grub2 package is vulnerable to CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233 and CVE-2021-3418

4 participants
  • Leo Famulari
  • Léo Le Bouter
  • Maxim Cournoyer
  • Mark H Weaver
Owner
unassigned
Submitted by
Léo Le Bouter
Severity
normal
Léo Le Bouter wrote on 16 Mar 2021 09:08
(address . bug-guix@gnu.org)
ba69ba4020b40dfa182174ea2395cf17195512d5.camel@zaclys.net
As outlined by
we have a new wave of GRUB security vulnerabilities around SecureBoot.

There is no new upstream release so patching this appears to be some
kind of sport.

Debian has patched it in this commit:

I see also there's a new concept of SBAT section to ease administrative
efforts around certificate revocation when signed binaries such as some
GRUB2 things become vulnerable (and we don't want them to verify
successfully anymore).

This looks like a sizeable upgrade to a sensitive part of GNU Guix, so
we have to test carefully.


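The SBAT mechanism mentioned in the message above works by generation numbers rather than by certificate: a signed binary carries a `.sbat` section listing each component and its generation, and the firmware-side policy lists the minimum generation it will still accept, so a whole class of already-signed binaries can be revoked by bumping one number. The following is an added example, not code from this bug report, from Guix, from GRUB or from shim. It assumes the `.sbat` records are six-field CSV lines (component_name, component_generation, vendor_name, vendor_package_name, vendor_version, vendor_url), that the revocation policy is a list of `component_name,minimum_generation` lines, and that a binary must carry a `sbat` self-entry; all sample records are constructed for illustration.

```python
"""Generation-based revocation as SBAT describes it.

Added example: not code from the Guix bug report, GRUB, or shim.
Assumed format: each line of a binary's .sbat section is a six-field
CSV record (component_name, component_generation, vendor_name,
vendor_package_name, vendor_version, vendor_url); the revocation
policy is a list of "component_name,minimum_generation[,extra]" lines.
All sample records below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SbatEntry:
    component_name: str
    component_generation: int
    vendor_name: str
    vendor_package_name: str
    vendor_version: str
    vendor_url: str


def parse_sbat(text: str) -> list[SbatEntry]:
    """Parse the CSV records of a .sbat section; reject malformed lines
    rather than silently treating them as 'no metadata'."""
    entries: list[SbatEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(",", 5)  # the URL is the last field, so at most 6
        if len(fields) != 6:
            raise ValueError(f"sbat line {lineno}: expected 6 fields, got {len(fields)}")
        if not fields[1].isdigit() or int(fields[1]) < 1:
            raise ValueError(f"sbat line {lineno}: bad generation {fields[1]!r}")
        entries.append(SbatEntry(fields[0], int(fields[1]), *fields[2:]))
    return entries


def parse_policy(text: str) -> dict[str, int]:
    """Parse 'component_name,minimum_generation' lines into a policy.
    Trailing fields (e.g. a date stamp) are ignored."""
    policy: dict[str, int] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        name, _, rest = line.partition(",")
        gen = rest.split(",", 1)[0]
        if not name or not gen.isdigit():
            raise ValueError(f"policy line {lineno}: malformed {line!r}")
        policy[name] = int(gen)
    return policy


def check_sbat(entries: list[SbatEntry], policy: dict[str, int]) -> tuple[bool, str]:
    """Accept the binary only if every component it declares meets the
    policy's minimum generation. A missing 'sbat' self-entry is rejected
    (assumption: the metadata must declare its own format generation)."""
    if not any(e.component_name == "sbat" for e in entries):
        return False, "rejected: no 'sbat' self-entry"
    for e in entries:
        required = policy.get(e.component_name)
        if required is not None and e.component_generation < required:
            return (False, f"rejected: {e.component_name} generation "
                           f"{e.component_generation} < required {required}")
    return True, "accepted"


def revoke(policy: dict[str, int], component: str, minimum: int) -> dict[str, int]:
    """Administrative step: raise the minimum generation for one component.
    Every already-signed binary whose generation is below the new minimum
    stops verifying, without touching any certificate. Lowering is refused
    so a stale policy file cannot quietly un-revoke."""
    current = policy.get(component, 0)
    if minimum <= current:
        raise ValueError(f"{component}: {minimum} does not raise current minimum {current}")
    return {**policy, component: minimum}


# Constructed records; version strings and generations are illustrative only.
VULNERABLE_GRUB = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/
"""
PATCHED_GRUB = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,2,Free Software Foundation,grub,2.04-patched,https://www.gnu.org/software/grub/
"""
POLICY_BEFORE = "sbat,1,2021030218\ngrub,1\n"


def demo() -> dict[str, bool]:
    """Walk through a revocation: before the bump both binaries verify,
    after it only the patched one does."""
    before = parse_policy(POLICY_BEFORE)
    after = revoke(before, "grub", 2)
    old, new = parse_sbat(VULNERABLE_GRUB), parse_sbat(PATCHED_GRUB)
    return {
        "old_before": check_sbat(old, before)[0],
        "old_after": check_sbat(old, after)[0],
        "new_after": check_sbat(new, after)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The point of the generation check is that the signing key never changes: the same certificate keeps verifying the patched build while the vulnerable one is refused, which is what makes revocation an administrative edit to a policy list rather than a key rotation.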
Léo Le Bouter wrote on 16 Mar 2021 09:16
(address . 47185@debbugs.gnu.org)
167a5c8e8451729bc50b530229ca34a832af7530.camel@zaclys.net
On Tue, 2021-03-16 at 09:08 +0100, Léo Le Bouter via Bug reports for
GNU Guix wrote:
> There is no new upstream release so patching this appears to be some
> kind of sport.

There seems to be a release candidate available:


Léo Le Bouter wrote on 16 Mar 2021 09:36
(address . 47185@debbugs.gnu.org)
3de2a6393156da40334d95993e15b22ca0eae5df.camel@zaclys.net
NOTE: SecureBoot on GNU Guix is not something common at all, so the
urgency to fix this issue is not as great as if we explicitly
advertised support for SecureBoot.


Mark H Weaver wrote on 17 Mar 2021 00:47
87pmzyirt1.fsf@netris.org
Hi Léo,

Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> writes:
> NOTE: SecureBoot on GNU Guix is not something common at all, so the
> urgency to fix this issue is not as great as if we explicitly
> advertised support for SecureBoot.

I would go further and question whether *anyone* is using SecureBoot
with a Guix system, and moreover whether it's feasible to do without
non-trivial development work.

> This looks like a sizeable upgrade to a sensitive part of GNU Guix, so
> we have to test carefully.

Indeed. I would like to underline this point: GRUB is the only part of
a Guix system that cannot be easily rolled back if it breaks. If we
make changes to GRUB that cause breakage for some minority of users,
those users could end up with an unbootable system, requiring the use of
a rescue disk to repair.

Therefore, we should be *very* careful about updating our GRUB package,
especially for the sake of bugs that almost certainly do not affect Guix
users.

I think we should refrain from updating GRUB until there's an official
upstream stable release. Even then, I would advise making an effort to
test it on Guix systems, using several different system configurations,
before pushing it to 'master'.

What do you think?

Regards,
Mark
Leo Famulari wrote on 17 Mar 2021 03:15
(name . Mark H Weaver)(address . mhw@netris.org)
YFFmPgweFmoXEuSx@jasmine.lan
On Tue, Mar 16, 2021 at 07:47:43PM -0400, Mark H Weaver wrote:
> I think we should refrain from updating GRUB until there's an official
> upstream stable release. Even then, I would advise making an effort to
> test it on Guix systems, using several different system configurations,
> before pushing it to 'master'.
>
> What do you think?

I agree with Mark that we should tread carefully. Also, I am always
available to test GRUB changes. I have a computer dedicated to testing
changes with Guix System.
Léo Le Bouter wrote on 19 Mar 2021 11:29
(address . control@debbugs.gnu.org)
35e9d8fb5e5caacb8abac2ead7742d7ccd9ee737.camel@zaclys.net
tags 47185 + security
quit


Maxim Cournoyer wrote on 23 Mar 2022 04:32
(name . Léo Le Bouter)(address . lle-bout@zaclys.net)(address . 47185-done@debbugs.gnu.org)
87r16txs0t.fsf@gmail.com
Hello,

I'm closing this, since we're now using GRUB 2.06, released in June of
last year.

Thank you,

Maxim
Closed