root="${debian_cddev}"
    linux "${debian_kern}" ignore_loglevel
    initrd "${debian_initrd}"
  }
fi

if [ -n "${fedora_cddev}" ]; then
  set timeout=8
  menuentry "${fedora_cddev} Fedora Install" {
    set root="${fedora_cddev}"
    linux "${fedora_kern}" ignore_loglevel
    initrd "${fedora_initrd}"
  }
  menuentry "${fedora_cddev} Fedora Rescue" {
    set root="${fedora_cddev}"
    linux "${fedora_kern}" ignore_loglevel rescue
    initrd "${fedora_initrd}"
  }
fi

if [ -n "${suse_cddev}" ]; then
  if [ "${grub_cpu}" = "i386" ]; then
    set suse_cdarch="i586"
  else
    set suse_cdarch="${grub_cpu}"
  fi
  set timeout=8
  set root="${suse_cddev}"
  set suse_cdcfg="/boot/${suse_cdarch}/grub2-xen/grub.cfg"
  set suse_cdkern="/boot/${suse_cdarch}/vmlinuz-xen"
  set suse_cdinitrd="/boot/${suse_cdarch}/initrd-xen"
  if [ -f "${suse_cdcfg}" ]; then
    menuentry "${suse_cddev} SUSE Install menu" {
      set root="${suse_cddev}"
      configfile "${suse_cdcfg}"
    }
  elif [ -f "${suse_cdkern}" -a -f "$suse_cdinitrd" ]; then
    menuentry "${suse_cddev} SUSE Install" {
      linux "${suse_cdkern}" linemode=1 xencons=hvc0
      initrd "${suse_cdinitrd}"
    }
    menuentry "${suse_cddev} SUSE Rescue" {
      linux "${suse_cdkern}" linemode=1 xencons=hvc0 rescue=1
      initrd "${suse_cdinitrd}"
    }
    menuentry "${suse_cddev} SUSE Upgrade" {
      linux "${suse_cdkern}" linemode=1 xencons=hvc0 upgrade=1
      initrd "${suse_cdinitrd}"
    }
  else
    echo "the device ${suse_cddev} is not xen pv bootable"
  fi
fi
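Review bot: The hard-disk loops `break` on the first `search` hit, so the order of `hdcfg_list` and `hdlst_list` is the precedence between a plain `/boot/grub2/grub.cfg` and the btrfs snapshot paths, but nothing in the file records that; a comment above `hdcfg_list` such as `# Paths are tried in this order across all devices; the first grub.cfg found wins and the search stops.` would make the intent explicit to whoever next extends the list. The two menuentry titles in those loops also differ in style, `($c)` against `(${c})`; the braced form matches every other expansion in the file and the first should follow it.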